Canarytoken'ed Word .docx yara rule

Remember to unzip the .docx first (the rules match against the XML parts inside the archive), or use scan.sh, which unzips it for you.

Compile the yara rule first so that scan.sh can load it: `yarac canarytoken.yar canarytoken`

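// Match any http(s) URL on the canarytokens.com host.
rule canarytokendomain
{
    meta:
        description = "Canarytoken Domain"
        author = "@singe"
    strings:
        // The dot is escaped so it only matches a literal "."; unescaped it
        // matched any byte and would also fire on e.g. "canarytokensXcom".
        // "https?" makes the "s" optional (the old "s??" was an equivalent but
        // needlessly lazy form).
        $a = /https?:\/\/canarytokens\.com\//
    condition:
        $a
}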
// Match a Word INCLUDEPICTURE field whose argument is a remote http(s) URL.
// The field's \d switch may appear either after or before the quoted URL, so
// both orders are covered.
rule remoteimage_field
{
    meta:
        description = "Canarytokened Docx - Remote include via field"
        author = "@singe"
    strings:
        // quoted URL (1-200 bytes) followed by the \d switch; "\\d" in the
        // regex is the literal two-character text \d, not a digit class
        $a = /INCLUDEPICTURE +?"https?:\/\/.{1,200}?" +?\\d/
        // \d switch first, then the quoted URL
        $b = /INCLUDEPICTURE +?\\d +?"https?:\/\/.{1,200}?"/
    condition:
        any of them
}
// Match a relationship entry (word/_rels/*.rels parts) of an image type whose
// Target is an http(s) URL, i.e. an image pulled from a remote server.
rule remoteimage_rels
{
    meta:
        description = "Canarytokened Docx - remote include via relationship"
        author = "@singe"
    strings:
        // one <Relationship ...> tag: Type ending in "/image" and a remote Target,
        // with [^>]*? keeping the match inside a single tag
        $a = /<Relationship [^>]*?Type="[^"]*?\/image"[^>]*?Target="https?:\/\/[^"]*?"/
    condition:
        $a
}
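#!/bin/bash
# scan.sh - unzip a .docx and scan the extracted parts with the compiled
# canarytoken yara rules (build them first: yarac canarytoken.yar canarytoken).
#
# Usage:  scan.sh FILE.docx
# Needs:  xxd, unzip, yara and the compiled rule file named in compiled_rule.
# Exit:   0 = no token found, 1 = canary token found, 2 = usage/input/tool error.
set -u

compiled_rule="canarytoken"
red=$'\033[31m'
green=$'\033[32m'
bold=$'\033[1;97m'
reset=$'\033[0m'

# Exactly one file is scanned; "$@" was previously used as a single path,
# which broke silently when more than one argument was given.
if (( $# != 1 )); then
  printf '%s[*] Usage: %s FILE.docx%s\n' "$bold" "${0##*/}" "$reset" >&2
  exit 2
fi
file=$1

printf '%s[+] Scanning: %s %s\n' "$bold" "$file" "$reset"
if [[ ! -f "$file" ]]; then
  printf '%s[*] File not found, or not a file%s\n' "$bold" "$reset" >&2
  exit 2
fi

# A .docx is a ZIP container: require the local-file-header magic (PK\x03\x04)
# before handing arbitrary input to unzip.
check_zip=$(xxd -l4 -ps "$file")
if [[ "$check_zip" != "504b0304" ]]; then
  printf '%s[*] Not a ZIP file, is it a .docx?%s\n' "$bold" "$reset" >&2
  exit 2
fi

tmpdir=$(mktemp -d) || exit 2
# Remove the extracted copy on every exit path; ${tmpdir:?} refuses to run
# with an empty path.
cleanup() { rm -rf -- "${tmpdir:?}"; }
trap cleanup EXIT

# A failed extraction used to fall through and be reported as "Not tokened".
# unzip exits 1 for warnings (processing still completed) and >1 for errors.
unzip -q "$file" -d "$tmpdir" >/dev/null
unzip_rc=$?
if (( unzip_rc > 1 )); then
  printf '%s[*] Could not extract archive (unzip exit %d)%s\n' \
    "$bold" "$unzip_rc" "$reset" >&2
  exit 2
fi

# -C compiled rules, -r recurse into tmpdir, -m/-s/-L print meta, matched
# strings and their lengths, -D print module data. A yara error (e.g. missing
# compiled rules) must not be mistaken for "no matches".
if ! out=$(yara -mDsLrC "$compiled_rule" "$tmpdir"); then
  printf '%s[*] yara failed - is %s compiled? (yarac canarytoken.yar canarytoken)%s\n' \
    "$bold" "$compiled_rule" "$reset" >&2
  exit 2
fi

if [[ -z "$out" ]]; then
  printf '%s[-] Not tokened%s\n' "$green" "$reset"
  exit 0
fi
printf '%s\n' "$out"
printf '%s[x] Canary token found%s\n' "$red" "$reset"
exit 1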