13 lines
1.1 KiB
Plaintext
13 lines
1.1 KiB
Plaintext
|
|
rule HackTool_Win32_LSASSPatcher_A{
|
|
meta:
|
|
description = "HackTool:Win32/LSASSPatcher.A,SIGNATURE_TYPE_PEHSTR,03 00 03 00 03 00 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {4f 00 66 00 66 00 73 00 65 00 74 00 20 00 6f 00 66 00 20 00 67 00 5f 00 66 00 50 00 61 00 72 00 61 00 6d 00 65 00 74 00 65 00 72 00 5f 00 55 00 73 00 65 00 4c 00 6f 00 67 00 6f 00 6e 00 43 00 72 00 65 00 64 00 65 00 6e 00 74 00 69 00 61 00 6c 00 3a 00 20 00 30 00 78 00 25 00 30 00 38 00 78 00 } //1 Offset of g_fParameter_UseLogonCredential: 0x%08x
|
|
$a_01_1 = {4f 00 66 00 66 00 73 00 65 00 74 00 20 00 6f 00 66 00 20 00 67 00 5f 00 49 00 73 00 43 00 72 00 65 00 64 00 47 00 75 00 61 00 72 00 64 00 45 00 6e 00 61 00 62 00 6c 00 65 00 64 00 3a 00 20 00 30 00 78 00 25 00 30 00 38 00 78 00 } //1 Offset of g_IsCredGuardEnabled: 0x%08x
|
|
$a_01_2 = {42 00 61 00 73 00 65 00 20 00 61 00 64 00 64 00 72 00 65 00 73 00 73 00 20 00 6f 00 66 00 20 00 77 00 64 00 69 00 67 00 65 00 73 00 74 00 2e 00 64 00 6c 00 6c 00 3a 00 20 00 30 00 78 00 25 00 30 00 31 00 36 00 70 00 } //1 Base address of wdigest.dll: 0x%016p
|
|
condition:
|
|
((#a_01_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*1) >=3
|
|
|
|
} |