15 lines
1.2 KiB
Plaintext
15 lines
1.2 KiB
Plaintext
|
|
rule HackTool_Win32_DumpLsass_F{
|
|
meta:
|
|
description = "HackTool:Win32/DumpLsass.F,SIGNATURE_TYPE_CMDHSTR_EXT,69 00 14 00 05 00 00 "
|
|
|
|
strings :
|
|
$a_00_0 = {5c 00 50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 44 00 61 00 74 00 61 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 41 00 7a 00 75 00 72 00 65 00 57 00 61 00 74 00 73 00 6f 00 6e 00 5c 00 30 00 5c 00 70 00 72 00 6f 00 63 00 64 00 75 00 6d 00 70 00 } //-20 \ProgramData\Microsoft\AzureWatson\0\procdump
|
|
$a_02_1 = {2d 00 6a 00 20 00 [0-04] 5c 00 50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 44 00 61 00 74 00 61 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 5c 00 57 00 45 00 52 00 5c 00 52 00 65 00 70 00 6f 00 72 00 74 00 51 00 75 00 65 00 75 00 65 00 } //-20
|
|
$a_00_2 = {73 00 69 00 67 00 63 00 68 00 65 00 63 00 6b 00 36 00 34 00 2e 00 65 00 78 00 65 00 } //-20 sigcheck64.exe
|
|
$a_00_3 = {2d 00 61 00 63 00 63 00 65 00 70 00 74 00 65 00 75 00 6c 00 61 00 } //10 -accepteula
|
|
$a_00_4 = {6c 00 73 00 61 00 73 00 73 00 } //10 lsass
|
|
condition:
|
|
((#a_00_0 & 1)*-20+(#a_02_1 & 1)*-20+(#a_00_2 & 1)*-20+(#a_00_3 & 1)*10+(#a_00_4 & 1)*10) >=20
|
|
|
|
} |