CVE_2021_40444 Yara rules
rule office_exploit_CVE_2021_40444 {
    meta:
        description = "Detects Microsoft Office exploit CVE-2021-40444"
        author = "Rich Warren"
        date = "2021-09-08"
    strings:
        $header = "<?xml" nocase
        $ = "!x-usc:" nocase
        $ = "mhtml:" nocase
    condition:
        // File begins with an XML declaration and contains both markers
        $header at 0 and all of them
}
rule cab_exploit_CVE_2021_40444 {
    meta:
        description = "Detects malicious cab files associated with CVE-2021-40444"
        author = "Rich Warren"
        date = "2021-09-08"
    strings:
        $ = "../" nocase
        $ = ".inf" nocase
    condition:
        // 0x4D534346 is the "MSCF" cabinet magic; both strings must also be present
        uint32be(0) == 0x4D534346 and all of them
}
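Added example, not part of the gist and not the rule author's code: the office rule requires `<?xml` at offset 0, so it matches XML parts rather than a .docx container, which is a ZIP and starts with `PK`. The Python below re-implements both rule conditions in plain Python (it does not call YARA) and applies the office condition to every member of a ZIP; the function names, the size limit and the sample container are assumptions constructed for illustration.

```python
import io
import zipfile

OFFICE_MARKERS = (b"!x-usc:", b"mhtml:")  # strings from office_exploit_CVE_2021_40444
CAB_MARKERS = (b"../", b".inf")           # strings from cab_exploit_CVE_2021_40444
MAX_PART_SIZE = 10 * 1024 * 1024          # assumed cap on uncompressed part size


def office_rule(data: bytes) -> bool:
    """Office rule condition: '<?xml' at offset 0 and every marker, case-insensitive."""
    low = data.lower()
    return low.startswith(b"<?xml") and all(m in low for m in OFFICE_MARKERS)


def cab_rule(data: bytes) -> bool:
    """Cab rule condition: 'MSCF' magic (0x4D534346) and every marker, case-insensitive."""
    low = data.lower()
    return data[:4] == b"MSCF" and all(m in low for m in CAB_MARKERS)


def scan_ooxml(container: bytes) -> list[str]:
    """Return the names of ZIP members that satisfy the office rule condition."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        for info in zf.infolist():
            if info.file_size > MAX_PART_SIZE:  # skip oversized parts
                continue
            if office_rule(zf.read(info)):
                hits.append(info.filename)
    return hits


def build_sample() -> bytes:
    """Constructed, inert container: marker strings only, placeholder values."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", '<?xml version="1.0"?><doc>hello</doc>')
        zf.writestr("word/_rels/document.xml.rels",
                    '<?xml version="1.0"?><r t="MHTML:placeholder!x-usc:placeholder"/>')
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    print("raw container matches office rule:", office_rule(sample))
    print("matching parts after unpacking:", scan_ooxml(sample))
```

When running the actual rules with YARA, the same point applies: scan the unpacked parts of a document as well as the container file.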