
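rule Exploit_Win64_CVE-2020-1472_C_dha{
    // File-content signature for a Win64 tool that exploits CVE-2020-1472
    // (the Netlogon privilege-escalation flaw). Every string below is an artifact
    // of the tool itself (its usage banner, a PowerShell command it launches, and
    // the RPC status/success messages it prints), so this rule identifies the
    // exploit binary on disk or in memory rather than exploitation traffic.
    // NOTE(review): upstream YARA only permits [A-Za-z0-9_] in rule identifiers;
    // the '-' characters in this name mirror the Defender signature name and may
    // need to become '_' before this compiles with the reference YARA engine.
    meta:
        description = "Exploit:Win64/CVE-2020-1472.C!dha,SIGNATURE_TYPE_PEHSTR,05 00 05 00 05 00 00 "
    strings:
        // The original hex patterns are rewritten as text strings with identical
        // bytes. "wide" selects the UTF-16LE form (each char followed by 00) that
        // the first two hex patterns spelled out; the other three are plain ASCII.
        $a_01_0 = "ldap/%s" wide
        $a_01_1 = "powershell.exe -c Reset-ComputerMachinePassword" wide
        $a_01_2 = "IP DC DOMAIN ADMIN_USERNAME [-c] COMMAND"
        $a_01_3 = "server passwd set successfully"
        $a_01_4 = "netrserverauthenticate2: STATUS_NO_TRUST_SAM_ACCOUNT (cannot find the account or bad type)"
    condition:
        // The original condition summed (#a_xx & 1)*1 over the five strings and
        // required >= 5. "#a & 1" tests whether the match COUNT is odd, so a
        // sample containing any one string an even number of times would fail to
        // match even though the string is present. With every weight equal to 1
        // and all five strings required, simple presence is the intended check.
        all of them
}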