qwqdanchun
/
DefenderYara
mirror of https://github.com/qwqdanchun/DefenderYara.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
DefenderYara/HackTool/Win32/Wincred/HackTool_Win32_Wincred_H.yar

15 lines
774 B
Plaintext
Raw Permalink Blame History

rule HackTool_Win32_Wincred_H{
meta:
description = "HackTool:Win32/Wincred.H,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 05 00 00 01 00 "
strings :
$a_01_0 = {57 43 45 53 45 52 56 49 43 45 00 } //01 00
$a_01_1 = {28 57 69 6e 64 6f 77 73 20 43 72 65 64 65 6e 74 69 61 6c 73 20 45 64 69 74 6f 72 29 } //01 00 (Windows Credentials Editor)
$a_01_2 = {55 73 69 6e 67 20 57 43 45 20 57 69 6e 64 6f 77 73 20 53 65 72 76 69 63 65 2e 2e 2e } //01 00 Using WCE Windows Service...
$a_01_3 = {73 6f 6d 65 74 68 69 6e 67 20 74 65 72 72 69 62 6c 65 20 68 61 70 70 65 6e 65 64 21 } //01 00 something terrible happened!
$a_01_4 = {43 61 6e 6e 6f 74 20 67 65 74 20 4c 53 41 53 53 2e 45 58 45 20 50 49 44 21 } //00 00 Cannot get LSASS.EXE PID!
condition:
any of ($a_*)
}
Reference in New Issue View Git Blame Copy Permalink