240 lines
9.1 KiB
Text
240 lines
9.1 KiB
Text
|
import "pe"
|
||
|
|
|
||
|
|
/* Mimikatz */
|
||
|
|
|
||
|
|
rule Mimikatz_Memory_Rule_1 : APT {
|
||
|
|
meta:
|
||
|
|
author = "Florian Roth"
|
||
|
|
date = "2014-12-22"
|
||
|
|
modified = "2023-07-04"
|
||
|
|
score = 70
|
||
|
|
nodeepdive = 1
|
||
|
|
description = "Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)"
|
||
|
|
id = "55cc7129-5ea0-5545-a8f6-b5306a014dd0"
|
||
|
|
strings:
|
||
|
|
$s1 = "sekurlsa::wdigest" fullword ascii
|
||
|
|
$s2 = "sekurlsa::logonPasswords" fullword ascii
|
||
|
|
$s3 = "sekurlsa::minidump" fullword ascii
|
||
|
|
$s4 = "sekurlsa::credman" fullword ascii
|
||
|
|
|
||
|
|
$fp1 = "\"x_mitre_version\": " ascii
|
||
|
|
$fp2 = "{\"type\":\"bundle\","
|
||
|
|
$fp3 = "use strict" ascii fullword
|
||
|
|
$fp4 = "\"url\":\"https://attack.mitre.org/" ascii
|
||
|
|
condition:
|
||
|
|
1 of ($s*) and not 1 of ($fp*)
|
||
|
|
}
|
||
|
|
|
||
|
|
/* we have much better rules now
|
||
|
|
rule Mimikatz_Memory_Rule_2 : APT {
|
||
|
|
meta:
|
||
|
|
description = "Mimikatz Rule generated from a memory dump"
|
||
|
|
author = "Florian Roth (Nextron Systems) - Florian Roth"
|
||
|
|
score = 75
|
||
|
|
date = "2014-12-22"
|
||
|
|
modified = "2023-05-19"
|
||
|
|
reference = "https://blog.gentilkiwi.com/mimikatz"
|
||
|
|
strings:
|
||
|
|
$s0 = "sekurlsa::" ascii
|
||
|
|
$x1 = "cryptprimitives.pdb" ascii
|
||
|
|
$x2 = "Now is t1O" ascii fullword
|
||
|
|
$x4 = "ALICE123" ascii
|
||
|
|
$x5 = "BOBBY456" ascii
|
||
|
|
condition:
|
||
|
|
$s0 and 1 of ($x*)
|
||
|
|
}
|
||
|
|
*/
|
||
|
|
|
||
|
|
rule mimikatz : FILE {
|
||
|
|
meta:
|
||
|
|
description = "mimikatz"
|
||
|
|
author = "Benjamin DELPY (gentilkiwi)"
|
||
|
|
tool_author = "Benjamin DELPY (gentilkiwi)"
|
||
|
|
modified = "2022-11-16"
|
||
|
|
id = "840a5b8c-a311-50bc-a099-6b8ab1492e12"
|
||
|
|
strings:
|
||
|
|
$exe_x86_1 = { 89 71 04 89 [0-3] 30 8d 04 bd }
|
||
|
|
$exe_x86_2 = { 8b 4d e? 8b 45 f4 89 75 e? 89 01 85 ff 74 }
|
||
|
|
|
||
|
|
$exe_x64_1 = { 33 ff 4? 89 37 4? 8b f3 45 85 c? 74}
|
||
|
|
$exe_x64_2 = { 4c 8b df 49 [0-3] c1 e3 04 48 [0-3] 8b cb 4c 03 [0-3] d8 }
|
||
|
|
|
||
|
|
/*
|
||
|
|
$dll_1 = { c7 0? 00 00 01 00 [4-14] c7 0? 01 00 00 00 }
|
||
|
|
$dll_2 = { c7 0? 10 02 00 00 ?? 89 4? }
|
||
|
|
*/
|
||
|
|
|
||
|
|
$sys_x86 = { a0 00 00 00 24 02 00 00 40 00 00 00 [0-4] b8 00 00 00 6c 02 00 00 40 00 00 00 }
|
||
|
|
$sys_x64 = { 88 01 00 00 3c 04 00 00 40 00 00 00 [0-4] e8 02 00 00 f8 02 00 00 40 00 00 00 }
|
||
|
|
|
||
|
|
condition:
|
||
|
|
(all of ($exe_x86_*)) or (all of ($exe_x64_*))
|
||
|
|
// or (all of ($dll_*))
|
||
|
|
or (any of ($sys_*))
|
||
|
|
}
|
||
|
|
|
||
|
|
rule wce
|
||
|
|
{
|
||
|
|
meta:
|
||
|
|
description = "wce"
|
||
|
|
author = "Benjamin DELPY (gentilkiwi)"
|
||
|
|
tool_author = "Hernan Ochoa (hernano)"
|
||
|
|
id = "857981ee-3f57-580b-8bfd-8d2109298e27"
|
||
|
|
strings:
|
||
|
|
$hex_legacy = { 8b ff 55 8b ec 6a 00 ff 75 0c ff 75 08 e8 [0-3] 5d c2 08 00 }
|
||
|
|
$hex_x86 = { 8d 45 f0 50 8d 45 f8 50 8d 45 e8 50 6a 00 8d 45 fc 50 [0-8] 50 72 69 6d 61 72 79 00 }
|
||
|
|
$hex_x64 = { ff f3 48 83 ec 30 48 8b d9 48 8d 15 [0-16] 50 72 69 6d 61 72 79 00 }
|
||
|
|
condition:
|
||
|
|
any of them
|
||
|
|
}
|
||
|
|
|
||
|
|
rule power_pe_injection
|
||
|
|
{
|
||
|
|
meta:
|
||
|
|
description = "PowerShell with PE Reflective Injection"
|
||
|
|
author = "Benjamin DELPY (gentilkiwi)"
|
||
|
|
id = "a71fe9f2-9c2a-5650-a5c7-116b76f10db6"
|
||
|
|
strings:
|
||
|
|
$str_loadlib = "0x53, 0x48, 0x89, 0xe3, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xb9"
|
||
|
|
condition:
|
||
|
|
$str_loadlib
|
||
|
|
}
|
||
|
|
|
||
|
|
rule Mimikatz_Logfile
|
||
|
|
{
|
||
|
|
meta:
|
||
|
|
description = "Detects a log file generated by malicious hack tool mimikatz"
|
||
|
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
|
author = "Florian Roth (Nextron Systems)"
|
||
|
|
score = 80
|
||
|
|
date = "2015/03/31"
|
||
|
|
id = "921d85fc-fb4d-57ed-b4ac-203d5c6f1e8e"
|
||
|
|
strings:
|
||
|
|
$s1 = "SID :" ascii fullword
|
||
|
|
$s2 = "* NTLM :" ascii fullword
|
||
|
|
$s3 = "Authentication Id :" ascii fullword
|
||
|
|
$s4 = "wdigest :" ascii fullword
|
||
|
|
condition:
|
||
|
|
all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
rule Mimikatz_Strings {
|
||
|
|
meta:
|
||
|
|
description = "Detects Mimikatz strings"
|
||
|
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
|
author = "Florian Roth (Nextron Systems)"
|
||
|
|
reference = "not set"
|
||
|
|
date = "2016-06-08"
|
||
|
|
score = 65
|
||
|
|
id = "d8f63b71-c66c-5c10-9268-2d8970f7c8a1"
|
||
|
|
strings:
|
||
|
|
$x1 = "sekurlsa::logonpasswords" fullword wide ascii
|
||
|
|
$x2 = "List tickets in MIT/Heimdall ccache" fullword ascii wide
|
||
|
|
$x3 = "kuhl_m_kerberos_ptt_file ; LsaCallKerberosPackage %08x" fullword ascii wide
|
||
|
|
$x4 = "* Injecting ticket :" fullword wide ascii
|
||
|
|
$x5 = "mimidrv.sys" fullword wide ascii
|
||
|
|
$x6 = "Lists LM & NTLM credentials" fullword wide ascii
|
||
|
|
$x7 = "\\_ kerberos -" wide ascii
|
||
|
|
$x8 = "* unknow :" fullword wide ascii
|
||
|
|
$x9 = "\\_ *Password replace ->" wide ascii
|
||
|
|
$x10 = "KIWI_MSV1_0_PRIMARY_CREDENTIALS KO" ascii wide
|
||
|
|
$x11 = "\\\\.\\mimidrv" wide ascii
|
||
|
|
$x12 = "Switch to MINIDUMP :" fullword wide ascii
|
||
|
|
$x13 = "[masterkey] with password: %s (%s user)" fullword wide
|
||
|
|
$x14 = "Clear screen (doesn't work with redirections, like PsExec)" fullword wide
|
||
|
|
$x15 = "** Session key is NULL! It means allowtgtsessionkey is not set to 1 **" fullword wide
|
||
|
|
$x16 = "[masterkey] with DPAPI_SYSTEM (machine, then user): " fullword wide
|
||
|
|
condition:
|
||
|
|
(
|
||
|
|
( uint16(0) == 0x5a4d and 1 of ($x*) ) or
|
||
|
|
( 3 of them )
|
||
|
|
)
|
||
|
|
/* exclude false positives */
|
||
|
|
and not pe.imphash() == "77eaeca738dd89410a432c6bd6459907"
|
||
|
|
}
|
||
|
|
|
||
|
|
rule AppInitHook {
|
||
|
|
meta:
|
||
|
|
description = "AppInitGlobalHooks-Mimikatz - Hide Mimikatz From Process Lists - file AppInitHook.dll"
|
||
|
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
|
author = "Florian Roth (Nextron Systems)"
|
||
|
|
reference = "https://goo.gl/Z292v6"
|
||
|
|
date = "2015-07-15"
|
||
|
|
score = 70
|
||
|
|
hash = "e7563e4f2a7e5f04a3486db4cefffba173349911a3c6abd7ae616d3bf08cfd45"
|
||
|
|
id = "73713011-3083-5cdf-b59c-f4da67d2d2ab"
|
||
|
|
strings:
|
||
|
|
$s0 = "\\Release\\AppInitHook.pdb" ascii
|
||
|
|
$s1 = "AppInitHook.dll" fullword ascii
|
||
|
|
$s2 = "mimikatz.exe" fullword wide
|
||
|
|
$s3 = "]X86Instruction->OperandSize >= Operand->Length" fullword wide
|
||
|
|
$s4 = "mhook\\disasm-lib\\disasm.c" fullword wide
|
||
|
|
$s5 = "mhook\\disasm-lib\\disasm_x86.c" fullword wide
|
||
|
|
$s6 = "VoidFunc" fullword ascii
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 500KB and 4 of them
|
||
|
|
}
|
||
|
|
|
||
|
|
rule HKTL_Mimikatz_SkeletonKey_in_memory_Aug20_1 {
|
||
|
|
meta:
|
||
|
|
description = "Detects Mimikatz SkeletonKey in Memory"
|
||
|
|
author = "Florian Roth (Nextron Systems)"
|
||
|
|
reference = "https://twitter.com/sbousseaden/status/1292143504131600384?s=12"
|
||
|
|
date = "2020-08-09"
|
||
|
|
id = "e7c1c512-e944-5d87-ac57-cdc9ab7cf660"
|
||
|
|
strings:
|
||
|
|
$x1 = { 60 ba 4f ca c7 44 24 34 dc 46 6c 7a c7 44 24 38
|
||
|
|
03 3c 17 81 c7 44 24 3c 94 c0 3d f6 }
|
||
|
|
condition:
|
||
|
|
1 of them
|
||
|
|
}
|
||
|
|
|
||
|
|
rule HKTL_mimikatz_memssp_hookfn {
|
||
|
|
meta:
|
||
|
|
description = "Detects Default Mimikatz memssp module in-memory"
|
||
|
|
author = "SBousseaden"
|
||
|
|
date = "2020-08-26"
|
||
|
|
reference = "https://github.com/sbousseaden/YaraHunts/blob/master/mimikatz_memssp_hookfn.yara"
|
||
|
|
score = 70
|
||
|
|
id = "89940110-8a5e-5a28-bf64-3b568f8ef1f8"
|
||
|
|
strings:
|
||
|
|
$xc1 = { 48 81 EC A8 00 00 00 C7 84 24 88 00 00 00 ?? ??
|
||
|
|
?? ?? C7 84 24 8C 00 00 00 ?? ?? ?? ?? C7 84 24
|
||
|
|
90 00 00 00 ?? ?? ?? 00 C7 84 24 80 00 00 00 61
|
||
|
|
00 00 00 C7 44 24 40 5B 00 25 00 C7 44 24 44 30
|
||
|
|
00 38 00 C7 44 24 48 78 00 3A 00 C7 44 24 4C 25
|
||
|
|
00 30 00 C7 44 24 50 38 00 78 00 C7 44 24 54 5D
|
||
|
|
00 20 00 C7 44 24 58 25 00 77 00 C7 44 24 5C 5A
|
||
|
|
00 5C 00 C7 44 24 60 25 00 77 00 C7 44 24 64 5A
|
||
|
|
00 09 00 C7 44 24 68 25 00 77 00 C7 44 24 6C 5A
|
||
|
|
00 0A 00 C7 44 24 70 00 00 00 00 48 8D 94 24 80
|
||
|
|
00 00 00 48 8D 8C 24 88 00 00 00 48 B8 A0 7D ??
|
||
|
|
?? ?? ?? 00 00 FF D0 } // memssp creds logging function
|
||
|
|
// $xc2 = {6D 69 6D 69 C7 84 24 8C 00 00 00 6C 73 61 2E C7 84 24 90 00 00 00 6C 6F 67} - mimilsa.log
|
||
|
|
condition:
|
||
|
|
$xc1 // you can set condition to $xc1 and not $xc2 to detect non lazy memssp users
|
||
|
|
}
|
||
|
|
|
||
|
|
rule HKTL_mimikatz_icon {
|
||
|
|
meta:
|
||
|
|
description = "Detects mimikatz icon in PE file"
|
||
|
|
license = "Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License"
|
||
|
|
author = "Arnim Rupp"
|
||
|
|
reference = "https://blog.gentilkiwi.com/mimikatz"
|
||
|
|
date = "2023-02-18"
|
||
|
|
score = 60
|
||
|
|
hash1 = "61c0810a23580cf492a6ba4f7654566108331e7a4134c968c2d6a05261b2d8a1"
|
||
|
|
hash2 = "1c3f584164ef595a37837701739a11e17e46f9982fdcee020cf5e23bad1a0925"
|
||
|
|
hash3 = "c6bb98b24206228a54493274ff9757ce7e0cbb4ab2968af978811cc4a98fde85"
|
||
|
|
hash4 = "721d3476cdc655305902d682651fffbe72e54a97cd7e91f44d1a47606bae47ab"
|
||
|
|
hash5 = "c0f3523151fa307248b2c64bdaac5f167b19be6fccff9eba92ac363f6d5d2595"
|
||
|
|
id = "2a5ea476-a30d-5eac-b57a-3fb49386c046"
|
||
|
|
strings:
|
||
|
|
$ico = {79 e1 d7 ff 7e e5 db ff 7f e8 dc ff 85 eb dd ff ba ff f1 ff 66 a0 b6 ff 01 38 61 ff 22 50 75 c3}
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5A4D and
|
||
|
|
$ico and
|
||
|
|
filesize < 10MB
|
||
|
|
}
|
||
|
|
|