Sneed-Reactivity/yara-Neo23x0/gen_hktl_koh_tokenstealer.yar


// Detects the GhostPack "Koh" token-stealing tool (see reference) by its
// .NET TypeLibGUID and a small set of literal strings embedded in the binary.
rule HKTL_Koh_TokenStealer
{
meta:
description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project."
author = "Will Schroeder (@harmj0y)"
reference = "https://github.com/GhostPack/Koh"
id = "76b6cc9f-5db7-5e9b-939c-e713bad8137a"
strings:
// High-confidence indicator: the project's TypeLibGUID, which is derived from
// the ProjectGuid in the .csproj (see description above).
$x_typelibguid = "4d5350c8-7f8c-47cf-8cde-c752018af17e" ascii
// Supporting strings. $s2 and $s3 are regex-looking text that the tool itself
// carries; they are matched here as literal UTF-16 strings (double quotes), not
// as YARA regular expressions, so "\\d" matches the two characters '\d'.
$s1 = "[*] Already SYSTEM, not elevating" wide fullword
$s2 = "S-1-[0-59]-\\d{2}-\\d{8,10}-\\d{8,10}-\\d{8,10}-[1-9]\\d{2}" wide
$s3 = "0x[0-9A-Fa-f]+$" wide
$s4 = "\\Koh.pdb" ascii
condition:
// uint16(0) == 0x5A4D is the "MZ" DOS header, i.e. the file is a PE image.
// YARA's 'and' binds tighter than 'or', so this reads as
// (MZ and 1 of ($x*)) or (3 of them): the three-string branch fires on any
// file type, not only PE files.
// NOTE(review): confirm the ungated "3 of them" branch is intended; if not,
// parenthesise as uint16(0) == 0x5A4D and (1 of ($x*) or 3 of them).
uint16(0) == 0x5A4D and 1 of ($x*) or 3 of them
}