mirror of
https://github.com/valitydev/signature-base.git
synced 2024-11-07 02:25:19 +00:00
28 lines
680 B
Plaintext
28 lines
680 B
Plaintext
/* Disabled due to Benjamin Delphys sig overlap
|
|
rule LSASS_memory_dump_file {
|
|
meta:
|
|
description = "Detects a LSASS memory dump file"
|
|
author = "Florian Roth"
|
|
date = "2015/03/31"
|
|
memory = 0
|
|
score = 50
|
|
strings:
|
|
$s1 = "lsass.exe" ascii fullword
|
|
$s2 = "wdigest.DLL" wide nocase
|
|
condition:
|
|
uint32(0) == 0x504D444D and all of them
|
|
} */
|
|
|
|
rule NTLM_Dump_Output {
|
|
meta:
|
|
description = "NTML Hash Dump output file - John/LC format"
|
|
author = "Florian Roth"
|
|
date = "2015-10-01"
|
|
score = 75
|
|
strings:
|
|
$s0 = "500:AAD3B435B51404EEAAD3B435B51404EE:" ascii
|
|
$s1 = "500:aad3b435b51404eeaad3b435b51404ee:" ascii
|
|
condition:
|
|
1 of them
|
|
}
|