stvemillertime/ConventionEngine_OLE_C_Users.yar

## ConventionEngine_OLE_C_Users.yar
rule ConventionEngine_OLE_C_Users
{
    meta:
        author = "smiller and alyssa"
        date = "11/06/2018"
        description = "Looking for RTFs with OLE paths containing suspicious strings, as part of common developer convention. In this case, the matching RTF has an OLE object with a path C Users in it. That's odd. #ConventionEngine"
        md5 = "e24e51ec170b2341ef90321640fef797"
    strings:
        $package = "0105000002000000080000005061636B61676500" ascii
        $users = "0043003A005C00550073006500720073005C00" ascii
    condition:
        ((uint32(0) == 0x74725c7b) or (uint32(0) == 0x74525c7b) or (uint32(0) == 0x54725c7b) or (uint32(0) == 0x54525c7b)) and $package and $users
}
	rule ConventionEngine_OLE_C_Users
	{
	meta:
	author = "smiller and alyssa"
	date = "11/06/2018"
	description = "Looking for RTFs with OLE paths containing suspicious strings, as part of common developer convention. In this case, the matching RTF has an OLE object with a path C Users in it. That's odd. #ConventionEngine"
	md5 = "e24e51ec170b2341ef90321640fef797"
	strings:
	$package = "0105000002000000080000005061636B61676500" ascii
	$users = "0043003A005C00550073006500720073005C00" ascii
	condition:
	((uint32(0) == 0x74725c7b) or (uint32(0) == 0x74525c7b) or (uint32(0) == 0x54725c7b) or (uint32(0) == 0x54525c7b)) and $package and $users
	}