[Emerging-Sigs] Mimikatz File Transfer Sigs

Kevin Ross kevross33 at googlemail.com
Wed Jan 29 03:19:39 HST 2020


Hi,

Here are some sigs modified from the Yara rules
https://github.com/gentilkiwi/mimikatz/blob/master/kiwi_passwords.yar. I
don't have the ones for .DLL working quite yet so those are omitted for
now. Examples tested against SMB PCAP (
https://github.com/401trg/detections/raw/master/pcaps/20171220_smb_mimikatz_copy.pcap)
and also using file2pcap to generate HTTP downloads against latest builds.

Detection Examples: (screenshot attached as image.png)
alert tcp any any -> $HOME_NET 445 (msg:"ET TROJAN Mimikatz x86 Executable Transfer Over SMB"; flow:established,to_server; flowbits:isset,ET.smb.binary; content:"|89 71 04 89|"; content:"|30 8d 04 bd|"; within:7; content:"|8b 4d|"; content:"|8b 45 f4 89 75|"; distance:1; within:5; content:"|89 01 85 ff 74|"; distance:1; within:5; classtype:trojan-activity; reference:url,github.com/gentilkiwi/mimikatz; sid:123111; rev:1;)

alert tcp any any -> $HOME_NET 445 (msg:"ET TROJAN Mimikatz x64 Executable Transfer Over SMB"; flow:established,to_server; flowbits:isset,ET.smb.binary; content:"|33 ff|"; content:"|89 37|"; distance:1; within:2; content:"|8b f3 45 85|"; distance:1; within:4; content:"|74|"; distance:1; within:1; content:"|4c 8b df 49|"; content:"|c1 e3 04 48|"; within:7; content:"|8b cb 4c 03|"; within:7; content:"|d8|"; within:4; classtype:trojan-activity; reference:url,github.com/gentilkiwi/mimikatz; sid:123112; rev:1;)

alert tcp any any -> $HOME_NET 445 (msg:"ET TROJAN Mimikatz x86 Mimidrv.sys File Transfer Over SMB"; flow:established,to_server; flowbits:isset,ET.smb.binary; content:"|a0 00 00 00 24 02 00 00 40 00 00 00|"; content:"|b8 00 00 00 6c 02 00 00 40 00 00 00|"; within:16; classtype:trojan-activity; reference:url,github.com/gentilkiwi/mimikatz; sid:123114; rev:1;)

alert tcp any any -> $HOME_NET 445 (msg:"ET TROJAN Mimikatz x64 Mimidrv.sys File Transfer Over SMB"; flow:established,to_server; flowbits:isset,ET.smb.binary; content:"|88 01 00 00 3c 04 00 00 40 00 00 00|"; content:"|e8 02 00 00 f8 02 00 00 40 00 00 00|"; within:16; classtype:trojan-activity; reference:url,github.com/gentilkiwi/mimikatz; sid:123115; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Mimikatz x86 Executable Download Over HTTP"; flow:established,to_client; flowbits:isset,ET.http.binary; content:"|89 71 04 89|"; content:"|30 8d 04 bd|"; within:7; content:"|8b 4d|"; content:"|8b 45 f4 89 75|"; distance:1; within:5; content:"|89 01 85 ff 74|"; distance:1; within:5; classtype:trojan-activity; reference:url,github.com/gentilkiwi/mimikatz; sid:123116; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Mimikatz x64 Executable Download Over HTTP"; flow:established,to_client; flowbits:isset,ET.http.binary; content:"|33 ff|"; content:"|89 37|"; distance:1; within:2; content:"|8b f3 45 85|"; distance:1; within:4; content:"|74|"; distance:1; within:1; content:"|4c 8b df 49|"; content:"|c1 e3 04 48|"; within:7; content:"|8b cb 4c 03|"; within:7; content:"|d8|"; within:4; classtype:trojan-activity; reference:url,github.com/gentilkiwi/mimikatz; sid:123117; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Mimikatz x86 Mimidrv.sys Download Over HTTP"; flow:established,to_client; file_data; content:"MZ"; within:2; content:"|a0 00 00 00 24 02 00 00 40 00 00 00|"; distance:0; content:"|b8 00 00 00 6c 02 00 00 40 00 00 00|"; within:16; classtype:trojan-activity; reference:url,github.com/gentilkiwi/mimikatz; sid:123119; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Mimikatz x64 Mimidrv.sys Download Over HTTP"; flow:established,to_client; file_data; content:"MZ"; within:2; content:"|88 01 00 00 3c 04 00 00 40 00 00 00|"; distance:0; content:"|e8 02 00 00 f8 02 00 00 40 00 00 00|"; within:16; classtype:trojan-activity; reference:url,github.com/gentilkiwi/mimikatz; sid:123120; rev:1;)

Kind Regards,
Kevin Ross
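Added example (editor's code, not part of Kevin's post, the ET ruleset or Suricata): a small evaluator for the content/distance/within chains in the rules above, so the byte sequences can be checked against a dumped file or reassembled payload offline before a rule goes into a sensor. It follows the relative-modifier semantics as documented for Suricata/Snort and as the rules themselves rely on (a 5-byte content with `distance:1; within:5;` can only mean "exactly one byte after the previous match"): a content carrying distance and/or within is searched in a window starting at the previous match end plus distance and spanning within bytes, a content with neither modifier is searched over the whole buffer, and the matcher backtracks over alternative earlier matches. Everything else in the rule (flow, flowbits, file_data, msg, sid) is parsed past and ignored, so the caller is responsible for handing it the right buffer (the SMB stream or the extracted HTTP body). The sample buffers are constructed from the rules' own byte patterns with filler bytes; they are not Mimikatz binaries.

```python
import re

# Suricata option syntax: key, optional :value (quoted or bare), terminated by ';'
OPT_RE = re.compile(r'(?P<key>[A-Za-z_.]+)(?::(?:"(?P<str>[^"]*)"|(?P<val>[^;]*)))?;')
# |hh hh ...| hex segments inside a content string
HEX_RE = re.compile(r"\|([0-9A-Fa-f\s]+)\|")


def decode_content(text):
    """Turn a content string ('MZ', '|8b 4d|', 'ab|00|cd') into raw bytes."""
    out, pos = bytearray(), 0
    for m in HEX_RE.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        out += bytes.fromhex(m.group(1))   # fromhex tolerates the spaces between bytes
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


def parse_content_chain(rule):
    """Return [(pattern, distance, within), ...] in rule order; None means modifier absent."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    chain = []
    for m in OPT_RE.finditer(body):
        key = m.group("key")
        if key == "content":
            chain.append([decode_content(m.group("str")), None, None])
        elif key in ("distance", "within"):
            if not chain:
                raise ValueError("%s before any content keyword" % key)
            chain[-1][1 if key == "distance" else 2] = int(m.group("val"))
        # flow, flowbits, file_data, msg, classtype, reference, sid, rev: ignored here
    return [tuple(c) for c in chain]


def match_chain(buf, chain, prev_end=0):
    """Backtracking matcher: each relative content must lie fully inside its window."""
    if not chain:
        return True
    pat, distance, within = chain[0]
    if distance is None and within is None:
        start, end = 0, len(buf)                          # absolute content: whole buffer
    else:
        start = prev_end + (distance or 0)                # window opens `distance` bytes after previous match
        end = len(buf) if within is None else start + within   # and is `within` bytes long
    idx = buf.find(pat, start, end)                       # find(..., start, end) requires the whole pattern in buf[start:end]
    while idx != -1:
        if match_chain(buf, chain[1:], idx + len(pat)):
            return True
        idx = buf.find(pat, idx + 1, end)                 # try the next occurrence in the same window
    return False


def rule_matches(rule, buf):
    return match_chain(buf, parse_content_chain(rule))


# Rules copied from the post (one line each); sids are the author's.
X86_SMB_RULE = (
    'alert tcp any any -> $HOME_NET 445 (msg:"ET TROJAN Mimikatz x86 Executable Transfer Over SMB"; '
    'flow:established,to_server; flowbits:isset,ET.smb.binary; content:"|89 71 04 89|"; '
    'content:"|30 8d 04 bd|"; within:7; content:"|8b 4d|"; content:"|8b 45 f4 89 75|"; distance:1; within:5; '
    'content:"|89 01 85 ff 74|"; distance:1; within:5; classtype:trojan-activity; '
    'reference:url,github.com/gentilkiwi/mimikatz; sid:123111; rev:1;)'
)
X64_DRV_HTTP_RULE = (
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Mimikatz x64 Mimidrv.sys Download Over HTTP"; '
    'flow:established,to_client; file_data; content:"MZ"; within:2; '
    'content:"|88 01 00 00 3c 04 00 00 40 00 00 00|"; distance:0; '
    'content:"|e8 02 00 00 f8 02 00 00 40 00 00 00|"; within:16; classtype:trojan-activity; '
    'reference:url,github.com/gentilkiwi/mimikatz; sid:123120; rev:1;)'
)

# Constructed sample buffers (NOT real Mimikatz bytes): the rules' patterns joined by 0x90 filler,
# which occurs in none of the patterns.
F = b"\x90"
X86_HIT = (bytes.fromhex("89710489") + F * 2 + bytes.fromhex("308d04bd")   # within:7 permits up to 3 gap bytes
           + F * 5 + bytes.fromhex("8b4d")                                  # absolute content, found anywhere
           + F * 1 + bytes.fromhex("8b45f48975")                            # distance:1 within:5 = exactly 1 gap byte
           + F * 1 + bytes.fromhex("890185ff74"))
# Two filler bytes before |8b 45 f4 89 75|: the pattern no longer fits the 5-byte window, so no alert.
X86_MISS = X86_HIT.replace(bytes.fromhex("8b4d") + F, bytes.fromhex("8b4d") + F * 2)
DRV_HIT = (b"MZ" + F * 40 + bytes.fromhex("880100003c04000040000000")
           + F * 4 + bytes.fromhex("e8020000f802000040000000"))             # 4 gap + 12 pattern = within:16
DRV_MISS = b"\x00" + DRV_HIT   # "MZ" now starts at offset 1 and ends beyond within:2, so the file_data anchor fails

if __name__ == "__main__":
    for name, rule, buf in (("x86 exe hit", X86_SMB_RULE, X86_HIT), ("x86 exe miss", X86_SMB_RULE, X86_MISS),
                            ("x64 drv hit", X64_DRV_HTTP_RULE, DRV_HIT), ("x64 drv miss", X64_DRV_HTTP_RULE, DRV_MISS)):
        print("%-13s %s" % (name, rule_matches(rule, buf)))
```

Feeding a real sample to `rule_matches()` (for example the bytes of a mimikatz.exe build read from disk, or the body carved out of the PCAP linked above) is a quick way to confirm a pattern still fits a new build before touching the sensor; it does not reproduce stream reassembly, the flowbits prerequisite or file_data extraction, so a hit here only means the content chain itself is satisfied.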