18 lines
No EOL
707 B
Text
18 lines
No EOL
707 B
Text
|
|
rule HKTL_Koh_TokenStealer
|
|
{
|
|
meta:
|
|
description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project."
|
|
author = "Will Schroeder (@harmj0y)"
|
|
reference = "https://github.com/GhostPack/Koh"
|
|
id = "76b6cc9f-5db7-5e9b-939c-e713bad8137a"
|
|
strings:
|
|
$x_typelibguid = "4d5350c8-7f8c-47cf-8cde-c752018af17e" ascii
|
|
|
|
$s1 = "[*] Already SYSTEM, not elevating" wide fullword
|
|
$s2 = "S-1-[0-59]-\\d{2}-\\d{8,10}-\\d{8,10}-\\d{8,10}-[1-9]\\d{2}" wide
|
|
$s3 = "0x[0-9A-Fa-f]+$" wide
|
|
$s4 = "\\Koh.pdb" ascii
|
|
condition:
|
|
uint16(0) == 0x5A4D and 1 of ($x*) or 3 of them
|
|
} |