Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Yara rules for .url tricks that didn't fit in a tweet
rule Methodology_Suspicious_Shortcut_Local_URL
{
meta:
author = "@itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)"
description = "Detects local script usage for .URL persistence"
reference = "https://twitter.com/cglyer/status/1176184798248919044"
strings:
$file = "URL=file:///" nocase
$url_clsid = "[{000214A0-0000-0000-C000-000000000046}]"
$url_explicit = "[InternetShortcut]" nocase
condition:
$file and any of ($url*)
and uint16(0) != 0x5A4D and uint32(0) != 0x464c457f and uint32(0) != 0xBEBAFECA and uint32(0) != 0xFEEDFACE and uint32(0) != 0xFEEDFACF and uint32(0) != 0xCEFAEDFE
and filesize < 30KB
}
rule Methodology_Suspicious_Shortcut_SMB_URL
{
meta:
author = "@itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)"
description = "Detects remote SMB path for .URL persistence"
reference = "https://twitter.com/cglyer/status/1176184798248919044"
sample = "e0bef7497fcb284edb0c65b59d511830"
strings:
$file = /URL=file:\/\/[a-z0-9]/ nocase
$url_clsid = "[{000214A0-0000-0000-C000-000000000046}]"
$url_explicit = "[InternetShortcut]" nocase
condition:
$file and any of ($url*)
and uint16(0) != 0x5A4D and uint32(0) != 0x464c457f and uint32(0) != 0xBEBAFECA and uint32(0) != 0xFEEDFACE and uint32(0) != 0xFEEDFACF and uint32(0) != 0xCEFAEDFE
and filesize < 30KB
}
rule Methodology_Suspicious_Shortcut_IconRemote_HTTP
{
meta:
author = "@itsreallynick (Nick Carr)"
strings:
$icon = /IconFile\s*=\s*http/ nocase
$url_clsid = "[{000214A0-0000-0000-C000-000000000046}]"
$url_explicit = "[InternetShortcut]" nocase
condition:
$icon and any of ($url*)
and uint16(0) != 0x5A4D and uint32(0) != 0x464c457f and uint32(0) != 0xBEBAFECA and uint32(0) != 0xFEEDFACE and uint32(0) != 0xFEEDFACF and uint32(0) != 0xCEFAEDFE
and filesize < 30KB
}
rule Methodology_Suspicious_Shortcut_IconRemote_SMBorLocal
{
meta:
author = "@itsreallynick (Nick Carr)"
description = "This is the syntax used for NTLM hash stealing via Responder - https://www.securify.nl/nl/blog/SFY20180501/living-off-the-land_-stealing-netntlm-hashes.html"
reference = "https://twitter.com/ItsReallyNick/status/1176241449148588032"
strings:
$icon = "IconFile=file://" nocase
$url_clsid = "[{000214A0-0000-0000-C000-000000000046}]"
$url_explicit = "[InternetShortcut]" nocase
condition:
$icon and any of ($url*)
and uint16(0) != 0x5A4D and uint32(0) != 0x464c457f and uint32(0) != 0xBEBAFECA and uint32(0) != 0xFEEDFACE and uint32(0) != 0xFEEDFACF and uint32(0) != 0xCEFAEDFE
and filesize < 30KB
}
rule Methodology_Shortcut_HotKey
{
meta:
author = "@itsreallynick (Nick Carr)"
strings:
$hotkey = /[\x0a\x0d]HotKey=[1-9]/ nocase
$url_clsid = "[{000214A0-0000-0000-C000-000000000046}]"
$url_explicit = "[InternetShortcut]" nocase
condition:
$hotkey and any of ($url*)
and uint16(0) != 0x5A4D and uint32(0) != 0x464c457f and uint32(0) != 0xBEBAFECA and uint32(0) != 0xFEEDFACE and uint32(0) != 0xFEEDFACF and uint32(0) != 0xCEFAEDFE
and filesize < 30KB
}
rule Methodology_Suspicious_Shortcut_BaseURLSyntax
{
meta:
author = "@itsreallynick (Nick Carr)"
strings:
$baseurl1 = "BASEURL=file://" nocase
$baseurl2 = "[DEFAULT]" nocase
$url_clsid = "[{000214A0-0000-0000-C000-000000000046}]"
$url_explicit = "[InternetShortcut]" nocase
condition:
all of ($baseurl*) and any of ($url*)
and uint16(0) != 0x5A4D and uint32(0) != 0x464c457f and uint32(0) != 0xBEBAFECA and uint32(0) != 0xFEEDFACE and uint32(0) != 0xFEEDFACF and uint32(0) != 0xCEFAEDFE
and filesize < 30KB
}
rule Methodology_Contains_Shortcut_OtherURIhandlers
{
meta:
author = "@itsreallynick (Nick Carr)"
description = "Noisy rule for .URL shortcuts containing unique URI handlers"
strings:
$file = "URL="
$filenegate = /[\x0a\x0d](Base|)URL\s*=\s*(https?|file):\/\// nocase
$url_clsid = "[{000214A0-0000-0000-C000-000000000046}]"
$url_explicit = "[InternetShortcut]" nocase
condition:
$file and any of ($url*) and not $filenegate
and uint16(0) != 0x5A4D and uint32(0) != 0x464c457f and uint32(0) != 0xBEBAFECA and uint32(0) != 0xFEEDFACE and uint32(0) != 0xFEEDFACF and uint32(0) != 0xCEFAEDFE
and filesize < 30KB
}
rule Methodology_Suspicious_Shortcut_IconShenanigans_dotDL
{
meta:
author = "@itsreallynick (Nick Carr)"
reference = "https://twitter.com/ItsReallyNick/status/1176229087196696577"
strings:
$icon = /[\x0a\x0d]IconFile=[^\x0d]*\.dl\x0d/ nocase ascii wide
$url_clsid = "[{000214A0-0000-0000-C000-000000000046}]"
$url_explicit = "[InternetShortcut]" nocase
condition:
any of ($url*) and $icon
and uint16(0) != 0x5A4D and uint32(0) != 0x464c457f and uint32(0) != 0xBEBAFECA and uint32(0) != 0xFEEDFACE and uint32(0) != 0xFEEDFACF and uint32(0) != 0xCEFAEDFE
and filesize < 30KB
}
rule Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO
{
meta:
author = "@itsreallynick (Nick Carr)"
reference = "https://twitter.com/ItsReallyNick/status/1176229087196696577"
strings:
$icon = "IconFile="
$icon_negate = /[\x0a\x0d]IconFile=[^\x0d]*\.(dll|exe|ico)\x0d/ nocase
$url_clsid = "[{000214A0-0000-0000-C000-000000000046}]"
$url_explicit = "[InternetShortcut]" nocase
condition:
any of ($url*) and $icon and not $icon_negate
and uint16(0) != 0x5A4D and uint32(0) != 0x464c457f and uint32(0) != 0xBEBAFECA and uint32(0) != 0xFEEDFACE and uint32(0) != 0xFEEDFACF and uint32(0) != 0xCEFAEDFE
and filesize < 30KB
}
rule Methodology_Suspicious_Shortcut_Evasion
{
meta:
author = "@itsreallynick (Nick Carr)"
description = "Non-standard .URLs and evasion"
reference = "https://twitter.com/DissectMalware/status/1176736510856634368"
strings:
$URI = /[\x0a\x0d](IconFile|(Base|)URL)[^\x0d=]+/ nocase
$filetype_clsid = "[{000214A0-0000-0000-C000-000000000046}]"
$filetype_explicit = "[InternetShortcut]" nocase
condition:
any of ($filetype*) and $URI //and $URInegate
and uint16(0) != 0x5A4D and uint32(0) != 0x464c457f and uint32(0) != 0xBEBAFECA and uint32(0) != 0xFEEDFACE and uint32(0) != 0xFEEDFACF and uint32(0) != 0xCEFAEDFE
and filesize < 30KB
}
// the below rule hasn't been seen, but I still want to explore whether this format can be abused to launch commands in unstructured .URL space
rule Methodology_Suspicious_Shortcut_LOLcommand
{
meta:
author = "@itsreallynick (Nick Carr)"
reference = "https://twitter.com/ItsReallyNick/status/1176601500069576704"
strings:
$file1 = /[\x0a\x0d](IconFile|(Base|)URL)\s*=[^\x0d]*(powershell|cmd|certutil|mshta|wscript|cscript|rundll32|wmic|regsvr32|msbuild)(\.exe|)[^\x0d]{2,}\x0d/ nocase
$url_clsid = "[{000214A0-0000-0000-C000-000000000046}]"
$url_explicit = "[InternetShortcut]" nocase
condition:
any of ($url*) and any of ($file*)
and uint16(0) != 0x5A4D and uint32(0) != 0x464c457f and uint32(0) != 0xBEBAFECA and uint32(0) != 0xFEEDFACE and uint32(0) != 0xFEEDFACF and uint32(0) != 0xCEFAEDFE
and filesize < 30KB
}
// NONE of the following rules have been seen itw, but they are searching for unique (possible?) .URL syntax - leaving here for transparency
rule Methodology_Suspicious_Shortcut_WebDAV
{
meta:
author = "@itsreallynick (Nick Carr)"
reference = "https://twitter.com/cglyer/status/1176243536754282497"
strings:
$file1 = /[\x0a\x0d](IconFile|(Base|)URL)\s*=\s*\/\/[A-Za-z0-9]/
$url_clsid = "[{000214A0-0000-0000-C000-000000000046}]"
$url_explicit = "[InternetShortcut]" nocase
condition:
any of ($url*) and any of ($file*)
and uint16(0) != 0x5A4D and uint32(0) != 0x464c457f and uint32(0) != 0xBEBAFECA and uint32(0) != 0xFEEDFACE and uint32(0) != 0xFEEDFACF and uint32(0) != 0xCEFAEDFE
and filesize < 30KB
}
rule Methodology_Suspicious_Shortcut_ScriptURL
{
meta:
author = "@itsreallynick (Nick Carr)"
strings:
$file1 = /[\x0a\x0d](IconFile|(Base|)URL)\s*=[^\x0d]*script:/ nocase
// $file2 = /IconFile=script:/ nocase
$url_clsid = "[{000214A0-0000-0000-C000-000000000046}]"
$url_explicit = "[InternetShortcut]" nocase
condition:
any of ($url*) and any of ($file*)
and uint16(0) != 0x5A4D and uint32(0) != 0x464c457f and uint32(0) != 0xBEBAFECA and uint32(0) != 0xFEEDFACE and uint32(0) != 0xFEEDFACF and uint32(0) != 0xCEFAEDFE
and filesize < 30KB
}
rule Methodology_Suspicious_Shortcut_WorkingDirRemote_HTTP
{
meta:
author = "@itsreallynick (Nick Carr)"
strings:
$icon = "WorkingDirectory=http" nocase
$url_clsid = "[{000214A0-0000-0000-C000-000000000046}]"
$url_explicit = "[InternetShortcut]" nocase
condition:
$icon and any of ($url*)
and uint16(0) != 0x5A4D and uint32(0) != 0x464c457f and uint32(0) != 0xBEBAFECA and uint32(0) != 0xFEEDFACE and uint32(0) != 0xFEEDFACF and uint32(0) != 0xCEFAEDFE
and filesize < 30KB
}
rule Methodology_Suspicious_Shortcut_WorkingDirRemote_SMB
{
meta:
author = "@itsreallynick (Nick Carr)"
strings:
$icon = "WorkingDirectory=file://" nocase
$url_clsid = "[{000214A0-0000-0000-C000-000000000046}]"
$url_explicit = "[InternetShortcut]" nocase
condition:
$icon and any of ($url*)
and uint16(0) != 0x5A4D and uint32(0) != 0x464c457f and uint32(0) != 0xBEBAFECA and uint32(0) != 0xFEEDFACE and uint32(0) != 0xFEEDFACF and uint32(0) != 0xCEFAEDFE
and filesize < 30KB
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment