hunt_mimikatz_zerologon.yar

rule ZerloLogon_Mimikatz {
meta:
 description = "Generic Hunting rule for Mimikatz Implementation of ZeroLogon PrivEsc Exploit"
 author = "SBousseaden"
 date = "17/09/2020"
 reference1 = "https://github.com/SecuraBV/CVE-2020-1472"
 reference2 = "https://github.com/gentilkiwi/mimikatz/releases/tag/2.2.0-20200916"
strings:
 $rch1 = "NetrServerReqChallenge"
 $rch2 = "NetrServerReqChallenge" wide
 $auth1 = "NetrServerAuthenticate2"
 $auth2 = "NetrServerAuthenticate2" wide
 $pwd1 = "NetrServerPasswordSet2"
 $pwd2 = "NetrServerPasswordSet2" wide
 $rpc1 = {78 56 34 12 34 12 CD AB EF 00 01 23 45 67 CF FB}
 $rpc2 = {00 00 12 08 25 5C 11 08 25 5C 11 00 08 00 1D 00 08 00 02 5B 15 00 08 00 4C 00 F4 FF 5C 5B 11 04 F4 FF 11 08 08 5C 11 00 02 00 15 03 0C 00 4C 00 E4 FF 08 5B 11 04 F4 FF 11 00 08 00 1D 01 00 02 05 5B 15 03 04 02 4C 00 F4 FF 08 5B 11 04 0C 00 1D 00 10 00 4C 00 BE FF 5C 5B 15 00 10 00 4C 00 F0 FF 5C 5B 00}
 $rpc3 = {00 48 00 00 00 00 04 00 28 00 31 08 00 00 00 5C 3C 00 44 00 46 05 0A 01 00 00 00 00 00 00 00 00 0B 00 00 00 02 00 0B 01 08 00 08 00 0A 01 10 00 14 00 12 21 18 00 14 00 70 00 20 00 08 00 00 48 00 00 00 00 0F 00 40 00 31 08 00 00 00 5C 5E 00 60 00 46 08 0A 01 00 00 00 00 00 00 00 00 0B 00 00 00 02 00 0B 01 08 00 08 00 48 00 10 00 0D 00 0B 01 18 00 08 00 0A 01 20 00 14 00 12 21 28 00 14 00 58 01 30 00 08 00 70 00 38 00 08 00 00 48 00 00 00 00 1E 00 40 00 31 08 00 00 00 5C 8E 02 58 00 46 08 0A 01 00 00 00 00 00 00 00 00 0B 00 00 00 02 00 0B 01 08 00 08 00 48 00 10 00 0D 00 0B 01 18 00 08 00 0A 01 20 00 2A 00 12 41 28 00 2A 00 0A 01 30 00 42 00 70 00 38 00 08 00 00 48 00 00 00 00 2A 00 48 00 31 08 00 00 00 5C 56 00 40 01 46 09 0A 01 00 00 00 00 00 00 00 00 0B 00 00 00 02 00 0B 01 08 00 08 00 48 00 10 00 0D 00 0B 01 18 00 08 00 0A 01 20 00 2A 00 12 41 28 00 2A 00 12 41 30 00 5A 00 12 41 38 00 5A 00 70 00 40 00 08 00 00 00}
condition: uint16(0) == 0x5a4d and (1 of ($rch*) and 1 of ($auth*) and 1 of ($pwd*)) and 2 of ($rpc*) 
}