15 lines
1.4 KiB
Plaintext
15 lines
1.4 KiB
Plaintext
|
|
rule Exploit_Win64_CVE-2020-1472_B_dha{
|
|
meta:
|
|
description = "Exploit:Win64/CVE-2020-1472.B!dha,SIGNATURE_TYPE_PEHSTR,04 00 04 00 05 00 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {25 00 73 00 5c 00 73 00 79 00 73 00 74 00 65 00 6d 00 33 00 32 00 5c 00 6e 00 62 00 74 00 73 00 74 00 61 00 74 00 2e 00 65 00 78 00 65 00 } //1 %s\system32\nbtstat.exe
|
|
$a_01_1 = {70 00 6f 00 77 00 65 00 72 00 73 00 68 00 65 00 6c 00 6c 00 2e 00 65 00 78 00 65 00 20 00 2d 00 63 00 20 00 52 00 65 00 73 00 65 00 74 00 2d 00 43 00 6f 00 6d 00 70 00 75 00 74 00 65 00 72 00 4d 00 61 00 63 00 68 00 69 00 6e 00 65 00 50 00 61 00 73 00 73 00 77 00 6f 00 72 00 64 00 } //1 powershell.exe -c Reset-ComputerMachinePassword
|
|
$a_01_2 = {5a 45 52 4f 2e 45 58 45 20 49 50 20 44 43 20 44 4f 4d 41 49 4e } //2 ZERO.EXE IP DC DOMAIN
|
|
$a_01_3 = {74 6f 20 74 65 73 74 20 69 66 20 74 68 65 20 74 61 72 67 65 74 20 69 73 20 76 75 6c 6e 75 72 61 62 6c 65 20 6f 6e 6c 79 } //2 to test if the target is vulnurable only
|
|
$a_01_4 = {43 4f 4d 4d 41 4e 44 20 2d 20 63 6f 6d 6d 61 6e 64 20 74 68 61 74 20 77 69 6c 6c 20 62 65 20 65 78 65 63 75 74 65 64 20 6f 6e 20 64 6f 6d 61 69 6e 20 63 6f 6e 74 72 6f 6c 6c 65 72 2e 20 73 68 6f 75 6c 64 20 62 65 20 73 75 72 72 6f 75 6e 64 65 64 20 62 79 20 71 75 6f 74 65 73 } //1 COMMAND - command that will be executed on domain controller. should be surrounded by quotes
|
|
condition:
|
|
((#a_01_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*2+(#a_01_3 & 1)*2+(#a_01_4 & 1)*1) >=4
|
|
|
|
} |