30 lines
901 B
Text
30 lines
901 B
Text
|
/*
|
||
|
This rule attempts to find passwords in memory for hotmail, yahoo, gmail, facebook, amazon, twitter.com, linkedin.com, ebay.com and perhaps others.
|
||
|
|
||
|
Use with volatility yarascan like this: "vol.py -f mymem.img --profile=myprofile yarascan --yara-file=browserpass.yar"
|
||
|
*/
|
||
|
|
||
|
rule browser_pass
|
||
|
{
|
||
|
meta:
|
||
|
author = "swood"
|
||
|
description = "This module is intended for forensicators and pen-testers to find passwords in memory that can help their case/engagement."
|
||
|
//Use for good not evil!"
|
||
|
reference = "https://github.com/swoodsec/YARA-RULES/blob/master/browserpass.yar"
|
||
|
|
||
|
strings:
|
||
|
$1 = "Passwd="
|
||
|
$2 = "passwd="
|
||
|
$3 = "Password="
|
||
|
$4 = "password="
|
||
|
$5 = "Pwd="
|
||
|
$6 = "pwd="
|
||
|
$7 = "Pass="
|
||
|
$8 = "pass="
|
||
|
$9 = "session_password="
|
||
|
$10 = "Session_Password="
|
||
|
|
||
|
condition:
|
||
|
any of them
|
||
|
}
|