

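// Zerologon (CVE-2020-1472) exploit binary: strings from a tool that abuses
// Netlogon NetrServerAuthenticate2 to reset a domain controller's machine
// account password (usage banner "ZERO.EXE IP DC DOMAIN ADMIN_USERNAME [-c] COMMAND").
rule Exploit_Win32_CVE-2020-1472_B_ibt{
meta:
description = "Exploit:Win32/CVE-2020-1472.B!ibt,SIGNATURE_TYPE_PEHSTR,06 00 06 00 06 00 00 01 00 "
strings :
// Error text the tool prints when the forged Netlogon authentication is rejected.
$a_01_0 = "netrserverauthenticate2: STATUS_NO_TRUST_SAM_ACCOUNT" //01 00
// Usage banner: tool name, target DC, domain, admin user, optional command.
$a_01_1 = "ZERO.EXE IP DC DOMAIN ADMIN_USERNAME [-c] COMMAND" //01 00
// Plain RPC protocol-sequence name -- generic, found in many legitimate
// RPC clients, so it must never be enough to fire the rule by itself.
$a_01_2 = "ncacn_ip_tcp" //01 00
$a_01_3 = "DomainControllerInfo not found" //01 00
// Post-exploitation step: restore the machine account password via PowerShell.
$a_01_4 = "powershell.exe -c Reset-ComputerMachinePassword" //01 00
$a_01_5 = "server passwd set successfully" //00 00
condition:
// The header bytes in `description` (06 00 06 00 06 00, each string weighted
// 01 00) read as six strings against a threshold of six, i.e. the native
// signature appears to need every string. The auto-converted `any of` let the
// generic "ncacn_ip_tcp" alone match arbitrary RPC software; require a PE
// image (PEHSTR / Win32 scope) and the full string set instead.
uint16(0) == 0x5A4D and all of ($a_*)
}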