import "pe" /* Mimikatz */ rule Mimikatz_Memory_Rule_1 : APT { meta: author = "Florian Roth" date = "2014-12-22" modified = "2023-07-04" score = 70 nodeepdive = 1 description = "Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)" id = "55cc7129-5ea0-5545-a8f6-b5306a014dd0" strings: $s1 = "sekurlsa::wdigest" fullword ascii $s2 = "sekurlsa::logonPasswords" fullword ascii $s3 = "sekurlsa::minidump" fullword ascii $s4 = "sekurlsa::credman" fullword ascii $fp1 = "\"x_mitre_version\": " ascii $fp2 = "{\"type\":\"bundle\"," $fp3 = "use strict" ascii fullword $fp4 = "\"url\":\"https://attack.mitre.org/" ascii condition: 1 of ($s*) and not 1 of ($fp*) } /* we have much better rules now rule Mimikatz_Memory_Rule_2 : APT { meta: description = "Mimikatz Rule generated from a memory dump" author = "Florian Roth (Nextron Systems) - Florian Roth" score = 75 date = "2014-12-22" modified = "2023-05-19" reference = "https://blog.gentilkiwi.com/mimikatz" strings: $s0 = "sekurlsa::" ascii $x1 = "cryptprimitives.pdb" ascii $x2 = "Now is t1O" ascii fullword $x4 = "ALICE123" ascii $x5 = "BOBBY456" ascii condition: $s0 and 1 of ($x*) } */ rule mimikatz : FILE { meta: description = "mimikatz" author = "Benjamin DELPY (gentilkiwi)" tool_author = "Benjamin DELPY (gentilkiwi)" modified = "2022-11-16" id = "840a5b8c-a311-50bc-a099-6b8ab1492e12" strings: $exe_x86_1 = { 89 71 04 89 [0-3] 30 8d 04 bd } $exe_x86_2 = { 8b 4d e? 8b 45 f4 89 75 e? 89 01 85 ff 74 } $exe_x64_1 = { 33 ff 4? 89 37 4? 8b f3 45 85 c? 74} $exe_x64_2 = { 4c 8b df 49 [0-3] c1 e3 04 48 [0-3] 8b cb 4c 03 [0-3] d8 } /* $dll_1 = { c7 0? 00 00 01 00 [4-14] c7 0? 01 00 00 00 } $dll_2 = { c7 0? 10 02 00 00 ?? 89 4? } */ $sys_x86 = { a0 00 00 00 24 02 00 00 40 00 00 00 [0-4] b8 00 00 00 6c 02 00 00 40 00 00 00 } $sys_x64 = { 88 01 00 00 3c 04 00 00 40 00 00 00 [0-4] e8 02 00 00 f8 02 00 00 40 00 00 00 } condition: (all of ($exe_x86_*)) or (all of ($exe_x64_*)) // or (all of ($dll_*)) or (any of ($sys_*)) } rule wce { meta: description = "wce" author = "Benjamin DELPY (gentilkiwi)" tool_author = "Hernan Ochoa (hernano)" id = "857981ee-3f57-580b-8bfd-8d2109298e27" strings: $hex_legacy = { 8b ff 55 8b ec 6a 00 ff 75 0c ff 75 08 e8 [0-3] 5d c2 08 00 } $hex_x86 = { 8d 45 f0 50 8d 45 f8 50 8d 45 e8 50 6a 00 8d 45 fc 50 [0-8] 50 72 69 6d 61 72 79 00 } $hex_x64 = { ff f3 48 83 ec 30 48 8b d9 48 8d 15 [0-16] 50 72 69 6d 61 72 79 00 } condition: any of them } rule power_pe_injection { meta: description = "PowerShell with PE Reflective Injection" author = "Benjamin DELPY (gentilkiwi)" id = "a71fe9f2-9c2a-5650-a5c7-116b76f10db6" strings: $str_loadlib = "0x53, 0x48, 0x89, 0xe3, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xb9" condition: $str_loadlib } rule Mimikatz_Logfile { meta: description = "Detects a log file generated by malicious hack tool mimikatz" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" score = 80 date = "2015/03/31" id = "921d85fc-fb4d-57ed-b4ac-203d5c6f1e8e" strings: $s1 = "SID :" ascii fullword $s2 = "* NTLM :" ascii fullword $s3 = "Authentication Id :" ascii fullword $s4 = "wdigest :" ascii fullword condition: all of them } rule Mimikatz_Strings { meta: description = "Detects Mimikatz strings" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "not set" date = "2016-06-08" score = 65 id = "d8f63b71-c66c-5c10-9268-2d8970f7c8a1" strings: $x1 = "sekurlsa::logonpasswords" fullword wide ascii $x2 = "List tickets in MIT/Heimdall ccache" fullword ascii wide $x3 = "kuhl_m_kerberos_ptt_file ; LsaCallKerberosPackage %08x" fullword ascii wide $x4 = "* Injecting ticket :" fullword wide ascii $x5 = "mimidrv.sys" fullword wide ascii $x6 = "Lists LM & NTLM credentials" fullword wide ascii $x7 = "\\_ kerberos -" wide ascii $x8 = "* unknow :" fullword wide ascii $x9 = "\\_ *Password replace ->" wide ascii $x10 = "KIWI_MSV1_0_PRIMARY_CREDENTIALS KO" ascii wide $x11 = "\\\\.\\mimidrv" wide ascii $x12 = "Switch to MINIDUMP :" fullword wide ascii $x13 = "[masterkey] with password: %s (%s user)" fullword wide $x14 = "Clear screen (doesn't work with redirections, like PsExec)" fullword wide $x15 = "** Session key is NULL! It means allowtgtsessionkey is not set to 1 **" fullword wide $x16 = "[masterkey] with DPAPI_SYSTEM (machine, then user): " fullword wide condition: ( ( uint16(0) == 0x5a4d and 1 of ($x*) ) or ( 3 of them ) ) /* exclude false positives */ and not pe.imphash() == "77eaeca738dd89410a432c6bd6459907" } rule AppInitHook { meta: description = "AppInitGlobalHooks-Mimikatz - Hide Mimikatz From Process Lists - file AppInitHook.dll" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://goo.gl/Z292v6" date = "2015-07-15" score = 70 hash = "e7563e4f2a7e5f04a3486db4cefffba173349911a3c6abd7ae616d3bf08cfd45" id = "73713011-3083-5cdf-b59c-f4da67d2d2ab" strings: $s0 = "\\Release\\AppInitHook.pdb" ascii $s1 = "AppInitHook.dll" fullword ascii $s2 = "mimikatz.exe" fullword wide $s3 = "]X86Instruction->OperandSize >= Operand->Length" fullword wide $s4 = "mhook\\disasm-lib\\disasm.c" fullword wide $s5 = "mhook\\disasm-lib\\disasm_x86.c" fullword wide $s6 = "VoidFunc" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 500KB and 4 of them } rule HKTL_Mimikatz_SkeletonKey_in_memory_Aug20_1 { meta: description = "Detects Mimikatz SkeletonKey in Memory" author = "Florian Roth (Nextron Systems)" reference = "https://twitter.com/sbousseaden/status/1292143504131600384?s=12" date = "2020-08-09" id = "e7c1c512-e944-5d87-ac57-cdc9ab7cf660" strings: $x1 = { 60 ba 4f ca c7 44 24 34 dc 46 6c 7a c7 44 24 38 03 3c 17 81 c7 44 24 3c 94 c0 3d f6 } condition: 1 of them } rule HKTL_mimikatz_memssp_hookfn { meta: description = "Detects Default Mimikatz memssp module in-memory" author = "SBousseaden" date = "2020-08-26" reference = "https://github.com/sbousseaden/YaraHunts/blob/master/mimikatz_memssp_hookfn.yara" score = 70 id = "89940110-8a5e-5a28-bf64-3b568f8ef1f8" strings: $xc1 = { 48 81 EC A8 00 00 00 C7 84 24 88 00 00 00 ?? ?? ?? ?? C7 84 24 8C 00 00 00 ?? ?? ?? ?? C7 84 24 90 00 00 00 ?? ?? ?? 00 C7 84 24 80 00 00 00 61 00 00 00 C7 44 24 40 5B 00 25 00 C7 44 24 44 30 00 38 00 C7 44 24 48 78 00 3A 00 C7 44 24 4C 25 00 30 00 C7 44 24 50 38 00 78 00 C7 44 24 54 5D 00 20 00 C7 44 24 58 25 00 77 00 C7 44 24 5C 5A 00 5C 00 C7 44 24 60 25 00 77 00 C7 44 24 64 5A 00 09 00 C7 44 24 68 25 00 77 00 C7 44 24 6C 5A 00 0A 00 C7 44 24 70 00 00 00 00 48 8D 94 24 80 00 00 00 48 8D 8C 24 88 00 00 00 48 B8 A0 7D ?? ?? ?? ?? 00 00 FF D0 } // memssp creds logging function // $xc2 = {6D 69 6D 69 C7 84 24 8C 00 00 00 6C 73 61 2E C7 84 24 90 00 00 00 6C 6F 67} - mimilsa.log condition: $xc1 // you can set condition to $xc1 and not $xc2 to detect non lazy memssp users } rule HKTL_mimikatz_icon { meta: description = "Detects mimikatz icon in PE file" license = "Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License" author = "Arnim Rupp" reference = "https://blog.gentilkiwi.com/mimikatz" date = "2023-02-18" score = 60 hash1 = "61c0810a23580cf492a6ba4f7654566108331e7a4134c968c2d6a05261b2d8a1" hash2 = "1c3f584164ef595a37837701739a11e17e46f9982fdcee020cf5e23bad1a0925" hash3 = "c6bb98b24206228a54493274ff9757ce7e0cbb4ab2968af978811cc4a98fde85" hash4 = "721d3476cdc655305902d682651fffbe72e54a97cd7e91f44d1a47606bae47ab" hash5 = "c0f3523151fa307248b2c64bdaac5f167b19be6fccff9eba92ac363f6d5d2595" id = "2a5ea476-a30d-5eac-b57a-3fb49386c046" strings: $ico = {79 e1 d7 ff 7e e5 db ff 7f e8 dc ff 85 eb dd ff ba ff f1 ff 66 a0 b6 ff 01 38 61 ff 22 50 75 c3} condition: uint16(0) == 0x5A4D and $ico and filesize < 10MB }