/* Yara Rule Set Author: Florian Roth Date: 2015-07-10 Identifier: Pass-the-Hash-Toolkit */ /* Rule Set ----------------------------------------------------------------- */ rule whosthere_alt { meta: description = "Auto-generated rule - file whosthere-alt.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit" date = "2015-07-10" score = 80 hash = "9b4c3691872ca5adf6d312b04190c6e14dd9cbe10e94c0dd3ee874f82db897de" id = "92e98381-9142-58af-82ce-4df9eb0a0039" strings: $s0 = "WHOSTHERE-ALT v1.1 - by Hernan Ochoa (hochoa@coresecurity.com, hernan@gmail.com) - (c) 2007-2008 Core Security Technologies" fullword ascii /* PEStudio Blacklist: strings */ /* score: '49.00' */ $s1 = "whosthere enters an infinite loop and searches for new logon sessions every 2 seconds. Only new sessions are shown if found." fullword ascii /* PEStudio Blacklist: strings */ /* score: '36.00' */ $s2 = "dump output to a file, -o filename" fullword ascii /* PEStudio Blacklist: strings */ /* score: '30.00' */ $s3 = "This tool lists the active LSA logon sessions with NTLM credentials." fullword ascii /* PEStudio Blacklist: strings */ /* score: '29.00' */ $s4 = "Error: pth.dll is not in the current directory!." fullword ascii /* score: '24.00' */ $s5 = "the output format is: username:domain:lmhash:nthash" fullword ascii /* PEStudio Blacklist: strings */ /* score: '17.00' */ $s6 = ".\\pth.dll" fullword ascii /* score: '16.00' */ $s7 = "Cannot get LSASS.EXE PID!" fullword ascii /* score: '14.00' */ condition: uint16(0) == 0x5a4d and filesize < 280KB and 2 of them } rule iam_alt_iam_alt { meta: description = "Auto-generated rule - file iam-alt.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit" date = "2015-07-10" score = 80 hash = "2ea662ef58142d9e340553ce50d95c1b7a405672acdfd476403a565bdd0cfb90" id = "cf8ec963-ed23-531e-8ea2-ff9f8643aa75" strings: $s0 = ". Create a new logon session and run a command with the specified credentials (e.g.: -r cmd.exe)" fullword ascii /* PEStudio Blacklist: strings */ /* score: '59.00' */ $s1 = "IAM-ALT v1.1 - by Hernan Ochoa (hochoa@coresecurity.com, hernan@gmail.com) - (c) 2007-2008 Core Security Technologies" fullword ascii /* PEStudio Blacklist: strings */ /* score: '43.00' */ $s2 = "This tool allows you to change the NTLM credentials of the current logon session" fullword ascii /* PEStudio Blacklist: strings */ /* score: '31.00' */ $s3 = "username:domainname:lmhash:nthash" fullword ascii /* PEStudio Blacklist: strings */ /* score: '15.00' */ $s4 = "Error in cmdline!. Bye!." fullword ascii /* score: '12.00' */ $s5 = "Error: Cannot open LSASS.EXE!." fullword ascii /* score: '12.00' */ $s6 = "nthash is too long!." fullword ascii /* score: '8.00' */ $s7 = "LSASS HANDLE: %x" fullword ascii /* score: '5.00' */ condition: uint16(0) == 0x5a4d and filesize < 240KB and 2 of them } rule genhash_genhash { meta: description = "Auto-generated rule - file genhash.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit" date = "2015-07-10" score = 80 hash = "113df11063f8634f0d2a28e0b0e3c2b1f952ef95bad217fd46abff189be5373f" id = "bec3c014-df3b-5ac0-9501-9b648856e02b" strings: $s1 = "genhash.exe " fullword ascii /* PEStudio Blacklist: strings */ /* score: '30.00' */ $s3 = "Password: %s" fullword ascii /* PEStudio Blacklist: strings */ /* score: '17.00' */ $s4 = "%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X" fullword ascii /* score: '11.00' */ $s5 = "This tool generates LM and NT hashes." fullword ascii /* score: '10.00' */ $s6 = "(hashes format: LM Hash:NT hash)" fullword ascii /* score: '10.00' */ condition: uint16(0) == 0x5a4d and filesize < 200KB and 2 of them } rule iam_iamdll { meta: description = "Auto-generated rule - file iamdll.dll" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit" date = "2015-07-10" score = 80 hash = "892de92f71941f7b9e550de00a57767beb7abe1171562e29428b84988cee6602" id = "15e8ddac-af17-5509-b552-b4364af57c90" strings: $s0 = "LSASRV.DLL" fullword ascii /* score: '21.00' */ $s1 = "iamdll.dll" fullword ascii /* score: '21.00' */ $s2 = "ChangeCreds" fullword ascii /* score: '12.00' */ condition: uint16(0) == 0x5a4d and filesize < 115KB and all of them } rule iam_iam { meta: description = "Auto-generated rule - file iam.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit" date = "2015-07-10" score = 80 hash = "8a8fcce649259f1b670bb1d996f0d06f6649baa8eed60db79b2c16ad22d14231" id = "15e8ddac-af17-5509-b552-b4364af57c90" strings: $s1 = ". Create a new logon session and run a command with the specified credentials (e.g.: -r cmd.exe)" fullword ascii /* PEStudio Blacklist: strings */ /* score: '59.00' */ $s2 = "iam.exe -h administrator:mydomain:" ascii /* PEStudio Blacklist: strings */ /* score: '40.00' */ $s3 = "An error was encountered when trying to change the current logon credentials!." fullword ascii /* PEStudio Blacklist: strings */ /* score: '33.00' */ $s4 = "optional parameter. If iam.exe crashes or doesn't work when run in your system, use this parameter." fullword ascii /* PEStudio Blacklist: strings */ /* score: '30.00' */ $s5 = "IAM.EXE will try to locate some memory locations instead of using hard-coded values." fullword ascii /* score: '26.00' */ $s6 = "Error in cmdline!. Bye!." fullword ascii /* score: '12.00' */ $s7 = "Checking LSASRV.DLL...." fullword ascii /* score: '12.00' */ condition: uint16(0) == 0x5a4d and filesize < 300KB and all of them } rule whosthere_alt_pth { meta: description = "Auto-generated rule - file pth.dll" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit" date = "2015-07-10" score = 80 hash = "fbfc8e1bc69348721f06e96ff76ae92f3551f33ed3868808efdb670430ae8bd0" id = "92e98381-9142-58af-82ce-4df9eb0a0039" strings: $s0 = "c:\\debug.txt" fullword ascii /* PEStudio Blacklist: strings */ /* score: '23.00' */ $s1 = "pth.dll" fullword ascii /* score: '20.00' */ $s2 = "\"Primary\" string found at %.8Xh" fullword ascii /* score: '7.00' */ $s3 = "\"Primary\" string not found!" fullword ascii /* score: '6.00' */ $s4 = "segment 1 found at %.8Xh" fullword ascii /* score: '6.00' */ condition: uint16(0) == 0x5a4d and filesize < 240KB and 4 of them } rule whosthere { meta: description = "Auto-generated rule - file whosthere.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit" date = "2015-07-10" score = 80 hash = "d7a82204d3e511cf5af58eabdd6e9757c5dd243f9aca3999dc0e5d1603b1fa37" id = "92e98381-9142-58af-82ce-4df9eb0a0039" strings: $s1 = "by Hernan Ochoa (hochoa@coresecurity.com, hernan@gmail.com) - (c) 2007-2008 Core Security Technologies" fullword ascii /* PEStudio Blacklist: strings */ /* score: '48.00' */ $s2 = "whosthere enters an infinite loop and searches for new logon sessions every 2 seconds. Only new sessions are shown if found." fullword ascii /* PEStudio Blacklist: strings */ /* score: '36.00' */ $s3 = "specify addresses to use. Format: ADDCREDENTIAL_ADDR:ENCRYPTMEMORY_ADDR:FEEDBACK_ADDR:DESKEY_ADDR:LOGONSESSIONLIST_ADDR:LOGONSES" ascii /* PEStudio Blacklist: strings */ /* score: '28.00' */ $s4 = "Could not enable debug privileges. You must run this tool with an account with administrator privileges." fullword ascii /* PEStudio Blacklist: strings */ /* score: '27.00' */ $s5 = "-B is now used by default. Trying to find correct addresses.." fullword ascii /* PEStudio Blacklist: strings */ /* score: '15.00' */ $s6 = "Cannot get LSASS.EXE PID!" fullword ascii /* score: '14.00' */ condition: uint16(0) == 0x5a4d and filesize < 320KB and 2 of them }