-
Notifications
You must be signed in to change notification settings - Fork 1
/
TOOLKIT_PassTheHash.yar
136 lines (129 loc) · 7.75 KB
/
TOOLKIT_PassTheHash.yar
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule whosthere_alt : Toolkit {
meta:
description = "Auto-generated rule - file whosthere-alt.exe"
author = "Florian Roth"
reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
date = "2015-07-10"
score = 80
hash = "9b4c3691872ca5adf6d312b04190c6e14dd9cbe10e94c0dd3ee874f82db897de"
strings:
$s0 = "WHOSTHERE-ALT v1.1 - by Hernan Ochoa (hochoa@coresecurity.com, hernan@gmail.com) - (c) 2007-2008 Core Security Technologies" fullword ascii /* PEStudio Blacklist: strings */ /* score: '49.00' */
$s1 = "whosthere enters an infinite loop and searches for new logon sessions every 2 seconds. Only new sessions are shown if found." fullword ascii /* PEStudio Blacklist: strings */ /* score: '36.00' */
$s2 = "dump output to a file, -o filename" fullword ascii /* PEStudio Blacklist: strings */ /* score: '30.00' */
$s3 = "This tool lists the active LSA logon sessions with NTLM credentials." fullword ascii /* PEStudio Blacklist: strings */ /* score: '29.00' */
$s4 = "Error: pth.dll is not in the current directory!." fullword ascii /* score: '24.00' */
$s5 = "the output format is: username:domain:lmhash:nthash" fullword ascii /* PEStudio Blacklist: strings */ /* score: '17.00' */
$s6 = ".\\pth.dll" fullword ascii /* score: '16.00' */
$s7 = "Cannot get LSASS.EXE PID!" fullword ascii /* score: '14.00' */
condition:
uint16(0) == 0x5a4d and filesize < 280KB and 2 of them
}
rule iam_alt_iam_alt : Toolkit {
meta:
description = "Auto-generated rule - file iam-alt.exe"
author = "Florian Roth"
reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
date = "2015-07-10"
score = 80
hash = "2ea662ef58142d9e340553ce50d95c1b7a405672acdfd476403a565bdd0cfb90"
strings:
$s0 = "<cmd>. Create a new logon session and run a command with the specified credentials (e.g.: -r cmd.exe)" fullword ascii /* PEStudio Blacklist: strings */ /* score: '59.00' */
$s1 = "IAM-ALT v1.1 - by Hernan Ochoa (hochoa@coresecurity.com, hernan@gmail.com) - (c) 2007-2008 Core Security Technologies" fullword ascii /* PEStudio Blacklist: strings */ /* score: '43.00' */
$s2 = "This tool allows you to change the NTLM credentials of the current logon session" fullword ascii /* PEStudio Blacklist: strings */ /* score: '31.00' */
$s3 = "username:domainname:lmhash:nthash" fullword ascii /* PEStudio Blacklist: strings */ /* score: '15.00' */
$s4 = "Error in cmdline!. Bye!." fullword ascii /* score: '12.00' */
$s5 = "Error: Cannot open LSASS.EXE!." fullword ascii /* score: '12.00' */
$s6 = "nthash is too long!." fullword ascii /* score: '8.00' */
$s7 = "LSASS HANDLE: %x" fullword ascii /* score: '5.00' */
condition:
uint16(0) == 0x5a4d and filesize < 240KB and 2 of them
}
rule genhash_genhash : Toolkit {
meta:
description = "Auto-generated rule - file genhash.exe"
author = "Florian Roth"
reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
date = "2015-07-10"
score = 80
hash = "113df11063f8634f0d2a28e0b0e3c2b1f952ef95bad217fd46abff189be5373f"
strings:
$s1 = "genhash.exe <password>" fullword ascii /* PEStudio Blacklist: strings */ /* score: '30.00' */
$s3 = "Password: %s" fullword ascii /* PEStudio Blacklist: strings */ /* score: '17.00' */
$s4 = "%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X" fullword ascii /* score: '11.00' */
$s5 = "This tool generates LM and NT hashes." fullword ascii /* score: '10.00' */
$s6 = "(hashes format: LM Hash:NT hash)" fullword ascii /* score: '10.00' */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and 2 of them
}
rule iam_iamdll : Toolkit {
meta:
description = "Auto-generated rule - file iamdll.dll"
author = "Florian Roth"
reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
date = "2015-07-10"
score = 80
hash = "892de92f71941f7b9e550de00a57767beb7abe1171562e29428b84988cee6602"
strings:
$s0 = "LSASRV.DLL" fullword ascii /* score: '21.00' */
$s1 = "iamdll.dll" fullword ascii /* score: '21.00' */
$s2 = "ChangeCreds" fullword ascii /* score: '12.00' */
condition:
uint16(0) == 0x5a4d and filesize < 115KB and all of them
}
rule iam_iam : Toolkit {
meta:
description = "Auto-generated rule - file iam.exe"
author = "Florian Roth"
reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
date = "2015-07-10"
score = 80
hash = "8a8fcce649259f1b670bb1d996f0d06f6649baa8eed60db79b2c16ad22d14231"
strings:
$s1 = "<cmd>. Create a new logon session and run a command with the specified credentials (e.g.: -r cmd.exe)" fullword ascii /* PEStudio Blacklist: strings */ /* score: '59.00' */
$s2 = "iam.exe -h administrator:mydomain:" ascii /* PEStudio Blacklist: strings */ /* score: '40.00' */
$s3 = "An error was encountered when trying to change the current logon credentials!." fullword ascii /* PEStudio Blacklist: strings */ /* score: '33.00' */
$s4 = "optional parameter. If iam.exe crashes or doesn't work when run in your system, use this parameter." fullword ascii /* PEStudio Blacklist: strings */ /* score: '30.00' */
$s5 = "IAM.EXE will try to locate some memory locations instead of using hard-coded values." fullword ascii /* score: '26.00' */
$s6 = "Error in cmdline!. Bye!." fullword ascii /* score: '12.00' */
$s7 = "Checking LSASRV.DLL...." fullword ascii /* score: '12.00' */
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them
}
rule whosthere_alt_pth : Toolkit {
meta:
description = "Auto-generated rule - file pth.dll"
author = "Florian Roth"
reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
date = "2015-07-10"
score = 80
hash = "fbfc8e1bc69348721f06e96ff76ae92f3551f33ed3868808efdb670430ae8bd0"
strings:
$s0 = "c:\\debug.txt" fullword ascii /* PEStudio Blacklist: strings */ /* score: '23.00' */
$s1 = "pth.dll" fullword ascii /* score: '20.00' */
$s2 = "\"Primary\" string found at %.8Xh" fullword ascii /* score: '7.00' */
$s3 = "\"Primary\" string not found!" fullword ascii /* score: '6.00' */
$s4 = "segment 1 found at %.8Xh" fullword ascii /* score: '6.00' */
condition:
uint16(0) == 0x5a4d and filesize < 240KB and 4 of them
}
rule whosthere : Toolkit {
meta:
description = "Auto-generated rule - file whosthere.exe"
author = "Florian Roth"
reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
date = "2015-07-10"
score = 80
hash = "d7a82204d3e511cf5af58eabdd6e9757c5dd243f9aca3999dc0e5d1603b1fa37"
strings:
$s1 = "by Hernan Ochoa (hochoa@coresecurity.com, hernan@gmail.com) - (c) 2007-2008 Core Security Technologies" fullword ascii /* PEStudio Blacklist: strings */ /* score: '48.00' */
$s2 = "whosthere enters an infinite loop and searches for new logon sessions every 2 seconds. Only new sessions are shown if found." fullword ascii /* PEStudio Blacklist: strings */ /* score: '36.00' */
$s3 = "specify addresses to use. Format: ADDCREDENTIAL_ADDR:ENCRYPTMEMORY_ADDR:FEEDBACK_ADDR:DESKEY_ADDR:LOGONSESSIONLIST_ADDR:LOGONSES" ascii /* PEStudio Blacklist: strings */ /* score: '28.00' */
$s4 = "Could not enable debug privileges. You must run this tool with an account with administrator privileges." fullword ascii /* PEStudio Blacklist: strings */ /* score: '27.00' */
$s5 = "-B is now used by default. Trying to find correct addresses.." fullword ascii /* PEStudio Blacklist: strings */ /* score: '15.00' */
$s6 = "Cannot get LSASS.EXE PID!" fullword ascii /* score: '14.00' */
condition:
uint16(0) == 0x5a4d and filesize < 320KB and 2 of them
}