Created
October 7, 2019 13:28
-
-
Save ChaitanyaHaritash/84f0c4da337c30a3c5598842cbe276cc to your computer and use it in GitHub Desktop.
exploit_techniques used in ms office detection via yara signatures
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule malrtf_ole2link : exploit | |
| { | |
| meta: | |
| author = "@h3x2b <tracker _AT h3x.eu>" | |
| description = "Detect weaponized RTF documents with OLE2Link exploit" | |
| strings: | |
| //normal rtf beginning | |
| $rtf_format_00 = "{\\rtf1" | |
| //malformed rtf can have for example {\\rtA1 | |
| $rtf_format_01 = "{\\rt" | |
| //having objdata structure | |
| $rtf_olelink_01 = "\\objdata" nocase | |
| //hex encoded OLE2Link | |
| $rtf_olelink_02 = "4f4c45324c696e6b" nocase | |
| //hex encoded docfile magic - doc file albilae | |
| $rtf_olelink_03 = "d0cf11e0a1b11ae1" nocase | |
| //hex encoded "http://" | |
| //$rtf_payload_01 = "68007400740070003a002f002f00" nocase | |
| //hex encoded "https://" | |
| //$rtf_payload_02 = "680074007400700073003a002f002f00" nocase | |
| //hex encoded "ftp://" | |
| //$rtf_payload_03 = "6600740070003a002f002f00" nocase | |
| //techniques | |
| //otkloadr.WRAssembly.1 | |
| $rtf_tech_00 = "6f746b6c6f6164722e5752417373656d626c792e31" | |
| //using D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731 | |
| $rtf_tech_01 = "D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731" | |
| $rtf_tech_02 = "oleclsid" | |
| $rtf_tech_03 = "41303841303333442d314137352d344142362d413136362d454144303246353437393539" | |
| condition: | |
| //new_file and | |
| any of ($rtf_format_*) | |
| and all of ($rtf_olelink_*) | |
| //and any of ($rtf_payload_*) | |
| and any of ($rtf_tech_*) | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment