Sneed-Reactivity/yara-Neo23x0/apt_passthehashtoolkit.yar

157 lines
8.8 KiB
Text
Raw Normal View History

/*
Yara Rule Set
Author: Florian Roth
Date: 2015-07-10
Identifier: Pass-the-Hash-Toolkit
*/
/* Rule Set ----------------------------------------------------------------- */
rule whosthere_alt {
meta:
description = "Auto-generated rule - file whosthere-alt.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
date = "2015-07-10"
score = 80
hash = "9b4c3691872ca5adf6d312b04190c6e14dd9cbe10e94c0dd3ee874f82db897de"
id = "92e98381-9142-58af-82ce-4df9eb0a0039"
strings:
$s0 = "WHOSTHERE-ALT v1.1 - by Hernan Ochoa (hochoa@coresecurity.com, hernan@gmail.com) - (c) 2007-2008 Core Security Technologies" fullword ascii /* PEStudio Blacklist: strings */ /* score: '49.00' */
$s1 = "whosthere enters an infinite loop and searches for new logon sessions every 2 seconds. Only new sessions are shown if found." fullword ascii /* PEStudio Blacklist: strings */ /* score: '36.00' */
$s2 = "dump output to a file, -o filename" fullword ascii /* PEStudio Blacklist: strings */ /* score: '30.00' */
$s3 = "This tool lists the active LSA logon sessions with NTLM credentials." fullword ascii /* PEStudio Blacklist: strings */ /* score: '29.00' */
$s4 = "Error: pth.dll is not in the current directory!." fullword ascii /* score: '24.00' */
$s5 = "the output format is: username:domain:lmhash:nthash" fullword ascii /* PEStudio Blacklist: strings */ /* score: '17.00' */
$s6 = ".\\pth.dll" fullword ascii /* score: '16.00' */
$s7 = "Cannot get LSASS.EXE PID!" fullword ascii /* score: '14.00' */
condition:
uint16(0) == 0x5a4d and filesize < 280KB and 2 of them
}
rule iam_alt_iam_alt {
meta:
description = "Auto-generated rule - file iam-alt.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
date = "2015-07-10"
score = 80
hash = "2ea662ef58142d9e340553ce50d95c1b7a405672acdfd476403a565bdd0cfb90"
id = "cf8ec963-ed23-531e-8ea2-ff9f8643aa75"
strings:
$s0 = "<cmd>. Create a new logon session and run a command with the specified credentials (e.g.: -r cmd.exe)" fullword ascii /* PEStudio Blacklist: strings */ /* score: '59.00' */
$s1 = "IAM-ALT v1.1 - by Hernan Ochoa (hochoa@coresecurity.com, hernan@gmail.com) - (c) 2007-2008 Core Security Technologies" fullword ascii /* PEStudio Blacklist: strings */ /* score: '43.00' */
$s2 = "This tool allows you to change the NTLM credentials of the current logon session" fullword ascii /* PEStudio Blacklist: strings */ /* score: '31.00' */
$s3 = "username:domainname:lmhash:nthash" fullword ascii /* PEStudio Blacklist: strings */ /* score: '15.00' */
$s4 = "Error in cmdline!. Bye!." fullword ascii /* score: '12.00' */
$s5 = "Error: Cannot open LSASS.EXE!." fullword ascii /* score: '12.00' */
$s6 = "nthash is too long!." fullword ascii /* score: '8.00' */
$s7 = "LSASS HANDLE: %x" fullword ascii /* score: '5.00' */
condition:
uint16(0) == 0x5a4d and filesize < 240KB and 2 of them
}
rule genhash_genhash {
meta:
description = "Auto-generated rule - file genhash.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
date = "2015-07-10"
score = 80
hash = "113df11063f8634f0d2a28e0b0e3c2b1f952ef95bad217fd46abff189be5373f"
id = "bec3c014-df3b-5ac0-9501-9b648856e02b"
strings:
$s1 = "genhash.exe <password>" fullword ascii /* PEStudio Blacklist: strings */ /* score: '30.00' */
$s3 = "Password: %s" fullword ascii /* PEStudio Blacklist: strings */ /* score: '17.00' */
$s4 = "%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X" fullword ascii /* score: '11.00' */
$s5 = "This tool generates LM and NT hashes." fullword ascii /* score: '10.00' */
$s6 = "(hashes format: LM Hash:NT hash)" fullword ascii /* score: '10.00' */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and 2 of them
}
rule iam_iamdll {
meta:
description = "Auto-generated rule - file iamdll.dll"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
date = "2015-07-10"
score = 80
hash = "892de92f71941f7b9e550de00a57767beb7abe1171562e29428b84988cee6602"
id = "15e8ddac-af17-5509-b552-b4364af57c90"
strings:
$s0 = "LSASRV.DLL" fullword ascii /* score: '21.00' */
$s1 = "iamdll.dll" fullword ascii /* score: '21.00' */
$s2 = "ChangeCreds" fullword ascii /* score: '12.00' */
condition:
uint16(0) == 0x5a4d and filesize < 115KB and all of them
}
rule iam_iam {
meta:
description = "Auto-generated rule - file iam.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
date = "2015-07-10"
score = 80
hash = "8a8fcce649259f1b670bb1d996f0d06f6649baa8eed60db79b2c16ad22d14231"
id = "15e8ddac-af17-5509-b552-b4364af57c90"
strings:
$s1 = "<cmd>. Create a new logon session and run a command with the specified credentials (e.g.: -r cmd.exe)" fullword ascii /* PEStudio Blacklist: strings */ /* score: '59.00' */
$s2 = "iam.exe -h administrator:mydomain:" ascii /* PEStudio Blacklist: strings */ /* score: '40.00' */
$s3 = "An error was encountered when trying to change the current logon credentials!." fullword ascii /* PEStudio Blacklist: strings */ /* score: '33.00' */
$s4 = "optional parameter. If iam.exe crashes or doesn't work when run in your system, use this parameter." fullword ascii /* PEStudio Blacklist: strings */ /* score: '30.00' */
$s5 = "IAM.EXE will try to locate some memory locations instead of using hard-coded values." fullword ascii /* score: '26.00' */
$s6 = "Error in cmdline!. Bye!." fullword ascii /* score: '12.00' */
$s7 = "Checking LSASRV.DLL...." fullword ascii /* score: '12.00' */
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them
}
rule whosthere_alt_pth {
meta:
description = "Auto-generated rule - file pth.dll"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
date = "2015-07-10"
score = 80
hash = "fbfc8e1bc69348721f06e96ff76ae92f3551f33ed3868808efdb670430ae8bd0"
id = "92e98381-9142-58af-82ce-4df9eb0a0039"
strings:
$s0 = "c:\\debug.txt" fullword ascii /* PEStudio Blacklist: strings */ /* score: '23.00' */
$s1 = "pth.dll" fullword ascii /* score: '20.00' */
$s2 = "\"Primary\" string found at %.8Xh" fullword ascii /* score: '7.00' */
$s3 = "\"Primary\" string not found!" fullword ascii /* score: '6.00' */
$s4 = "segment 1 found at %.8Xh" fullword ascii /* score: '6.00' */
condition:
uint16(0) == 0x5a4d and filesize < 240KB and 4 of them
}
rule whosthere {
meta:
description = "Auto-generated rule - file whosthere.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
date = "2015-07-10"
score = 80
hash = "d7a82204d3e511cf5af58eabdd6e9757c5dd243f9aca3999dc0e5d1603b1fa37"
id = "92e98381-9142-58af-82ce-4df9eb0a0039"
strings:
$s1 = "by Hernan Ochoa (hochoa@coresecurity.com, hernan@gmail.com) - (c) 2007-2008 Core Security Technologies" fullword ascii /* PEStudio Blacklist: strings */ /* score: '48.00' */
$s2 = "whosthere enters an infinite loop and searches for new logon sessions every 2 seconds. Only new sessions are shown if found." fullword ascii /* PEStudio Blacklist: strings */ /* score: '36.00' */
$s3 = "specify addresses to use. Format: ADDCREDENTIAL_ADDR:ENCRYPTMEMORY_ADDR:FEEDBACK_ADDR:DESKEY_ADDR:LOGONSESSIONLIST_ADDR:LOGONSES" ascii /* PEStudio Blacklist: strings */ /* score: '28.00' */
$s4 = "Could not enable debug privileges. You must run this tool with an account with administrator privileges." fullword ascii /* PEStudio Blacklist: strings */ /* score: '27.00' */
$s5 = "-B is now used by default. Trying to find correct addresses.." fullword ascii /* PEStudio Blacklist: strings */ /* score: '15.00' */
$s6 = "Cannot get LSASS.EXE PID!" fullword ascii /* score: '14.00' */
condition:
uint16(0) == 0x5a4d and filesize < 320KB and 2 of them
}