From 21ce5719243c05b04986ccf299166a82eb9fc2fe Mon Sep 17 00:00:00 2001
From: Evan Gibler <20933572+egibs@users.noreply.github.com>
Date: Mon, 1 Jul 2024 15:00:16 -0500
Subject: [PATCH] Tweak password_finder_mimipenguin rule (#303)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Tweak password_finder_mimipenguin rule
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
* Move Finder to extra strings
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
* Remove overlapping strings related to #304
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
* Update rules/combo/stealer/password.yara
Signed-off-by: Evan Gibler <20933572+egibs@users.noreply.github.com>
* Add mimipenguin samples
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
* Fix simple results
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
* Tweak rule now that we have samples
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
* Fix tests
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---------
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
Signed-off-by: Evan Gibler <20933572+egibs@users.noreply.github.com>
Co-authored-by: Thomas Strömberg
---
 rules/combo/stealer/password.yara | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/rules/combo/stealer/password.yara b/rules/combo/stealer/password.yara
index 945c80c18..d0867751a 100644
--- a/rules/combo/stealer/password.yara
+++ b/rules/combo/stealer/password.yara
@@ -1,4 +1,3 @@
-
 rule password_finder_mimipenguin : critical {
 meta:
 description = "Password finder/dumper, such as MimiPenguin"
@@ -6,14 +5,17 @@ rule password_finder_mimipenguin : critical {
 hash_2024_dumpcreds_mimipenguin = "3acfe74cd2567e9cc60cb09bc4d0497b81161075510dd75ef8363f72c49e1789"
 hash_2024_enumeration_linpeas = "210cbe49df69a83462a7451ee46e591c755cfbbef320174dc0ff3f633597b092"
 strings:
- $lightdm = "lightdm" fullword
- $apache2 = "apache2.conf" fullword
- $vsftpd = "vsftpd" fullword
- $shadow = "/etc/shadow"
- $gnome = "gnome-keyring-daemon"
- $password = "password"
- $finder = "Finder"
- $sshd_config = "sshd_config" fullword
+ $base_lightdm = "lightdm" fullword
+ $base_apache2 = "apache2.conf" fullword
+ $base_vsftpd = "vsftpd" fullword
+ $base_shadow = "/etc/shadow"
+ $base_gnome = "gnome-keyring-daemon"
+ $base_sshd_config = "sshd_config" fullword
+
+ $extra_finder = /\bFinder\b/
+ $extra_password = /\b[Pp]assword\b/
+ $extra_password2 = /.[^\s]{0,32}-password/
+ $ignore_basic_auth_example = /\w{0,32}\:[Pp]assword/
 condition:
- 5 of them
+ 2 of ($base_*) and (any of ($extra_*) and none of ($ignore_*))
 }
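Review bot: `$ignore_basic_auth_example = /\w{0,32}\:[Pp]assword/` admits an empty `\w` prefix, so it reduces to the bare substring `:[Pp]assword`, and `none of ($ignore_*)` in the new condition then suppresses the whole rule for any sample containing that nine-character sequence anywhere, a broad false-negative path for an exclusion meant only for basic-auth documentation examples. Requiring at least one word character and dropping the needless escape, `$ignore_basic_auth_example = /\w{1,32}:[Pp]assword/`, narrows it, and binding it to the specific example text being excluded would be narrower still. `$extra_password2 = /.[^\s]{0,32}-password/` is case-sensitive while `$extra_password` accepts `[Pp]assword`, and its leading `.` only demands one arbitrary preceding byte; `/[^\s]{0,32}-[Pp]assword/` keeps the two consistent. The rule's header and description line are in the preceding hunk.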