Yara Rule - Detects password dumper mimikatz in memory (False Positives: a service that could have copied a Mimikatz executable, AV signatures)

Yara definition.

Author: Florian Roth

https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/

The excerpt below is a fragmentary extraction of the commit's diff, not one complete rule: it mixes meta, string and condition lines from several rules touched by the commit (the Mimikatz memory rule, a rule with NetScaler `nsconfig`/`ns_gui` paths, the rule formerly named `EXPL_POC_VMWare_Workspace_ONE_CVE_2022_22954_Apr22`, a rule dated 2014-12-22 carrying MITRE ATT&CK JSON false-positive strings, and the `ProcExpDriver.pdb` rule referenced by the Sophos AuKill write-up above). Rule names and most condition blocks are missing, and the line ending in `and /* ... */` is cut off. Note that the three values labelled `md5_1..3` are 64 hex digits long, i.e. SHA-256 length, not MD5; they are reproduced verbatim.

```yara
/* fragment: Mimikatz memory rule */
modified = "2023-07-26"
md5_1 = "0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8"
md5_2 = "0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b"
md5_3 = "09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669"
$s3 = "mimilove" fullword ascii wide
$fp1 = "SgrmEnclave" wide
$fp2 = "Kaspersky Lab Anti-Rootkit Monitor Driver" wide
uint16(0) == 0x5a4d and filesize < 800KB and /* Added by Florian Roth to avoid false positives */

/* fragment: rule dated 2023-07-18 with NetScaler paths */
date = "2023-07-18"
modified = "2023-07-21"
score = 70
$sa1 = "216.41.162.172" ascii fullword
$sb1 = "/flash/nsconfig/keys" ascii
$sb2 = "ldapsearch" ascii fullword
$sb3 = "ns_gui/vpn" ascii
$sb4 = "LDAPTLS_REQCERT" ascii fullword
filepath == "/var/log"

/* fragment: CVE-2022-22954 Freemarker template injection rule */
old_rule_name = "EXPL_POC_VMWare_Workspace_ONE_CVE_2022_22954_Apr22"
date = "2022-04-08"
modified = "2023-04-28"
score = 70
$x1 = "66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%3f%6e%65%77%28%29%28" ascii
$x2 = "${\"freemarker.template.utility.Execute\"?new()("
$x3 = "cat /etc/passwd\")).(#execute=#instancemanager.newInstance(\"freemarker.template.utility.Execute"
$x4 = "cat /etc/passwd\\\")).(#execute=#instancemanager.newInstance(\\\"freemarker.template.utility.Execute"
$x5 = "cat /etc/shadow\")).(#execute=#instancemanager.newInstance(\"freemarker.template.utility.Execute"
$x6 = "cat /etc/shadow\\\")).(#execute=#instancemanager.newInstance(\\\"freemarker.template.utility.Execute"

/* fragment: rule dated 2014-12-22 with MITRE ATT&CK JSON false-positive strings */
date = "2014-12-22"
modified = "2023-07-04"
score = 70
nodeepdive = 1
$fp1 = "\"x_mitre_version\": " ascii
$fp2 = "{\"type\":\"bundle\","
$fp3 = "use strict" ascii fullword
$fp4 = "\"url\":\"https://attack.mitre.org/" ascii

/* fragment: ProcExpDriver (AuKill) rule */
date = "2023-05-05"
modified = "2023-07-28"
score = 50
hash1 = "cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc"
$a1 = "\\ProcExpDriver.pdb" ascii
```
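The Mimikatz fragment above relies on YARA string modifiers (`ascii`, `wide`, `fullword`), a PE-header gate (`uint16(0) == 0x5a4d`), a size cap (`filesize < 800KB`) and `$fp` strings that suppress known-good drivers. As an added example (my own code, not from this page or from signature-base), the block below re-implements those semantics in plain Python and runs them over constructed sample buffers, so the effect of each clause can be seen without a YARA build. The excerpt does not show the rule's full condition; combining the pieces as `$s3 and not any of ($fp*)` is an assumption, and the function and sample names are mine. It also decodes `$x1` from the CVE-2022-22954 fragment to show it is the percent-encoded form of `$x2`'s payload with the leading `%` clipped.

```python
import struct
from urllib.parse import unquote

# Strings quoted from the rule excerpt on this page.
S3_MIMILOVE = "mimilove"                                    # $s3 ... fullword ascii wide
FP_STRINGS = ["SgrmEnclave",                                # $fp1 ... wide
              "Kaspersky Lab Anti-Rootkit Monitor Driver"]  # $fp2 ... wide
MZ_MAGIC = 0x5A4D                                           # uint16(0) == 0x5a4d ("MZ" little-endian)
MAX_SIZE = 800 * 1024                                       # filesize < 800KB
X1_ENCODED = ("66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74"
              "%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%3f%6e%65%77%28%29%28")
X2_PLAIN = '${"freemarker.template.utility.Execute"?new()('

ALNUM = set(b"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")


def _alnum_char(chunk, width):
    """True if chunk is one ASCII alphanumeric in the given width
    (1 = ascii, 2 = UTF-16LE); such a neighbour breaks a fullword match."""
    if len(chunk) < width:
        return False
    if width == 2 and chunk[1] != 0:
        return False
    return chunk[0] in ALNUM


def find_string(data, text, ascii_=True, wide=False, fullword=False):
    """YARA-like search: `ascii` = raw bytes, `wide` = UTF-16LE,
    `fullword` = not adjacent to an alphanumeric of the same width."""
    patterns = []
    if ascii_:
        patterns.append((text.encode("ascii"), 1))
    if wide:
        patterns.append((text.encode("utf-16-le"), 2))
    for pat, width in patterns:
        start = 0
        while True:
            idx = data.find(pat, start)
            if idx < 0:
                break
            if not fullword:
                return True
            before_ok = idx - width < 0 or not _alnum_char(data[idx - width:idx], width)
            end = idx + len(pat)
            after_ok = not _alnum_char(data[end:end + width], width)
            if before_ok and after_ok:
                return True
            start = idx + 1
    return False


def mimikatz_memory_match(data):
    """Evaluate the excerpt's clauses on one buffer.
    ASSUMPTION: full condition taken as
    uint16(0) == 0x5a4d and filesize < 800KB and $s3 and not any of ($fp*)."""
    if len(data) < 2 or struct.unpack("<H", data[:2])[0] != MZ_MAGIC:
        return False                      # not a PE image
    if len(data) >= MAX_SIZE:
        return False                      # filesize cap
    if not find_string(data, S3_MIMILOVE, ascii_=True, wide=True, fullword=True):
        return False                      # no mimikatz marker string
    for fp in FP_STRINGS:
        if find_string(data, fp, ascii_=False, wide=True):
            return False                  # known-good driver, suppressed
    return True


def decode_x1():
    """Restore the clipped leading '%' and percent-decode $x1."""
    return unquote("%" + X1_ENCODED)


def build_sample(strings, mz=True, pad=64):
    """Constructed test buffer: optional MZ header, zero padding, then the strings."""
    buf = bytearray(b"MZ" if mz else b"\x7fEL") + b"\x00" * pad
    for s in strings:
        buf += s + b"\x00" * 4
    return bytes(buf)


# Constructed samples, not real binaries.
SAMPLES = {
    "mimikatz_ascii": build_sample([b"mimilove"]),
    "mimikatz_wide": build_sample(["mimilove".encode("utf-16-le")]),
    "not_fullword": build_sample([b"mimilovely"]),              # "mimilove" + alnum
    "av_driver_fp": build_sample(["mimilove".encode("utf-16-le"),
                                  "SgrmEnclave".encode("utf-16-le")]),
    "not_pe": build_sample([b"mimilove"], mz=False),
    "too_big": build_sample([b"mimilove"], pad=MAX_SIZE),
}


def scan_all():
    return {name: mimikatz_memory_match(buf) for name, buf in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in scan_all().items():
        print(f"{name:16} {'MATCH' if hit else 'no match'}")
    print("decoded $x1:", decode_x1())
```

This is a teaching model of the modifier semantics, not a substitute for the YARA engine; to run the real rule, compile it with yara-python or the `yara` CLI against a process dump. The `av_driver_fp` sample shows why the `$fp` strings exist: a legitimate driver that happens to carry a Mimikatz marker string is excluded rather than flagged.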

Source commit: [https://github.com/Neo23x0/signature-base/commit/8f3310af33f17797020648bfeede27033009316d](https://github.com/Neo23x0/signature-base/commit/8f3310af33f17797020648bfeede27033009316d)