[Emerging-Sigs] Mimikatz File Transfer Sigs

Jason Williams jwilliams at emergingthreats.net
Wed Jan 29 06:33:11 HST 2020


Thanks for sharing Kevin!

We'll get these into QA for today

On Wed, Jan 29, 2020 at 8:11 AM Tiago Faria <tiago.faria.backups at gmail.com>
wrote:

> That’s really cool Kevin! Thanks for sharing!
>
> On Wed, 29 Jan 2020 at 13:20, Kevin Ross via Emerging-sigs <
> emerging-sigs at lists.emergingthreats.net> wrote:
>
>> Hi,
>>
>> Here are some sigs modified from the Yara rules
>> https://github.com/gentilkiwi/mimikatz/blob/master/kiwi_passwords.yar. I
>> don't have the ones for .DLL working quite yet so those are omitted for
>> now. Examples tested against SMB PCAP (
>> https://github.com/401trg/detections/raw/master/pcaps/20171220_smb_mimikatz_copy.pcap)
>> and also using file2pcap to generate HTTP downloads against latest builds.
>>
>> Detection Examples:
>> alert tcp any any -> $HOME_NET 445 (msg:"ET TROJAN Mimikatz x86
>> Executable Transfer Over SMB"; flow:established,to_server;
>> flowbits:isset,ET.smb.binary; content:"|89 71 04 89|"; content:"|30 8d 04
>> bd|"; within:7; content:"|8b 4d|"; content:"|8b 45 f4 89 75|"; distance:1;
>> within:5; content:"|89 01 85 ff 74|"; distance:1; within:5;
>> classtype:trojan-activity; reference:url,github.com/gentilkiwi/mimikatz;
>> sid:123111; rev:1;)
>>
>> alert tcp any any -> $HOME_NET 445 (msg:"ET TROJAN Mimikatz x64
>> Executable Transfer Over SMB"; flow:established,to_server;
>> flowbits:isset,ET.smb.binary; content:"|33 ff|"; content:"|89 37|";
>> distance:1; within:2; content:"|8b f3 45 85|"; distance:1; within:4;
>> content:"|74|"; distance:1; within:1; content:"|4c 8b df 49|"; content:"|c1
>> e3 04 48|"; within:7; content:"|8b cb 4c 03|"; within:7; content:"|d8|";
>> within:4; classtype:trojan-activity; reference:url,
>> github.com/gentilkiwi/mimikatz; sid:123112; rev:1;)
>>
>> alert tcp any any -> $HOME_NET 445 (msg:"ET TROJAN Mimikatz x86
>> Mimidrv.sys File Transfer Over SMB"; flow:established,to_server;
>> flowbits:isset,ET.smb.binary; content:"|a0 00 00 00 24 02 00 00 40 00 00
>> 00|"; content:"|b8 00 00 00 6c 02 00 00 40 00 00 00|"; within:16;
>> classtype:trojan-activity; reference:url,github.com/gentilkiwi/mimikatz;
>> sid:123114; rev:1;)
>>
>> alert tcp any any -> $HOME_NET 445 (msg:"ET TROJAN Mimikatz x64
>> Mimidrv.sys File Transfer Over SMB"; flow:established,to_server;
>> flowbits:isset,ET.smb.binary; content:"|88 01 00 00 3c 04 00 00 40 00 00
>> 00|"; content:"|e8 02 00 00 f8 02 00 00 40 00 00 00|"; within:16;
>> classtype:trojan-activity; reference:url,github.com/gentilkiwi/mimikatz;
>> sid:123115; rev:1;)
>>
>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN
>> Mimikatz x86 Executable Download Over HTTP"; flow:established,to_client;
>> flowbits:isset,ET.http.binary; content:"|89 71 04 89|"; content:"|30 8d 04
>> bd|"; within:7; content:"|8b 4d|"; content:"|8b 45 f4 89 75|"; distance:1;
>> within:5; content:"|89 01 85 ff 74|"; distance:1; within:5;
>> classtype:trojan-activity; reference:url,github.com/gentilkiwi/mimikatz;
>> sid:123116; rev:1;)
>>
>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN
>> Mimikatz x64 Executable Download Over HTTP"; flow:established,to_client;
>> flowbits:isset,ET.http.binary; content:"|33 ff|"; content:"|89 37|";
>> distance:1; within:2; content:"|8b f3 45 85|"; distance:1; within:4;
>> content:"|74|"; distance:1; within:1; content:"|4c 8b df 49|"; content:"|c1
>> e3 04 48|"; within:7; content:"|8b cb 4c 03|"; within:7; content:"|d8|";
>> within:4; classtype:trojan-activity; reference:url,
>> github.com/gentilkiwi/mimikatz; sid:123117; rev:1;)
>>
>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN
>> Mimikatz x86 Mimidrv.sys Download Over HTTP"; flow:established,to_client;
>> file_data; content:"MZ"; within:2; content:"|a0 00 00 00 24 02 00 00 40 00
>> 00 00|"; distance:0; content:"|b8 00 00 00 6c 02 00 00 40 00 00 00|";
>> within:16; classtype:trojan-activity; reference:url,
>> github.com/gentilkiwi/mimikatz; sid:123119; rev:1;)
>>
>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN
>> Mimikatz x64 Mimidrv.sys Download Over HTTP"; flow:established,to_client;
>> file_data; content:"MZ"; within:2; content:"|88 01 00 00 3c 04 00 00 40 00
>> 00 00|"; distance:0; content:"|e8 02 00 00 f8 02 00 00 40 00 00 00|";
>> within:16; classtype:trojan-activity; reference:url,
>> github.com/gentilkiwi/mimikatz; sid:123120; rev:1;)
>>
>> Kind Regards,
>> Kevin Ross
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at lists.emergingthreats.net
>> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>> http://www.emergingthreats.net
>>
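To see what the content chains in Kevin's rules actually constrain, here is an added example (not from the post, not from Emerging Threats, not from the mimikatz project): a small Python matcher for the `content`/`distance`/`within` chain of sid 123111 run over constructed byte buffers. The modifier semantics it uses (distance shifts the search start; within caps the match end, counting the distance as well, which is how Suricata evaluates relative modifiers) are an assumption of this example, as are the sample buffers.

```python
# Added example (not from the post or from Emerging Threats): replay the
# content/distance/within chain of sid 123111 against constructed buffers.
# Assumption: distance moves the search start to prev_end + distance, and
# within caps the match end at prev_end + within (+ distance when both are
# given), which is how Suricata evaluates relative content modifiers.

def parse_content(text):
    """Turn a Suricata content body into bytes: |..| runs are hex, the rest literal."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def match_chain(buf, chain, prev_end=0):
    """chain is a list of (pattern, distance, within); None means modifier absent.
    Backtracks over earlier occurrences the way the engine does."""
    if not chain:
        return True
    pat, dist, within = chain[0]
    if dist is None and within is None:
        offset, depth = 0, len(buf)          # plain content: searched over the whole buffer
    else:
        offset = prev_end + (dist or 0)
        depth = len(buf) if within is None else prev_end + within + (dist or 0)
    pos = buf.find(pat, offset)
    while pos != -1 and pos + len(pat) <= depth:
        if match_chain(buf, chain[1:], pos + len(pat)):
            return True
        pos = buf.find(pat, pos + 1)
    return False

# Content chain of "ET TROJAN Mimikatz x86 Executable Transfer Over SMB" (sid 123111).
X86_EXE_CHAIN = [
    (parse_content("|89 71 04 89|"), None, None),
    (parse_content("|30 8d 04 bd|"), None, 7),
    (parse_content("|8b 4d|"), None, None),
    (parse_content("|8b 45 f4 89 75|"), 1, 5),
    (parse_content("|89 01 85 ff 74|"), 1, 5),
]

def x86_exe_transfer_hits(buf):
    return match_chain(buf, X86_EXE_CHAIN)

# Constructed buffers (only the rule's own patterns are real bytes): exactly one byte
# between "8b 4d" and "8b 45 f4 89 75" satisfies distance:1; within:5, a two-byte gap does not.
SAMPLE_HIT = bytes.fromhex("4d5a 89710489 aabb 308d04bd cc 8b4d 08 8b45f48975 0c 890185ff74 0000")
SAMPLE_MISS = bytes.fromhex("4d5a 89710489 aabb 308d04bd cc 8b4d 0809 8b45f48975 0c 890185ff74 0000")

if __name__ == "__main__":
    print("hit:", x86_exe_transfer_hits(SAMPLE_HIT), "miss:", x86_exe_transfer_hits(SAMPLE_MISS))
```

Swapping in the other rules' content chains (for example the x64 chain of sid 123112) lets you check that each chain is satisfiable before it goes to QA.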