Word OXML Template Injection
rule gen_injected_template_Word
{
    meta:
        description = "Detects injected templates in DOCX"
        author = "John Lambert @JohnLaTwC"
        date = "2020-05-03"
        hash1 = "a3eca35d14b0e020444186a5faaba5997994a47af08580521f808b1bb83d6063"
        hash2 = "a275dfa95393148bb9e0ddf5346f9fedcc9c87fa2ec3ce1ec875843664c37c89"
        hash3 = "ed4835e5fd10bbd2be04c5ea9eb2b8e750aff2ef235de6e0f18d369469f69c83"
        file_protocol_hash1 = "ac6c1df3895af63b864bb33bf30cb31059e247443ddb8f23517849362ec94f08 (settings.xml.rels)"
        reference1 = "https://twitter.com/Timele9527/status/1253941585026314240"
        reference2 = "https://blog.talosintelligence.com/2017/07/template-injection.html"

    strings:
        // Start of an XML declaration ("<?xm"), plain or preceded by a UTF-8 BOM.
        // The condition anchors these at offset 0, so the object scanned must be the
        // extracted XML part itself (e.g. the settings.xml.rels named in the meta),
        // not the compressed .docx container.
        $xml_decl = "<?xm"
        $xml_decl_bom = { ef bb bf 3c 3f 78 6d }

        // A relationship whose Target is remote: http(s), or a file:// target whose
        // host begins with a digit (presumably an IP address rather than a hostname).
        $target_http = "Target=\"http"
        $target_file = /Target=\"file:\/\/\d/

        // Either the explicit attachedTemplate relationship type ...
        $rel_attached_template = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
        // ... or a package relationships part that marks its target as external.
        $pkg_rels_ns = "\"http://schemas.openxmlformats.org/package/2006/relationships\""
        $rels_element = "<Relationships"
        $target_external = "TargetMode=\"External"

    condition:
        // .rels parts are small; the cap presumably keeps large XML documents out of scope
        filesize < 3KB
        and ($xml_decl at 0 or $xml_decl_bom at 0)
        and ($target_http or $target_file)
        and ($rel_attached_template or ($pkg_rels_ns and $rels_element and $target_external))
}
rule gen_injected_template_Word_web
{
    meta:
        description = "Detects injected templates in DOCX"
        author = "John Lambert @JohnLaTwC"
        date = "2020-05-03"
        hash1 = "a3eca35d14b0e020444186a5faaba5997994a47af08580521f808b1bb83d6063"
        hash2 = "a275dfa95393148bb9e0ddf5346f9fedcc9c87fa2ec3ce1ec875843664c37c89"
        reference1 = "https://twitter.com/Timele9527/status/1253941585026314240"
        reference2 = "https://blog.talosintelligence.com/2017/07/template-injection.html"

    strings:
        // Narrows the base rule to an http(s) Target; a part that only satisfies the
        // base rule through its file:// string does not match here.
        $target_http = "Target=\"http"

    condition:
        // Every stricter rule in this set chains through gen_injected_template_Word.
        gen_injected_template_Word
        and $target_http
}
rule gen_injected_template_Word_DOTM_DOCM
{
    meta:
        description = "Detects injected templates in DOCX with DOTM/DOCM extension"
        author = "John Lambert @JohnLaTwC"
        date = "2020-05-03"
        hash1 = "a3eca35d14b0e020444186a5faaba5997994a47af08580521f808b1bb83d6063"
        reference1 = "https://twitter.com/Timele9527/status/1253941585026314240"

    strings:
        // The Target value ends in a macro-enabled Word extension: .dotm" or .docm".
        // The trailing quote requires the extension to close the attribute value.
        $ext_dotm = ".dotm\""
        $ext_docm = ".docm\""

    condition:
        gen_injected_template_Word_web
        and ($ext_dotm or $ext_docm)
}
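rule gen_injected_template_Word_online_fileshare
{
    meta:
        // Description corrected: the original was copied from the DOTM/DOCM rule.
        description = "Detects injected templates in DOCX whose remote template is hosted on an online file-sharing service or a dynamic-DNS domain"
        author = "John Lambert @JohnLaTwC"
        date = "2020-05-03"
        hash1 = "a275dfa95393148bb9e0ddf5346f9fedcc9c87fa2ec3ce1ec875843664c37c89"
        reference1 = "https://twitter.com/Timele9527/status/1253941585026314240"

    strings:
        // Hosting prefixes observed in the referenced samples. These are plain substrings,
        // so any occurrence anywhere in the rels part matches, not only inside Target="...".
        $s3 = "https://drive.google.com/"
        $s4 = "https://onedrive"
        $s5 = "https://1drv.ms/"
        $s6 = "docs.live.net/"
        $s7 = "sharepoint.com"
        // duckdns.org is a dynamic-DNS provider rather than a file share; kept as the author listed it.
        $s8 = "duckdns.org"

    condition:
        gen_injected_template_Word_web
        and 1 of ($s*)
}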
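rule gen_injected_template_Word_RTF
{
    meta:
        // Description corrected: the original was copied from the DOTM/DOCM rule.
        description = "Detects injected templates in DOCX whose http(s) Target URL contains rtf/RTF"
        author = "John Lambert @JohnLaTwC"
        date = "2020-05-03"
        hash1 = "4f591b5db3401021d108368950e9c0c0ca638f50bba5da0c03986e7c137bec89"

    strings:
        // 3-80 URL characters after the scheme, then the literal "rtf" or "RTF".
        // (rtf|RTF) is an alternation; the earlier [rtf|RTF] was a character class that
        // matched any single r, t, f or | -- far broader than intended (see the gist comments).
        // [^"\s] instead of \S stops the match at the closing quote of the Target value,
        // so text after the attribute cannot satisfy the rtf/RTF part.
        $r1 = /Target="http:[^"\s]{3,80}(rtf|RTF)/
        $r2 = /Target="https:[^"\s]{3,80}(rtf|RTF)/

    condition:
        gen_injected_template_Word_web
        and any of ($r*)
}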
@cccs-jp

cccs-jp commented May 27, 2020

Thanks for the rules @JohnLaTwC! Added a little bit of metadata using CCCS Yara :)

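// NOTE(review): the "rule gen_injected_template_Word" header line was missing from the
// pasted text; restored from the name the _web rule below references.
rule gen_injected_template_Word
{
    meta:
        id = "76R8aOYLX1wLOerHGwAzdF"
        fingerprint = "ceae9927e1bc85cedba0ff97167f8be547d401e3333846b1a4b732a013ed6e55"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        source = "OPENSOURCE"
        author = "John Lambert @JohnLaTwC"
        description = "Detects injected templates in DOCX"
        category = "TECHNIQUE"
        technique = "TEMPLATE INJECTION"
        mitre_att = "T1221"
        reference = "https://gist.github.com/JohnLaTwC/14bdf8a94b0639e02e10590b6dba1ce7"
        reference = "https://twitter.com/Timele9527/status/1253941585026314240"
        reference = "https://blog.talosintelligence.com/2017/07/template-injection.html"
        hash = "a3eca35d14b0e020444186a5faaba5997994a47af08580521f808b1bb83d6063"
        hash = "a275dfa95393148bb9e0ddf5346f9fedcc9c87fa2ec3ce1ec875843664c37c89"
        hash = "ed4835e5fd10bbd2be04c5ea9eb2b8e750aff2ef235de6e0f18d369469f69c83"
        date = "2020-05-03"
        file_protocol_hash1 = "ac6c1df3895af63b864bb33bf30cb31059e247443ddb8f23517849362ec94f08 (settings.xml.rels)"

    strings:
        // "<?xm": start of the XML declaration, with and without a UTF-8 BOM. Anchored at
        // offset 0 in the condition, so this scans the extracted XML part, not the .docx zip.
        $header_xml = { 3c 3f 78 6d }
        $header_xml_2 = { ef bb bf 3c 3f 78 6d }
        // Remote Target: http(s), or file:// followed by a digit.
        $s1 = "Target=\"http"
        $s2 = /Target=\"file:\/\/\d/

        // Explicit attachedTemplate relationship type ...
        $r1 = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
        // ... or a package relationships part with an external TargetMode.
        $r2a = "\"http://schemas.openxmlformats.org/package/2006/relationships\""
        $r2b = "<Relationships"
        $r2c = "TargetMode=\"External"

    condition:
        filesize < 3KB
        and ($header_xml at 0 or $header_xml_2 at 0 )
        and any of ($s*)
        and ($r1 or all of ($r2*))
}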

rule gen_injected_template_Word_web
{
    meta:
        id = "7gm1wqBR592azionIznn4U"
        // NOTE(review): fingerprint is presumably derived from the rule text; regenerate it if this rule is edited.
        fingerprint = "a521fe78e2bf961936c324dbc5b73331c397d55354ea4194efc3a69ebbf473f0"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        source = "OPENSOURCE"
        author = "John Lambert @JohnLaTwC"
        description = "Detects injected templates in DOCX"
        category = "TECHNIQUE"
        technique = "TEMPLATE INJECTION"
        mitre_att = "T1221"
        reference = "https://gist.github.com/JohnLaTwC/14bdf8a94b0639e02e10590b6dba1ce7"
        reference = "https://twitter.com/Timele9527/status/1253941585026314240"
        reference = "https://blog.talosintelligence.com/2017/07/template-injection.html"
        hash = "a3eca35d14b0e020444186a5faaba5997994a47af08580521f808b1bb83d6063"
        hash = "a275dfa95393148bb9e0ddf5346f9fedcc9c87fa2ec3ce1ec875843664c37c89"
        date = "2020-05-03"

    strings:
        // Narrows the base rule to an http(s) Target; the base rule's file:// case
        // does not satisfy this rule on its own.
        $target_http = "Target=\"http"

    condition:
        gen_injected_template_Word
        and $target_http
}


rule gen_injected_template_Word_DOTM_DOCM
{
    meta:
        id = "7eotpSbunw3EMsHvDL5i20"
        // NOTE(review): fingerprint is presumably derived from the rule text; regenerate it if this rule is edited.
        fingerprint = "ea6a45a431c428087c88d0c08332a7107868a90ab25fbe654b2d79cd86f8e165"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        source = "OPENSOURCE"
        author = "John Lambert @JohnLaTwC"
        description = "Detects injected templates in DOCX with DOTM/DOCM extension"
        category = "TECHNIQUE"
        technique = "TEMPLATE INJECTION"
        mitre_att = "T1221"
        reference = "https://gist.github.com/JohnLaTwC/14bdf8a94b0639e02e10590b6dba1ce7"
        reference = "https://twitter.com/Timele9527/status/1253941585026314240"
        hash = "a3eca35d14b0e020444186a5faaba5997994a47af08580521f808b1bb83d6063"
        date = "2020-05-03"

    strings:
        // The Target value ends in a macro-enabled Word extension: .dotm" or .docm".
        // The trailing quote requires the extension to close the attribute value.
        $ext_dotm = ".dotm\""
        $ext_docm = ".docm\""

    condition:
        gen_injected_template_Word_web
        and ($ext_dotm or $ext_docm)
}


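rule gen_injected_template_Word_online_fileshare
{
    meta:
        id = "bEDbdpGbFo7Ca2pUiF9j0"
        // NOTE(review): fingerprint is presumably derived from the rule text; it predates the edits below and should be regenerated.
        fingerprint = "4c54266890453ff673271f53ba5a717b758b75ac5e9bf14d8bd2bf7c6260ca0e"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        source = "OPENSOURCE"
        author = "John Lambert @JohnLaTwC"
        // Description corrected: the original was copied from the DOTM/DOCM rule.
        description = "Detects injected templates in DOCX whose remote template is hosted on an online file-sharing service or a dynamic-DNS domain"
        category = "TECHNIQUE"
        technique = "TEMPLATE INJECTION"
        mitre_att = "T1221"
        reference = "https://gist.github.com/JohnLaTwC/14bdf8a94b0639e02e10590b6dba1ce7"
        reference = "https://twitter.com/Timele9527/status/1253941585026314240"
        hash = "a275dfa95393148bb9e0ddf5346f9fedcc9c87fa2ec3ce1ec875843664c37c89"
        date = "2020-05-03"

    strings:
        // Hosting prefixes observed in the referenced samples. These are plain substrings,
        // so any occurrence anywhere in the rels part matches, not only inside Target="...".
        $s3 = "https://drive.google.com/"
        $s4 = "https://onedrive"
        $s5 = "https://1drv.ms/"
        $s6 = "docs.live.net/"
        $s7 = "sharepoint.com"
        // duckdns.org is a dynamic-DNS provider rather than a file share; kept as the author listed it.
        $s8 = "duckdns.org"

    condition:
        gen_injected_template_Word_web
        and 1 of ($s*)
}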

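rule gen_injected_template_Word_RTF
{
    meta:
        id = "1ss91rBFqAlpTwZS0UqSxn"
        // NOTE(review): fingerprint is presumably derived from the rule text; it predates the edits below and should be regenerated.
        fingerprint = "059fd44483a7a9b415b7551e4969f109b71876f0e479bef72eae083611932d2a"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        source = "OPENSOURCE"
        author = "John Lambert @JohnLaTwC"
        // Description corrected: the original was copied from the DOTM/DOCM rule.
        description = "Detects injected templates in DOCX whose http(s) Target URL contains rtf/RTF"
        category = "TECHNIQUE"
        technique = "TEMPLATE INJECTION"
        mitre_att = "T1221"
        reference = "https://gist.github.com/JohnLaTwC/14bdf8a94b0639e02e10590b6dba1ce7"
        hash = "4f591b5db3401021d108368950e9c0c0ca638f50bba5da0c03986e7c137bec89"
        date = "2020-05-03"

    strings:
        // 3-80 URL characters after the scheme, then the literal "rtf" or "RTF".
        // (rtf|RTF) is an alternation; the earlier [rtf|RTF] was a character class that
        // matched any single r, t, f or | -- far broader than intended (see the gist comments).
        // [^"\s] instead of \S stops the match at the closing quote of the Target value,
        // so text after the attribute cannot satisfy the rtf/RTF part.
        $r1 = /Target="http:[^"\s]{3,80}(rtf|RTF)/
        $r2 = /Target="https:[^"\s]{3,80}(rtf|RTF)/

    condition:
        gen_injected_template_Word_web
        and any of ($r*)
}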

@JohnLaTwC

very nice. Thanks!

@cccs-jp

cccs-jp commented Nov 27, 2020

Looks like there was a small mistake above: I recommend switching [rtf|RTF] to (rtf|RTF) to reduce false positives, since the square-bracket form is a character class matching a single character rather than the sequence "rtf".
