Tweak password_finder_mimipenguin rule (chainguard-dev#303)

* Tweak password_finder_mimipenguin rule Signed-off-by: egibs <[email protected]> * Move Finder to extra strings Signed-off-by: egibs <[email protected]> * Remove overlapping strings related to chainguard-dev#304 Signed-off-by: egibs <[email protected]> * Update rules/combo/stealer/password.yara Signed-off-by: Evan Gibler <[email protected]> * Add mimipenguin samples Signed-off-by: egibs <[email protected]> * Fix simple results Signed-off-by: egibs <[email protected]> * Tweak rule now that we have samples Signed-off-by: egibs <[email protected]> * Fix tests Signed-off-by: egibs <[email protected]> --------- Signed-off-by: egibs <[email protected]> Signed-off-by: Evan Gibler <[email protected]> Co-authored-by: Thomas Strömberg <[email protected]>
egibs · Jul 1, 2024 · 21ce571 · 21ce571
1 parent e3b3a30
commit 21ce571
Showing 1 changed file with 12 additions and 10 deletions.
diff --git a/rules/combo/stealer/password.yara b/rules/combo/stealer/password.yara
@@ -1,19 +1,21 @@
-
 rule password_finder_mimipenguin : critical {
   meta:
     description = "Password finder/dumper, such as MimiPenguin"
     hash_2024_dumpcreds_mimipenguin = "79b478d9453cb18d2baf4387b65dc01b6a4f66a620fa6348fa8dbb8549a04a20"
     hash_2024_dumpcreds_mimipenguin = "3acfe74cd2567e9cc60cb09bc4d0497b81161075510dd75ef8363f72c49e1789"
     hash_2024_enumeration_linpeas = "210cbe49df69a83462a7451ee46e591c755cfbbef320174dc0ff3f633597b092"
   strings:
-    $lightdm = "lightdm" fullword
-    $apache2 = "apache2.conf" fullword
-    $vsftpd = "vsftpd" fullword
-    $shadow = "/etc/shadow"
-    $gnome = "gnome-keyring-daemon"
-    $password = "password"
-    $finder = "Finder"
-    $sshd_config = "sshd_config" fullword
+    $base_lightdm = "lightdm" fullword
+    $base_apache2 = "apache2.conf" fullword
+    $base_vsftpd = "vsftpd" fullword
+    $base_shadow = "/etc/shadow"
+    $base_gnome = "gnome-keyring-daemon"
+    $base_sshd_config = "sshd_config" fullword
+
+    $extra_finder = /\bFinder\b/
+    $extra_password = /\b[Pp]assword\b/
+    $extra_password2 = /.[^\s]{0,32}-password/
+    $ignore_basic_auth_example = /\w{0,32}\:[Pp]assword/
   condition:
-    5 of them
+    2 of ($base_*) and (any of ($extra_*) and none of ($ignore_*))
 }