[Emerging-Sigs] Mimikatz File Transfer Sigs

Tiago Faria tiago.faria.backups at gmail.com
Wed Jan 29 05:11:04 HST 2020


That’s really cool Kevin! Thanks for sharing!

On Wed, 29 Jan 2020 at 13:20, Kevin Ross via Emerging-sigs <emerging-sigs at lists.emergingthreats.net> wrote:

> Hi,
>
> Here are some sigs modified from the Yara rules
> https://github.com/gentilkiwi/mimikatz/blob/master/kiwi_passwords.yar. I
> don't have the ones for .DLL working quite yet so those are omitted for
> now. Examples tested against SMB PCAP (
> https://github.com/401trg/detections/raw/master/pcaps/20171220_smb_mimikatz_copy.pcap)
> and also using file2pcap to generate HTTP downloads against latest builds.
>
> Detection Examples:
> [image: image.png]
> alert tcp any any -> $HOME_NET 445 (msg:"ET TROJAN Mimikatz x86 Executable Transfer Over SMB"; flow:established,to_server; flowbits:isset,ET.smb.binary; content:"|89 71 04 89|"; content:"|30 8d 04 bd|"; within:7; content:"|8b 4d|"; content:"|8b 45 f4 89 75|"; distance:1; within:5; content:"|89 01 85 ff 74|"; distance:1; within:5; classtype:trojan-activity; reference:url,github.com/gentilkiwi/mimikatz; sid:123111; rev:1;)
>
> alert tcp any any -> $HOME_NET 445 (msg:"ET TROJAN Mimikatz x64 Executable Transfer Over SMB"; flow:established,to_server; flowbits:isset,ET.smb.binary; content:"|33 ff|"; content:"|89 37|"; distance:1; within:2; content:"|8b f3 45 85|"; distance:1; within:4; content:"|74|"; distance:1; within:1; content:"|4c 8b df 49|"; content:"|c1 e3 04 48|"; within:7; content:"|8b cb 4c 03|"; within:7; content:"|d8|"; within:4; classtype:trojan-activity; reference:url,github.com/gentilkiwi/mimikatz; sid:123112; rev:1;)
>
> alert tcp any any -> $HOME_NET 445 (msg:"ET TROJAN Mimikatz x86 Mimidrv.sys File Transfer Over SMB"; flow:established,to_server; flowbits:isset,ET.smb.binary; content:"|a0 00 00 00 24 02 00 00 40 00 00 00|"; content:"|b8 00 00 00 6c 02 00 00 40 00 00 00|"; within:16; classtype:trojan-activity; reference:url,github.com/gentilkiwi/mimikatz; sid:123114; rev:1;)
>
> alert tcp any any -> $HOME_NET 445 (msg:"ET TROJAN Mimikatz x64 Mimidrv.sys File Transfer Over SMB"; flow:established,to_server; flowbits:isset,ET.smb.binary; content:"|88 01 00 00 3c 04 00 00 40 00 00 00|"; content:"|e8 02 00 00 f8 02 00 00 40 00 00 00|"; within:16; classtype:trojan-activity; reference:url,github.com/gentilkiwi/mimikatz; sid:123115; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Mimikatz x86 Executable Download Over HTTP"; flow:established,to_client; flowbits:isset,ET.http.binary; content:"|89 71 04 89|"; content:"|30 8d 04 bd|"; within:7; content:"|8b 4d|"; content:"|8b 45 f4 89 75|"; distance:1; within:5; content:"|89 01 85 ff 74|"; distance:1; within:5; classtype:trojan-activity; reference:url,github.com/gentilkiwi/mimikatz; sid:123116; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Mimikatz x64 Executable Download Over HTTP"; flow:established,to_client; flowbits:isset,ET.http.binary; content:"|33 ff|"; content:"|89 37|"; distance:1; within:2; content:"|8b f3 45 85|"; distance:1; within:4; content:"|74|"; distance:1; within:1; content:"|4c 8b df 49|"; content:"|c1 e3 04 48|"; within:7; content:"|8b cb 4c 03|"; within:7; content:"|d8|"; within:4; classtype:trojan-activity; reference:url,github.com/gentilkiwi/mimikatz; sid:123117; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Mimikatz x86 Mimidrv.sys Download Over HTTP"; flow:established,to_client; file_data; content:"MZ"; within:2; content:"|a0 00 00 00 24 02 00 00 40 00 00 00|"; distance:0; content:"|b8 00 00 00 6c 02 00 00 40 00 00 00|"; within:16; classtype:trojan-activity; reference:url,github.com/gentilkiwi/mimikatz; sid:123119; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Mimikatz x64 Mimidrv.sys Download Over HTTP"; flow:established,to_client; file_data; content:"MZ"; within:2; content:"|88 01 00 00 3c 04 00 00 40 00 00 00|"; distance:0; content:"|e8 02 00 00 f8 02 00 00 40 00 00 00|"; within:16; classtype:trojan-activity; reference:url,github.com/gentilkiwi/mimikatz; sid:123120; rev:1;)
>
> Kind Regards,
> Kevin Ross
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
>
>
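An added example (mine, not Kevin's rules or any Emerging Threats code) that parses the content/distance/within chain out of the quoted x86 executable signature and evaluates it over a constructed byte buffer, to show how the relative modifiers tie the byte sequences together the way the source YARA rule's wildcards do; the match semantics are my reading of Snort/Suricata behaviour and the sample bytes are constructed, not taken from a Mimikatz binary.

```python
import re
# Option chain copied from the quoted x86 executable signature (sid 123111); only
# the content/distance/within keywords are modelled, not flow, flowbits or metadata.
X86_EXE_OPTIONS = (
    'content:"|89 71 04 89|"; content:"|30 8d 04 bd|"; within:7; '
    'content:"|8b 4d|"; content:"|8b 45 f4 89 75|"; distance:1; within:5; '
    'content:"|89 01 85 ff 74|"; distance:1; within:5;'
)
TOKEN = re.compile(r'(content|distance|within):\s*("[^"]*"|-?\d+)\s*;')

def decode_content(text):
    """Decode content syntax: |..| blocks are hex bytes, the rest is literal."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def parse_chain(options):
    """Return [(pattern, distance, within), ...]; None marks an absent modifier."""
    chain = []
    for key, val in TOKEN.findall(options):
        if key == "content":
            chain.append([decode_content(val.strip('"')), None, None])
        elif key == "distance":
            chain[-1][1] = int(val)
        else:
            chain[-1][2] = int(val)
    return [tuple(c) for c in chain]

def match_chain(data, chain):
    """Assumed Snort/Suricata relative-match semantics: with distance/within the search starts
    at previous match end + distance and must fit in `within` bytes; otherwise it is absolute."""
    prev_end = 0
    for pattern, distance, within in chain:
        if distance is None and within is None:
            start, end = 0, len(data)
        else:
            start = prev_end + (distance or 0)
            end = len(data) if within is None else start + within
        pos = data.find(pattern, start, end)
        if pos < 0:
            return False
        prev_end = pos + len(pattern)
    return True

# Constructed buffer (not bytes from a real mimikatz build) laid out to satisfy each step.
SAMPLE_HIT = (b"\x55\x8b\xec" + b"\x89\x71\x04\x89" + b"\x00\x00" + b"\x30\x8d\x04\xbd"
              + b"\x8b\x4d\x0c" + b"\x8b\x45\xf4\x89\x75" + b"\x08" + b"\x89\x01\x85\xff\x74")
# Same bytes with extra padding before the second content, so within:7 no longer holds.
SAMPLE_MISS = SAMPLE_HIT.replace(b"\x00\x00\x30", b"\x00\x00\x00\x00\x00\x30")
```

With `distance:1; within:5;` in front of a 5-byte content, the window has room for exactly one skipped byte, which is why those steps behave like the single `??` wildcards in the YARA source.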