YARA rules for Contagious Interview
58 rules · scoped to actor · back to Contagious Interview
YARA rules whose family, name, or description matches this actor or its tooling. Use these for binary-pattern hunts.
rule hacktool_windows_mimikatz_copywrite
{
meta:
description = "Mimikatz credential dump tool: Author copywrite"
reference = "https://github.com/gentilkiwi/mimikatz"
author = "@fusionrace"
md5_1 = "0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8"
md5_2 = "0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b"
md5_3 = "0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143"
md5_4 = "004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c"
md5_5 = "09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca"
md5_6 = "09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669"
strings:
$s1 = "Kiwi en C" fullword ascii wide
$s2 = "Benjamin DELPY `gentilkiwi`" fullword ascii wide
$s3 = "http://blog.gentilkiwi.com/mimikatz" fullword ascii wide
$s4 = "Build with love for POC only" fullword ascii wide
$s5 = "gentilkiwi (Benjamin DELPY)" fullword wide
$s6 = "KiwiSSP" fullword wide
$s7 = "Kiwi Security Support Provider" fullword wide
$s8 = "kiwi flavor !" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 800KB and /* Added by Florian Roth to avoid false positives */
any of them
}
rule hacktool_windows_mimikatz_errors
{
meta:
description = "Mimikatz credential dump tool: Error messages"
reference = "https://github.com/gentilkiwi/mimikatz"
author = "@fusionrace"
md5_1 = "09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669"
md5_2 = "004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c"
strings:
$s1 = "[ERROR] [LSA] Symbols" fullword ascii wide
$s2 = "[ERROR] [CRYPTO] Acquire keys" fullword ascii wide
$s3 = "[ERROR] [CRYPTO] Symbols" fullword ascii wide
$s4 = "[ERROR] [CRYPTO] Init" fullword ascii wide
condition:
all of them
}
rule hacktool_windows_mimikatz_files
{
meta:
description = "Mimikatz credential dump tool: Files"
reference = "https://github.com/gentilkiwi/mimikatz"
author = "@fusionrace"
md5_1 = "09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669"
md5_2 = "004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c"
strings:
$s1 = "kiwifilter.log" fullword wide
$s2 = "kiwissp.log" fullword wide
$s3 = "mimilib.dll" fullword ascii wide
condition:
uint16(0) == 0x5a4d and filesize < 800KB and /* Added by Florian Roth to avoid false positives */
any of them
}
rule hacktool_windows_mimikatz_modules
{
meta:
description = "Mimikatz credential dump tool: Modules"
reference = "https://github.com/gentilkiwi/mimikatz"
author = "@fusionrace"
modified = "2023-07-26"
md5_1 = "0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8"
md5_2 = "0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b"
md5_3 = "09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669"
md5_4 = "004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c"
md5_5 = "0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143"
strings:
$s1 = "mimilib" fullword ascii wide
$s2 = "mimidrv" fullword ascii wide
$s3 = "mimilove" fullword ascii wide
$fp1 = "SgrmEnclave" wide
$fp2 = "Kaspersky Lab Anti-Rootkit Monitor Driver" wide
condition:
uint16(0) == 0x5a4d and filesize < 800KB and /* Added by Florian Roth to avoid false positives */
1 of ($s*) and
not 1 of ($fp*)
}
rule hacktool_windows_mimikatz_sekurlsa
{
meta:
description = "Mimikatz credential dump tool"
reference = "https://github.com/gentilkiwi/mimikatz"
author = "@fusionrace"
SHA256_1 = "09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669"
SHA256_2 = "004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c"
strings:
$s1 = "dpapisrv!g_MasterKeyCacheList" fullword ascii wide
$s2 = "lsasrv!g_MasterKeyCacheList" fullword ascii wide
$s3 = "!SspCredentialList" ascii wide
$s4 = "livessp!LiveGlobalLogonSessionList" fullword ascii wide
$s5 = "wdigest!l_LogSessList" fullword ascii wide
$s6 = "tspkg!TSGlobalCredTable" fullword ascii wide
condition:
all of them
}
rule Empire_Invoke_Mimikatz {
meta:
description = "Empire - a pure PowerShell post-exploitation agent - file Invoke-Mimikatz.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/PowerShellEmpire/Empire"
date = "2015-08-06"
score = 70
hash = "c5481864b757837ecbc75997fa24978ffde3672b8a144a55478ba9a864a19466"
id = "f7d6c1c4-2a24-54fd-b745-32d7894affc8"
strings:
$s1 = "$PEBytes64 = \"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwc" ascii
$s2 = "[System.Runtime.InteropServices.Marshal]::StructureToPtr($CmdLineAArgsPtr, $GetCommandLineAAddrTemp, $false)" fullword ascii
$s3 = "Write-BytesToMemory -Bytes $Shellcode2 -MemoryAddress $GetCommandLineWAddrTemp" fullword ascii
condition:
filesize < 2500KB and 2 of them
}
rule Empire_lib_modules_credentials_mimikatz_pth {
meta:
description = "Empire - a pure PowerShell post-exploitation agent - file pth.py"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/PowerShellEmpire/Empire"
date = "2015-08-06"
score = 70
hash = "6dee1cf931e02c5f3dc6889e879cc193325b39e18409dcdaf987b8bf7c459211"
id = "f954b7e8-e820-5111-ba8d-a9b9779381b0"
strings:
$s0 = "(credID, credType, domainName, userName, password, host, sid, notes) = self.mainMenu.credentials.get_credentials(credID)[0]" fullword ascii
$s1 = "command = \"sekurlsa::pth /user:\"+self.options[\"user\"]['Value']" fullword ascii
condition:
filesize < 12KB and all of them
}
rule OPCLEAVER_mimikatzWrapper
{
meta:
description = "Mimikatz Wrapper used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = 70
id = "e9427e29-e581-5a5b-8f1d-4b9bfeec0946"
strings:
$s1 = "mimikatzWrapper"
$s2 = "get_mimikatz"
condition:
all of them
}
rule OPCLEAVER_zhmimikatz
{
meta:
description = "Mimikatz wrapper used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = 70
id = "fba8ab6e-3b61-53a1-b4df-178442e3cf24"
strings:
$s1 = "MimikatzRunner"
$s2 = "zhmimikatz"
condition:
all of them
}
rule Powerkatz_DLL_Generic {
meta:
description = "Detects Powerkatz - a Mimikatz version prepared to run in memory via Powershell (overlap with other Mimikatz versions is possible)"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "PowerKatz Analysis"
date = "2016-02-05"
super_rule = 1
score = 80
hash1 = "c20f30326fcebad25446cf2e267c341ac34664efad5c50ff07f0738ae2390eae"
hash2 = "1e67476281c1ec1cf40e17d7fc28a3ab3250b474ef41cb10a72130990f0be6a0"
hash3 = "49e7bac7e0db87bf3f0185e9cf51f2539dbc11384fefced465230c4e5bce0872"
id = "7464f8a1-9f45-580b-8a97-a57071092e3c"
strings:
$s1 = "%3u - Directory '%s' (*.kirbi)" fullword wide
$s2 = "%*s pPublicKey : " fullword wide
$s4 = "<3 eo.oe ~ ANSSI E>" fullword wide
$s5 = "\\*.kirbi" wide
$c1 = "kuhl_m_lsadump_getUsersAndSamKey ; kull_m_registry_RegOpenKeyEx SAM Accounts (0x%08x)" fullword wide
$c2 = "kuhl_m_lsadump_getComputerAndSyskey ; kuhl_m_lsadump_getSyskey KO" fullword wide
condition:
( uint16(0) == 0x5a4d and filesize < 1000KB and 1 of them ) or 2 of them
}
rule mimikatz_lsass_mdmp {
meta:
description = "LSASS minidump file for mimikatz"
author = "Benjamin DELPY (gentilkiwi)"
id = "3d850dbe-1342-55ac-b0f7-91343d88f147"
strings:
$lsass = "System32\\lsass.exe" wide nocase
condition:
(uint32(0) == 0x504d444d) and $lsass and filesize > 50000KB and not filename matches /WER/
}
rule MSBuild_Mimikatz_Execution_via_XML {
meta:
description = "Detects an XML that executes Mimikatz on an endpoint via MSBuild"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://gist.github.com/subTee/c98f7d005683e616560bda3286b6a0d8#file-katz-xml"
date = "2016-10-07"
id = "98aa68b9-6de4-5353-8d87-9e974529c044"
strings:
$x1 = "<Project ToolsVersion=" ascii
$x2 = "</SharpLauncher>" fullword ascii
$s1 = "\"TVqQAAMAAAA" ascii
$s2 = "System.Convert.FromBase64String(" ascii
$s3 = ".Invoke(" ascii
$s4 = "Assembly.Load(" ascii
$s5 = ".CreateInstance(" ascii
condition:
all of them
}
rule Mimikatz_Gen_Strings {
meta:
description = "Detects Mimikatz by using some special strings"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2017-06-19"
super_rule = 1
hash1 = "058cc8b3e4e4055f3be460332a62eb4cbef41e3a7832aceb8119fd99fea771c4"
hash2 = "eefd4c038afa0e80cf6521c69644e286df08c0883f94245902383f50feac0f85"
hash3 = "f35b589c1cc1c98c4c4a5123fd217bdf0d987c00d2561992cbfb94bd75920159"
id = "3f4ab5d7-5a9f-55f0-9dda-e2975df582a0"
strings:
$s1 = "[*] '%s' service already started" fullword wide
$s2 = "** Security Callback! **" fullword wide
$s3 = "Try to export a software CA to a crypto (virtual)hardware" fullword wide
$s4 = "enterpriseadmin" fullword wide
$s5 = "Ask debug privilege" fullword wide
$s6 = "Injected =)" fullword wide
$s7 = "** SAM ACCOUNT **" fullword wide
condition:
(uint16(0) == 0x5a4d and filesize < 12000KB and 1 of them)
}
rule Impacket_Tools_mimikatz {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "2d8d500bcb3ffd22ddd8bd68b5b2ce935c958304f03729442a20a28b2c0328c1"
id = "0b1f5ad0-7070-58d5-946f-157dcb9627ab"
strings:
$s1 = "impacket" fullword ascii
$s2 = "smimikatz" fullword ascii
$s3 = "otwsdlc" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 17000KB and all of them )
}
rule HvS_APT37_mimikatz_loader_DF012 {
meta:
description = "Loader for encrypted Mimikatz variant used by APT37"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Marc Stroebel"
date = "2020-12-15"
reference = "https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf"
hash = "42e4a9aeff3744bbbc0e82fd5b93eb9b078460d8f40e0b61b27b699882f521be"
strings:
$s1 = ".?AVCEncryption@@" fullword ascii
$s2 = "afrfa"
condition:
uint16(0) == 0x5a4d and filesize < 200KB and
(pe.imphash() == "fa0b87c7e07d21001355caf7b5027219") and (all of them)
}
rule mimikatz_kirbi_ticket
{
meta:
description = "KiRBi ticket for mimikatz"
author = "Benjamin DELPY (gentilkiwi); Didier Stevens"
id = "a37249e0-ab3b-50c2-9473-1e69185713cc"
strings:
$asn1 = { 76 82 ?? ?? 30 82 ?? ?? a0 03 02 01 05 a1 03 02 01 16 }
$asn1_84 = { 76 84 ?? ?? ?? ?? 30 84 ?? ?? ?? ?? a0 84 00 00 00 03 02 01 05 a1 84 00 00 00 03 02 01 16 }
condition:
$asn1 at 0 or $asn1_84 at 0
}
rule StegoKatz {
meta:
description = "Encoded Mimikatz in other file types"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/jWPBBY"
date = "2015-09-11"
score = 70
id = "78868bb0-af69-573d-afd2-350a46f69137"
strings:
$s1 = "VC92Ny9TSXZMNk5jLy8vOUlqUTFVRlFNQTZMLysvdjlJaTh2L0ZUNXJBUUJJaTFRa1NFaUx6K2hWSS8vL1NJME44bklCQU9pZC92Ny9USTJjSkpBQUFBQXp3RW1MV3hCSmkyc1lTWXR6S0VtTDQxL0R6TXhNaTl4SmlWc0lUWWxMSUUySlF4aFZWbGRCVkVGVlFWWkJWMGlCN1BBQUFBQklnMlFrYUFDNE1BQUFBRW1MNkVTTmNPQ0pSQ1JnaVVRa1pFbU5RN0JKaTlsTWpRWFBGQU1BU0ls" ascii
$s2 = "Rpd3ovN3FlalVtNklLQ0xNNGtOV1BiY0VOVHROT0Zud25CWGN0WS9BcEdMR28rK01OWm85Nm9xMlNnY1U5aTgrSTBvNkFob1FOTzRHQWdtUElEVmlqald0Tk90b2FmN01ESWJUQkF5T0pYbTB4bFVHRTBZWEFWOXVoNHBkQnRrS0VFWWVBSEE2TDFzU0c5a2ZFTEc3QWd4WTBYY1l3ZzB6QUFXS09JZE9wQVhEK3lnS3lsR3B5Q1ljR1NJdFNseGZKWUlVVkNFdEZPVjRJUldERUl1QXpKZ2pCQWdsd0Va" ascii
condition:
filesize < 1000KB and 1 of them
}
rule Obfuscated_VBS_April17 {
meta:
description = "Detects cloaked Mimikatz in VBS obfuscation"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2017-04-21"
id = "ca60b885-bb56-55ee-a2b3-dea6958883c2"
strings:
$s1 = "::::::ExecuteGlobal unescape(unescape(" ascii
condition:
filesize < 500KB and all of them
}
rule Obfuscated_JS_April17 {
meta:
description = "Detects cloaked Mimikatz in JS obfuscation"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2017-04-21"
id = "44abd2c0-5f8d-5a8c-b282-a09853e12054"
strings:
$s1 = "\";function Main(){for(var " ascii
$s2 = "=String.fromCharCode(parseInt(" ascii
$s3 = "));(new Function(" ascii
condition:
filesize < 500KB and all of them
}
rule Invoke_Mimikatz {
meta:
description = "Detects Invoke-Mimikatz String"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz"
date = "2016-08-03"
hash1 = "f1a499c23305684b9b1310760b19885a472374a286e2f371596ab66b77f6ab67"
id = "37de51a6-e1bb-5ee7-9b7f-8fe17b3697b5"
strings:
$x2 = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm" ascii
$x3 = "Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineWAddrTemp" fullword ascii
condition:
1 of them
}
rule BadRabbit_Mimikatz_Comp {
meta:
description = "Auto-generated rule"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://pastebin.com/Y7pJv3tK"
date = "2017-10-25"
hash1 = "2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035"
id = "52affd3f-6bf9-55f6-92a5-69314a2e76e0"
strings:
$s1 = "%lS%lS%lS:%lS" fullword wide
$s2 = "lsasrv" fullword wide
$s3 = "CredentialKeys" ascii
/* Primary\x00m\x00s\x00v */
$s4 = { 50 72 69 6D 61 72 79 00 6D 00 73 00 76 00 }
condition:
( uint16(0) == 0x5a4d and filesize < 200KB and 3 of them )
}
rule Chafer_Mimikatz_Custom {
meta:
description = "Detects Custom Mimikatz Version"
author = "Florian Roth (Nextron Systems) / Markus Neis"
reference = "https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf"
date = "2018-03-22"
hash1 = "9709afeb76532566ee3029ecffc76df970a60813bcac863080cc952ad512b023"
id = "80f751c3-d7ca-5ff6-a905-38650e1c4ec5"
strings:
$x1 = "C:\\Users\\win7p\\Documents\\mi-back\\" ascii
condition:
uint16(0) == 0x5a4d and filesize < 3000KB and 1 of them
}
rule Chafer_Packed_Mimikatz {
meta:
description = "Detects Oilrig Packed Mimikatz also detected as Chafer_WSC_x64 by FR"
author = "Florian Roth (Nextron Systems) / Markus Neis"
reference = "https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf"
date = "2018-03-22"
hash1 = "5f2c3b5a08bda50cca6385ba7d84875973843885efebaff6a482a38b3cb23a7c"
id = "abd34c6a-7d99-5f52-be8e-a7d634d61255"
strings:
$s1 = "Windows Security Credentials" fullword wide
$s2 = "Minisoft" fullword wide
$x1 = "Copyright (c) 2014 - 2015 Minisoft" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 300KB and ( all of ($s*) or $x1 )
}
rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_AAF0 {
meta:
description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "aaf04d89fd15bc61265e545f8e1da80e20f59f90058ed343c62ee24358e3af9e"
hash = "4b97d63ebdeda6941bb8cef5e94741c6cca75237ca830561f2262034805f0919"
hash = "c42c1e5c3c04163bf61c3b86b04a5ec7d302af7e254990cef359ac80474299da"
hash = "f03f0fb3a26bb83e8f8fa426744cf06f2e6e29f5220663b1d64265952b8de1a1"
hash = "0f98492c92e35042b09032e3d9aedc357e4df94fc840217fa1091046f9248a06"
hash = "d032001eab6cad4fbef19aab418650ded00152143bd14507e17d62748297c23f"
hash = "2456a7921fa8ab7b9779e5665e6b42fccc019feb9e49a9a28a33ec0a4bb323c4"
hash = "f9b01406864ab081aa77eef4ad15cb2dd2f830d1ef54f52622a59ff1aeb05ba5"
hash = "19dfacea1b9f19c0379f89b2424ceb028f2ce59b0db991ba83ae460027584987"
hash = "3ca5d47d076e99c312578ef6499e1fa7b9db88551cfc0f138da11105aca7c5e1"
hash = "cf9451c9ccc5509b9912965f79c2b95eb89d805b2a186d7521d3a262cf5a7a37"
hash = "a0931e16cf7b18d15579e36e0a69edad1717b07527b5407f2c105a2f554224b2"
hash = "492113a223d6a3fc110059fe46a180d82bb8e002ef2cd76cbf0c1d1eb8243263"
hash = "85b9d7344bf847349b5d58ebe4d44fd63679a36164505271593ef1076aa163b2"
hash = "efa56907b9d0ec4430a5d581f490b6b9052b1e979da4dab6a110ab92e17d4576"
hash = "12b0000698b79ea3c8178b9e87801cc34bad096a151a8779559519deafd4e3f0"
hash = "4136f1eb11cc463a858393ea733d5f1c220a3187537626f7f5d63eccf7c5a03f"
hash = "ee525b90053bb30908b5d7bf4c5e9b8b9d6b7b5c9091a26fa25d30d3ad8ef5d0"
hash = "10ad50fcb360dcab8539ea322aaf2270565dc835b7535790937348523d723d6b"
hash = "4d42678df3917c37f44a1506307f1677b9a689efcf350b1acce7e6f64b514905"
hash = "d37996abc8efb29f1ccbb4335ce9ba9158bec86cc4775f0177112e87e4e3be5c"
hash = "569fe70bedd0df8585689b0e88ad8bd0544fdf88b9dbfc2076f4bdbcf89c28aa"
hash = "80e4c83cfa9d675a6746ab846fa5da76d79e87a9297e94e595a2d781e02673b3"
hash = "1a5c08d40a5e73b9fe63ea5761eaec8f41d916ca3da2acbc4e6e799b06af5524"
hash = "ee7b8eb150df2788bb9d5fe468327899d9f60d6731c379fd75143730a83b1c55"
hash = "a1e6b431534258954db07039117b3159e889c6b9e757329bbd4126383c60c778"
hash = "e99580e25f419b5ad90669e0c274cf63d30efa08065d064a863e655bdf77fb59"
hash = "b0b80a11802b4a8ca69c818a03e76e7ef57c2e293de456439401e8e6073f8719"
hash = "4c89c907b7525b39409af1ad11cc7d2400263601edafc41c935715ef5bd145de"
hash = "083f821d90e607ed93221e71d4742673e74f573d0755a96ad17d1403f65a2254"
hash = "e8ec06b1fa780f577ff0e8c713e0fd9688a48e0329c8188320f9eb62dfc0667f"
hash = "ac5fb90e88d8870cd5569e661bea98cf6b001d83ab7c65a5196ea3743146939a"
hash = "7b846b0a717665e4d9fb313f25d1f6a5b782e495387aea45cf87ad3c049ac0db"
hash = "93aa3066ae831cdf81505e1bc5035227dc0e8f06ebbbb777832a17920c6a02fe"
hash = "082a79311da64b6adc3655e79aa090a9262acaac3b917a363b9571f520a17f6a"
hash = "bc49cb96f3136c3e552bf29f808883abb9e651040415484c1736261b52756908"
hash = "95e5b5500e63c31c6561161a82f7f9373f99b5b1f54b018c4866df4f2a879167"
hash = "d43520128871c83b904f3136542ea46644ac81a62d51ae9d3c3a3f32405aad96"
hash = "94c71954ac0b1fd9fa2bd5c506a16302100ba75d9f84f39ee9b333546c714601"
hash = "793b78e70b3ae3bb400c5a8bc4d2d89183f1d7fc70954aed43df7287248b6875"
date = "2024-08-07"
score = 70
id = "57e5655e-1313-585f-931c-d892e8952d0e"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000320030002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */
condition:
all of them
}
rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_DDF4 {
meta:
description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "ddf427ce55b36db522f638ba38e34cd7b96a04cb3c47849b91e7554bfd09a69a"
hash = "bcb774b6f6ff504d2db58096601bc5cb419c169bfbeaa3af852417e87d9b2aa0"
hash = "af4f42197f5ce2d11993434725c81ecb6f54025110dedf56be8ffc0e775d9895"
hash = "9dc7beb60a0a6e7238fc8589b6c2665331be1e807b4d2b3ddd1c258dbbd3e2f7"
hash = "2da2b883e48e929f5365480d487590957d9e6582cc6da2c0b42699ba85e54fe2"
hash = "29348ebe12d872c5f40e316a0043f7e5babe583374487345a79bad0ba93fbdfe"
hash = "e4b2c0aa28aac5e197312a061b05363e2e0387338b28b23272b5b6659d29b1d8"
hash = "897f2bbe81fc3b1ae488114b93f3eb0133a85678d061c7a6f718507971f33736"
hash = "0f7bfa10075bf5c193345866333d415509433dbfe5a7d45664b88d72216ff7c3"
hash = "469713c76c7a887826611b8c7180209a8bb6250f91d0f1eb84ac4d450ef15870"
hash = "818787057fc60ac8b957aa37d750aa4bace8e6a07d3d28b070022ee6dcd603ab"
hash = "4af8192870afe18c77381dfaf8478f8914fa32906812bb53073da284a49ae4c7"
hash = "0740359baef32cbb0b14a9d1bd3499ea2e770ff9b1c85898cfac8fd9aca4fa39"
hash = "62764ddc2dce74f2620cd2efd97a2950f50c8ac5a1f2c1af00dc5912d52f6920"
hash = "3b2cd65a4fbdd784a6466e5196bc614c17d1dbaed3fd991d242e3be3e9249da6"
date = "2024-08-07"
score = 70
id = "0b38be06-60df-5b49-a748-eb175e1db33f"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310036002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */
condition:
all of them
}
rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_0F58 {
meta:
description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "0f58e09651d48d2b1bcec7b9f7bb85a2d1a7b65f7a51db281fe0c4f058a48597"
hash = "087270d57f1626f29ba9c25750ca19838a869b73a1f71af50bdf37d6ff776212"
hash = "0d676baac43d9e2d05b577d5e0c516fba250391ab0cb11232a4b17fd97a51e35"
hash = "06ddf49ac8e06e6b83fccba1141c90ea01b65b7db592c54ffe8aa6d30a75c0b8"
hash = "eab9b5b7e5fab1c2d7d44cd28f13ae8bb083d9362d2b930d43354a3dfd38e05a"
hash = "627e13da6a45006fff4711b14754f9ccfac9a5854d275da798a22f3a68dd1eaa"
hash = "b169a5f643524d59330fafe6e3e328e2179fc5116ee6fae5d39581467d53ac03"
hash = "dfc80e0d468a2c115a902aa332a97e3d279b1fc3d32083e8cf9a4aadf3f54ad1"
hash = "a74e8f94d2c140646a8bb12e3e322c49a97bd1b8a2e4327863d3623f43d65c66"
hash = "94ba4bcbdb55d6faf9f33642d0072109510f5c57e8c963d1a3eb4f9111f30112"
hash = "07759750fbb93c77b5c3957c642a9498fcff3946a5c69317db8d6be24098a4a0"
hash = "4dc24fd07f8fb854e685bc540359c59f177de5b91231cc44d6231e33c9e932b1"
hash = "baf7fbc4743a81eb5e4511023692b2dfdc32ba670ba3e4ed8c09db7a19bd82d3"
hash = "bcca03ce1dd040e67eb71a7be0b75576316f0b6587b2058786fda8b6f0a5adfd"
date = "2024-08-07"
score = 70
id = "0531a88d-cb21-5055-b365-a80b6e99a6e9"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310034002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */
condition:
all of them
}
rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_7662 {
meta:
description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "7662187c236003308a7951c2f49c0768636c492f8935292d02f69e59b01d236d"
hash = "a85d3fd59bb492a290552e5124bfe3f9e26a3086d69d42ccc44737b5a66673ec"
hash = "60ee78a2b070c830fabb54c6bde0d095dff8fad7f72aa719758b3c41c72c2aa9"
hash = "b2486f9359c94d7473ad8331b87a9c17ca9ba6e4109fd26ce92dff01969eaa09"
hash = "d41e39215c2c1286e4cd3b1dc0948adefb161f22bc3a78756a027d41614ee4ff"
hash = "008fa89822b7a1f91e5843169083202ea580f7b06eb6d5cae091ba844d035f25"
hash = "8206ce9c42582ac980ff5d64f8e3e310bc2baa42d1a206dd831c6ab397fbd8fe"
hash = "aafa642ca3d906138150059eeddb6f6b4fe9ad90c6174386cfe13a13e8be47d9"
hash = "fefc070a5f6a9c0415e1c6f44512a33e8d163024174b30a61423d00d1e8f9bf2"
hash = "6964a5d85639baee288555797992861232e75817f93028b50b8c6d34aa38b05b"
hash = "443c0ba980d4db9213b654a45248fd855855c1cc81d18812cae9d16729ff9a85"
hash = "e8743094f002239a8a9d6d7852c7852e0bb63cd411b007bd8c194bcba159ef15"
hash = "ec96b15ce218f97ec1d8f07f13b052d274c4c8438f31daf246ccfaaee5e1bebd"
hash = "beef40f1b4ce0ff2ee5c264955e6b2a0de6fe4089307510378adc83fad77228b"
hash = "e858de280bd72d7538386a73e579580a6d5edba87b66b3671dc180229368be19"
hash = "21617210249d2a35016e8ca6bd7a1edda25a12702a2294d56010ee8148637f5a"
hash = "02ebf848fa618eba27065db366b15ee6629d98f551d20612ac38b9f655f37715"
hash = "40556dd9b79b755cc0b48d3d024ceb15bd2c0e04960062ab2a85cd7d4d1b724a"
hash = "8b30b2dc36d5e8f1ffc7281352923773fb821cdf66eb6516f82c697a524b599b"
hash = "2ce4f8089b02017cbe86a5f25d6bc69dd8b6f5060c918a64a4123a5f3be1e878"
hash = "d7aa8abdda8a68b8418e86bef50c19ef2f34bc66e7b139e43c2a99ab48c933be"
hash = "82ac05fefaa8c7ee622d11d1a378f1d255b647ab2f3200fd323cc374818a83f2"
hash = "c7cd14c71bcac5420872c3d825ff6d4be6a86f3d6a8a584f1a756541efff858e"
date = "2024-08-07"
score = 70
id = "2bb58484-03d2-5ccc-b165-cfe405f60f03"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0031002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0031002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310037002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */
condition:
all of them
}
rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_14B8 {
meta:
description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "14b89298134696f2fd1b1df0961d36fa6354721ea92498a349dc421e79447925"
hash = "36c65aeb255c06898ffe32e301030e0b74c8bca6fe7be593584b8fdaacd4e475"
hash = "673bbc7fa4154f7d99af333014e888599c27ead02710f7bc7199184b30b38653"
hash = "5295080de37d4838e15dec4e3682545033d479d3d9ac28d74747c086559fb968"
hash = "8684aec77b4c3cafc1a6594de7e95695fa698625d4206a6c4b201875f76a5b38"
hash = "69866557566c59772f203c11f5fba30271448e231b65806a66e48f41e3804d7f"
hash = "a42f4ae69b8755a957256b57eb3d319678eab81705f0ffea0d649ace7321108f"
hash = "62036cdf3663097534adf3252b921eed06b73c2562655eae36b126c7d3d83266"
hash = "1ef7afea0cf2ef246ade6606ef8b7195de9cd7a3cd7570bff90ba1e2422276f6"
hash = "b34e2d9f3d4ef59cf7af18e17133a6a06509373e69e33c8eecb2e30501d0d9e4"
hash = "0aab2deae90717a8876d46d257401d265cf90a5db4c57706e4003c19eee33550"
hash = "15cf366f7b3ee526db7ce2b5253ffebcbfaa4f33a82b459237c049f854a97c0c"
hash = "c4c9c84b211899ceb0d18a839afa497537a7c7c01ab481965a09788a9e16590c"
hash = "618b15970671700188f4102e5d0638184e2723e8f57f7e917fa49792daebdadb"
hash = "4bca0a401b364a5cc1581a184116c5bafa224e13782df13272bc1b748173d1be"
hash = "c7bccc6f38403def4690e00a0b31eda05973d82be8953a3379e331658c51b231"
hash = "822982c568b6f44b610f8dc4ab5d94795c33ae08a6a608050941264975c1ecdb"
hash = "b8c71e1844e987cd6f9c2baf28d9520d4ccdd8593ce7051bb1b3c9bf1d97076a"
hash = "26bea3b3ab2001d91202f289b7e41499d810474607db7a0893ceab74f5532f47"
hash = "c8ae217860f793fce3ad0239d7b357dba562824dd7177c9d723ca4d4a7f99a12"
hash = "a78c9871da09fab21aec9b88a4e880f81ecb1ed0fa941f31cc2f041067e8e972"
hash = "82b7fa34ad07dbf9afa63b2f6ed37973a1b4fe35dee90b3cf5c788c15c9f08f7"
hash = "6d68d8a71a11458ddf0cbb73c0f145bee46ef29ce03ad7ece6bd6aa9d31db9b7"
hash = "52f3905bbd97dcd2dbd22890e5e8413b9487088f1ee2fa828030a6a45b3975fd"
hash = "64d4370843a07e25d4ceb68816015efcaeca9429bb5bb692a88e615b48c7da96"
hash = "f3ec3f22639d45b3c865bb1ed7622db32e04e1dbc456298be02bf1f3875c3aac"
hash = "51805bb537befaac8ce28f2221624cb4d9cefdc0260bc1afd5e0bc97bf1f9f93"
hash = "c4fb31e3f24e40742a1b9855a2d67048fe64b26d8d2dbcec77d2d5deeded2bcc"
hash = "d50cb5f4b28c6c26f17b9d44211e515c3c0cc2c0c4bf24cd8f9ed073238053ad"
hash = "4999541c47abd4a7f2a002c180ae8d31c19804ce538b85870b8db53d3652862b"
hash = "a32dc2218fb1f538fba33701dfd9ca34267fda3181e82eb58b971ae8b78f0852"
date = "2024-08-07"
score = 70
id = "a9965f8f-4969-52ae-953f-a06d8fabe951"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310037002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */
condition:
all of them
}
rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_41AD {
meta:
description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "41ad660820c41fc8b1860b13dc1fea8bc8cb2faceb36ed3e29d40d28079d2b1f"
hash = "a7a665a695ec3c0f862a0d762ad55aff6ce6014359647e7c7f7e3c4dc3be81b7"
hash = "9a42fa1870472c38a56c0a70f62e57a3cdc0f5bc142f3a400d897b85d65800ac"
hash = "f6157e033a12520c73dcedf8e49cd42d103e5874c34d6527bb9de25a5d26e5ad"
hash = "31b66a57fae0cc28a6a236d72a35c8b6244f997e700f9464f9cbf800dbf8bee6"
hash = "1d23ab46ad547e7eef409b40756aae9246fbdf545d13946f770643f19c715e80"
hash = "704c6ffe786bc83a73fbdcd2edd50f47c3b5053da7da6aa4c10324d389a31db4"
hash = "200f98655d1f46d2599c2c8605ebb7e335fee3883a32135ca1a81e09819bc64a"
hash = "4bd4715d2a7af627da11513e32fab925c872babebdb7ff5675a75815fbf95021"
hash = "9e56e96df36237e65b3d7dbc490afdc826215158f6278cd579c576c4b455b392"
hash = "8b32fc8b15363915605c127ccbf5cbe71778f8dfbf821a25455496e969a01434"
hash = "b0a27ac1a8173413de13860d2b2e34cb6bc4d1149f94b62d319042e11d8b004c"
hash = "07beac65e28ee124f1da354293a3d6ad7250ed1ce29b8342acfd22252548a5af"
hash = "c4f041de66ec8cc5ab4a03bbc46f99e073157a4e915a9ab4069162de834ffc5c"
hash = "26ef7b27d1afb685e0c136205a92d29b1091e3dcf6b7b39a4ec03fbbdb57cb55"
hash = "406b844f4b5c82caf26056c67f9815ad8ecf1e6e5b07d446b456e5ff4a1476f9"
date = "2024-08-07"
score = 70
id = "8a8887dd-0f3d-5ab4-a945-b47966789b99"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310039002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */
condition:
all of them
}
rule MAL_Driver_Mimidrv_Mimidrvmimikatz_2FAF {
meta:
description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "2faf95a3405578d0e613c8d88d534aa7233da0a6217ce8475890140ab8fb33c8"
date = "2024-08-07"
score = 70
id = "0160f2aa-f60f-5590-be0a-6751487eab92"
strings:
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310035002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */
condition:
all of them
}
rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_2FD4 {
meta:
description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "2fd43a749b5040ebfafd7cdbd088e27ef44341d121f313515ebde460bf3aaa21"
hash = "7824931e55249a501074a258b4f65cd66157ee35672ba17d1c0209f5b0384a28"
hash = "28f5aa194a384680a08c0467e94a8fc40f8b0f3f2ac5deb42e0f51a80d27b553"
date = "2024-08-07"
score = 70
id = "e77f1fc7-4700-5afe-908f-b0d206757365"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310035002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */
condition:
all of them
}
rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_30E0 {
meta:
description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "30e083cd7616b1b969a92fd18cf03097735596cce7fcf3254b2ca344e526acc2"
hash = "a906251667a103a484a6888dca3e9c8c81f513b8f037b98dfc11440802b0d640"
date = "2024-08-07"
score = 70
id = "888de0dc-5643-5e55-8272-9363cc55bfcf"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310033002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */
condition:
all of them
}
rule Mimikatz_Memory_Rule_1 : APT {
meta:
author = "Florian Roth"
date = "2014-12-22"
modified = "2023-07-04"
score = 70
nodeepdive = 1
description = "Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)"
id = "55cc7129-5ea0-5545-a8f6-b5306a014dd0"
strings:
$s1 = "sekurlsa::wdigest" fullword ascii
$s2 = "sekurlsa::logonPasswords" fullword ascii
$s3 = "sekurlsa::minidump" fullword ascii
$s4 = "sekurlsa::credman" fullword ascii
$fp1 = "\"x_mitre_version\": " ascii
$fp2 = "{\"type\":\"bundle\","
$fp3 = "use strict" ascii fullword
$fp4 = "\"url\":\"https://attack.mitre.org/" ascii
condition:
1 of ($s*) and not 1 of ($fp*)
}
rule Mimikatz_Memory_Rule_2 : APT {
meta:
description = "Mimikatz Rule generated from a memory dump"
author = "Florian Roth (Nextron Systems) - Florian Roth"
score = 75
date = "2014-12-22"
modified = "2023-05-19"
reference = "https://blog.gentilkiwi.com/mimikatz"
strings:
$s0 = "sekurlsa::" ascii
$x1 = "cryptprimitives.pdb" ascii
$x2 = "Now is t1O" ascii fullword
$x4 = "ALICE123" ascii
$x5 = "BOBBY456" ascii
condition:
$s0 and 1 of ($x*)
}
rule mimikatz : FILE {
meta:
description = "mimikatz"
author = "Benjamin DELPY (gentilkiwi)"
tool_author = "Benjamin DELPY (gentilkiwi)"
modified = "2022-11-16"
id = "840a5b8c-a311-50bc-a099-6b8ab1492e12"
strings:
$exe_x86_1 = { 89 71 04 89 [0-3] 30 8d 04 bd }
$exe_x86_2 = { 8b 4d e? 8b 45 f4 89 75 e? 89 01 85 ff 74 }
$exe_x64_1 = { 33 ff 4? 89 37 4? 8b f3 45 85 c? 74}
$exe_x64_2 = { 4c 8b df 49 [0-3] c1 e3 04 48 [0-3] 8b cb 4c 03 [0-3] d8 }
/*
$dll_1 = { c7 0? 00 00 01 00 [4-14] c7 0? 01 00 00 00 }
$dll_2 = { c7 0? 10 02 00 00 ?? 89 4? }
*/
$sys_x86 = { a0 00 00 00 24 02 00 00 40 00 00 00 [0-4] b8 00 00 00 6c 02 00 00 40 00 00 00 }
$sys_x64 = { 88 01 00 00 3c 04 00 00 40 00 00 00 [0-4] e8 02 00 00 f8 02 00 00 40 00 00 00 }
condition:
(all of ($exe_x86_*)) or (all of ($exe_x64_*))
// or (all of ($dll_*))
or (any of ($sys_*))
}
rule Mimikatz_Logfile
{
meta:
description = "Detects a log file generated by malicious hack tool mimikatz"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
score = 80
date = "2015/03/31"
id = "921d85fc-fb4d-57ed-b4ac-203d5c6f1e8e"
strings:
$s1 = "SID :" ascii fullword
$s2 = "* NTLM :" ascii fullword
$s3 = "Authentication Id :" ascii fullword
$s4 = "wdigest :" ascii fullword
condition:
all of them
}
rule Mimikatz_Strings {
meta:
description = "Detects Mimikatz strings"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "not set"
date = "2016-06-08"
score = 65
id = "d8f63b71-c66c-5c10-9268-2d8970f7c8a1"
strings:
$x1 = "sekurlsa::logonpasswords" fullword wide ascii
$x2 = "List tickets in MIT/Heimdall ccache" fullword ascii wide
$x3 = "kuhl_m_kerberos_ptt_file ; LsaCallKerberosPackage %08x" fullword ascii wide
$x4 = "* Injecting ticket :" fullword wide ascii
$x5 = "mimidrv.sys" fullword wide ascii
$x6 = "Lists LM & NTLM credentials" fullword wide ascii
$x7 = "\\_ kerberos -" wide ascii
$x8 = "* unknow :" fullword wide ascii
$x9 = "\\_ *Password replace ->" wide ascii
$x10 = "KIWI_MSV1_0_PRIMARY_CREDENTIALS KO" ascii wide
$x11 = "\\\\.\\mimidrv" wide ascii
$x12 = "Switch to MINIDUMP :" fullword wide ascii
$x13 = "[masterkey] with password: %s (%s user)" fullword wide
$x14 = "Clear screen (doesn't work with redirections, like PsExec)" fullword wide
$x15 = "** Session key is NULL! It means allowtgtsessionkey is not set to 1 **" fullword wide
$x16 = "[masterkey] with DPAPI_SYSTEM (machine, then user): " fullword wide
condition:
(
( uint16(0) == 0x5a4d and 1 of ($x*) ) or
( 3 of them )
)
/* exclude false positives */
and not pe.imphash() == "77eaeca738dd89410a432c6bd6459907"
}
rule AppInitHook {
meta:
description = "AppInitGlobalHooks-Mimikatz - Hide Mimikatz From Process Lists - file AppInitHook.dll"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/Z292v6"
date = "2015-07-15"
score = 70
hash = "e7563e4f2a7e5f04a3486db4cefffba173349911a3c6abd7ae616d3bf08cfd45"
id = "73713011-3083-5cdf-b59c-f4da67d2d2ab"
strings:
$s0 = "\\Release\\AppInitHook.pdb" ascii
$s1 = "AppInitHook.dll" fullword ascii
$s2 = "mimikatz.exe" fullword wide
$s3 = "]X86Instruction->OperandSize >= Operand->Length" fullword wide
$s4 = "mhook\\disasm-lib\\disasm.c" fullword wide
$s5 = "mhook\\disasm-lib\\disasm_x86.c" fullword wide
$s6 = "VoidFunc" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 500KB and 4 of them
}
rule HKTL_Mimikatz_SkeletonKey_in_memory_Aug20_1 {
meta:
description = "Detects Mimikatz SkeletonKey in Memory"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/sbousseaden/status/1292143504131600384?s=12"
date = "2020-08-09"
id = "e7c1c512-e944-5d87-ac57-cdc9ab7cf660"
strings:
$x1 = { 60 ba 4f ca c7 44 24 34 dc 46 6c 7a c7 44 24 38
03 3c 17 81 c7 44 24 3c 94 c0 3d f6 }
condition:
1 of them
}
rule HKTL_mimikatz_memssp_hookfn {
meta:
description = "Detects Default Mimikatz memssp module in-memory"
author = "SBousseaden"
date = "2020-08-26"
reference = "https://github.com/sbousseaden/YaraHunts/blob/master/mimikatz_memssp_hookfn.yara"
score = 70
id = "89940110-8a5e-5a28-bf64-3b568f8ef1f8"
strings:
$xc1 = { 48 81 EC A8 00 00 00 C7 84 24 88 00 00 00 ?? ??
?? ?? C7 84 24 8C 00 00 00 ?? ?? ?? ?? C7 84 24
90 00 00 00 ?? ?? ?? 00 C7 84 24 80 00 00 00 61
00 00 00 C7 44 24 40 5B 00 25 00 C7 44 24 44 30
00 38 00 C7 44 24 48 78 00 3A 00 C7 44 24 4C 25
00 30 00 C7 44 24 50 38 00 78 00 C7 44 24 54 5D
00 20 00 C7 44 24 58 25 00 77 00 C7 44 24 5C 5A
00 5C 00 C7 44 24 60 25 00 77 00 C7 44 24 64 5A
00 09 00 C7 44 24 68 25 00 77 00 C7 44 24 6C 5A
00 0A 00 C7 44 24 70 00 00 00 00 48 8D 94 24 80
00 00 00 48 8D 8C 24 88 00 00 00 48 B8 A0 7D ??
?? ?? ?? 00 00 FF D0 } // memssp creds logging function
// $xc2 = {6D 69 6D 69 C7 84 24 8C 00 00 00 6C 73 61 2E C7 84 24 90 00 00 00 6C 6F 67} - mimilsa.log
condition:
$xc1 // you can set condition to $xc1 and not $xc2 to detect non lazy memssp users
}
rule HKTL_mimikatz_icon {
meta:
description = "Detects mimikatz icon in PE file"
license = "Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License"
author = "Arnim Rupp"
reference = "https://blog.gentilkiwi.com/mimikatz"
date = "2023-02-18"
score = 60
hash1 = "61c0810a23580cf492a6ba4f7654566108331e7a4134c968c2d6a05261b2d8a1"
hash2 = "1c3f584164ef595a37837701739a11e17e46f9982fdcee020cf5e23bad1a0925"
hash3 = "c6bb98b24206228a54493274ff9757ce7e0cbb4ab2968af978811cc4a98fde85"
hash4 = "721d3476cdc655305902d682651fffbe72e54a97cd7e91f44d1a47606bae47ab"
hash5 = "c0f3523151fa307248b2c64bdaac5f167b19be6fccff9eba92ac363f6d5d2595"
id = "2a5ea476-a30d-5eac-b57a-3fb49386c046"
strings:
$ico = {79 e1 d7 ff 7e e5 db ff 7f e8 dc ff 85 eb dd ff ba ff f1 ff 66 a0 b6 ff 01 38 61 ff 22 50 75 c3}
condition:
uint16(0) == 0x5A4D and
$ico and
filesize < 10MB
}
rule Empire_Invoke_Mimikatz_Gen {
meta:
description = "Detects Empire component - file Invoke-Mimikatz.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/adaptivethreat/Empire"
date = "2016-11-05"
hash1 = "4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3"
id = "1f771a17-2534-5811-80bd-bc1bab37d97c"
strings:
$s1 = "= \"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQ" ascii
$s2 = "Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($PEBytes64, $PEBytes32, \"Void\", 0, \"\", $ExeArgs)" fullword ascii
condition:
( uint16(0) == 0x7566 and filesize < 4000KB and 1 of them ) or all of them
}
rule Empire_Invoke_CredentialInjection_Invoke_Mimikatz_Gen {
meta:
description = "Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-Mimikatz.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/adaptivethreat/Empire"
date = "2016-11-05"
super_rule = 1
hash1 = "1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8"
hash2 = "4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3"
id = "d938aadf-6924-5964-9b5a-6bd1b817349f"
strings:
$s1 = "$PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs -RemoteProcHandle $RemoteProcHandle" fullword ascii
$s2 = "$PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs" fullword ascii
condition:
( uint16(0) == 0x7566 and filesize < 4000KB and 1 of them ) or all of them
}
rule ps1_toolkit_Invoke_Mimikatz {
meta:
description = "Auto-generated rule - file Invoke-Mimikatz.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/vysec/ps1-toolkit"
date = "2016-09-04"
score = 80
hash1 = "5c31a2e3887662467cfcb0ac37e681f1d9b0f135e6dfff010aae26587e03d8c8"
id = "7c0252a1-fbe4-5519-949b-285073abb21f"
strings:
$s1 = "Get-ProcAddress kernel32.dll WriteProcessMemory" fullword ascii
$s2 = "ps | where { $_.Name -eq $ProcName } | select ProcessName, Id, SessionId" fullword ascii
$s3 = "privilege::debug exit" ascii
$s4 = "Get-ProcAddress Advapi32.dll AdjustTokenPrivileges" fullword ascii
$s5 = "Invoke-Mimikatz -DumpCreds" fullword ascii
$s6 = "| Add-Member -MemberType NoteProperty -Name IMAGE_FILE_EXECUTABLE_IMAGE -Value 0x0002" fullword ascii
condition:
( uint16(0) == 0xbbef and filesize < 10000KB and 1 of them ) or ( 3 of them )
}
rule ps1_toolkit_Invoke_Mimikatz_RelfectivePEInjection {
meta:
description = "Auto-generated rule - from files Invoke-Mimikatz.ps1, Invoke-RelfectivePEInjection.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/vysec/ps1-toolkit"
date = "2016-09-04"
score = 80
super_rule = 1
hash1 = "5c31a2e3887662467cfcb0ac37e681f1d9b0f135e6dfff010aae26587e03d8c8"
hash2 = "510b345f821f93c1df5f90ac89ad91fcd0f287ebdabec6c662b716ec9fddb03a"
id = "e9471f95-48e1-57e0-b0be-f916c574a6a7"
strings:
$s1 = "[IntPtr]$DllAddress = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ReturnValMem, [Type][IntPtr])" fullword ascii
$s2 = "if ($GetCommandLineAAddr -eq [IntPtr]::Zero -or $GetCommandLineWAddr -eq [IntPtr]::Zero)" fullword ascii
$s3 = "[Byte[]]$Shellcode2 = @(0xc6, 0x03, 0x01, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xbb)" fullword ascii
$s4 = "Function Import-DllInRemoteProcess" fullword ascii
$s5 = "FromBase64String('QwBvAG4AdABpAG4AdQBlAA==')))" fullword ascii
$s6 = "[Byte[]]$Shellcode2 = @(0xc6, 0x03, 0x01, 0x83, 0xec, 0x20, 0x83, 0xe4, 0xc0, 0xbb)" fullword ascii
$s7 = "[System.Runtime.InteropServices.Marshal]::FreeHGlobal($TokenPrivilegesMem)" fullword ascii
$s8 = "[System.Runtime.InteropServices.Marshal]::StructureToPtr($CurrAddr, $FinalAddr, $false) | Out-Null" fullword ascii
$s9 = "::FromBase64String('RABvAG4AZQAhAA==')))" ascii
$s10 = "Write-Verbose \"PowerShell ProcessID: $PID\"" fullword ascii
$s11 = "[IntPtr]$ProcAddress = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ReturnValMem, [Type][IntPtr])" fullword ascii
condition:
( uint16(0) == 0xbbef and filesize < 10000KB and 3 of them ) or ( 6 of them )
}
rule PAExec {
meta:
description = "Detects remote access tool PAEXec (like PsExec) - file PAExec.exe"
author = "Florian Roth (Nextron Systems)"
reference = "http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/"
date = "2017-03-27"
score = 40
hash1 = "01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc"
id = "ee564534-b921-5639-a7ed-5da79d6bf86a"
strings:
$x1 = "Ex: -rlo C:\\Temp\\PAExec.log" fullword ascii
$x2 = "Can't enumProcesses - Failed to get token for Local System." fullword wide
$x3 = "PAExec %s - Execute Programs Remotely" fullword wide
$x4 = "\\\\%s\\pipe\\PAExecIn%s%u" fullword wide
$x5 = "\\\\.\\pipe\\PAExecIn%s%u" fullword wide
$x6 = "%%SystemRoot%%\\%s.exe" fullword wide
$x7 = "in replacement for PsExec, so the command-line usage is identical, with " fullword ascii
$x8 = "\\\\%s\\ADMIN$\\PAExec_Move%u.dat" fullword wide
condition:
(uint16(0) == 0x5a4d and filesize < 600KB and 1 of ($x*)) or (3 of them)
}
rule APT_Cloaked_PsExec
{
meta:
description = "Looks like a cloaked PsExec. This may be APT group activity."
date = "2014-07-18"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
score = 60
id = "e389bb76-0d1d-5e0e-9f79-a3117c919da3"
strings:
$s0 = "psexesvc.exe" wide fullword
$s1 = "Sysinternals PsExec" wide fullword
condition:
uint16(0) == 0x5a4d and $s0 and $s1
and not filename matches /(psexec.exe|PSEXESVC.EXE|PsExec64.exe)$/is
and not filepath matches /RECYCLE.BIN\\S-1/
}
rule PAExec_Cloaked {
meta:
description = "Detects a renamed remote access tool PAEXec (like PsExec)"
author = "Florian Roth (Nextron Systems)"
reference = "http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/"
date = "2017-03-27"
score = 70
hash1 = "01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc"
id = "fad8417b-bbdb-5a4e-8324-660e27cb39f8"
strings:
$x1 = "Ex: -rlo C:\\Temp\\PAExec.log" fullword ascii
$x2 = "Can't enumProcesses - Failed to get token for Local System." fullword wide
$x3 = "PAExec %s - Execute Programs Remotely" fullword wide
$x4 = "\\\\%s\\pipe\\PAExecIn%s%u" fullword wide
$x5 = "\\\\.\\pipe\\PAExecIn%s%u" fullword wide
$x6 = "%%SystemRoot%%\\%s.exe" fullword wide
$x7 = "in replacement for PsExec, so the command-line usage is identical, with " fullword ascii
$x8 = "\\\\%s\\ADMIN$\\PAExec_Move%u.dat" fullword wide
condition:
( uint16(0) == 0x5a4d and filesize < 600KB and 1 of ($x*) )
and not filename == "paexec.exe"
and not filename == "PAExec.exe"
and not filename == "PAEXEC.EXE"
and not filename matches /Install/
and not filename matches /uninstall/
}
rule Impacket_Tools_psexec {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "27bb10569a872367ba1cfca3cf1c9b428422c82af7ab4c2728f501406461c364"
id = "5e8d0964-7e6a-5ff6-b9db-e37f997c3e05"
strings:
$s1 = "impacket.examples.serviceinstall(" ascii
$s2 = "spsexec" fullword ascii
$s3 = "impacket.examples.remcomsvc(" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 17000KB and 2 of them )
}
rule Empire_Invoke_PsExec {
meta:
description = "Detects Empire component - file Invoke-PsExec.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/adaptivethreat/Empire"
date = "2016-11-05"
hash1 = "0218be4323959fc6379489a6a5e030bb9f1de672326e5e5b8844ab5cedfdcf88"
id = "19aaec3e-3e8f-5d7d-9c70-a212756c0300"
strings:
$s1 = "Invoke-PsExecCmd" fullword ascii
$s2 = "\"[*] Executing service .EXE" fullword ascii
$s3 = "$cmd = \"%COMSPEC% /C echo $Command ^> %systemroot%\\Temp\\" ascii
condition:
( uint16(0) == 0x7566 and filesize < 50KB and 1 of them ) or all of them
}