/*
I've only tested about half of these, so use with care. Some of them are too common for any practical use.
You gotta find which ones are within your prevalence comfort zone. For me <10-20K is pretty decent. For you that might not work.
This list of CLSIDs ripped raw from https://github.com/decalage2/oletools/blob/master/oletools/common/clsid.py
I took those and then stole a script from github to convert the CLSIDs from string GUID form to hex GUID form, then I mass created the rules.
The list of $embedded control words is to help down select RTFs and make a guess that there is probs some embedded content. You can tweak that or dial it up or down or whatever. Maybe add the OLE header.
You may want to fiddle with filesize and the magic header. Here it is a very simple check at offset 0, but you might want to try matching {\\rt anywhere in (0..50) or something like that to account for header mangling.
Have fun! Let me know if you find any of them that are great or just terrible and I'll edit this to make a note.
Thanks to @decalage2 and @edeca for the inspiration.
-smiller
*/
// StdOleLink: RTF that carries embedded-object control words plus this CLSID,
// either as dashed GUID text or as the byte-swapped hex stream form.
rule Methodology_RTFEngine_OLE_CLSID_StdOleLink
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        // control words that indicate embedded / OLE content in the RTF
        $rtf_obj_1 = "\\object" nocase
        $rtf_obj_2 = "\\objdata" nocase
        $rtf_obj_3 = "\\objocx" nocase
        $rtf_obj_4 = "\\objclass" nocase
        $rtf_obj_5 = "\\oleclsid" nocase
        // 'StdOleLink (embedded OLE object - Known Related to CVE-2017-0199, CVE-2017-8570, CVE-2017-8759 or CVE-2018-8174)'
        $clsid_text = "00000300-0000-0000-C000-000000000046" nocase ascii
        // same CLSID with Data1/Data2/Data3 byte-swapped (little-endian), as written in a hex object stream
        $clsid_hex = "0003000000000000C000000000000046" nocase ascii
    condition:
        filesize < 15MB
        and uint8(0) == 0x7B and uint8(1) == 0x5C // "{\" at offset 0 (same bytes as uint16(0) == 0x5C7B)
        and any of ($rtf_obj_*)
        and any of ($clsid_*)
}
// File Moniker: RTF that carries embedded-object control words plus this CLSID,
// either as dashed GUID text or as the byte-swapped hex stream form.
rule Methodology_RTFEngine_OLE_CLSID_FileMoniker
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        // control words that indicate embedded / OLE content in the RTF
        $rtf_obj_1 = "\\object" nocase
        $rtf_obj_2 = "\\objdata" nocase
        $rtf_obj_3 = "\\objocx" nocase
        $rtf_obj_4 = "\\objclass" nocase
        $rtf_obj_5 = "\\oleclsid" nocase
        // 'File Moniker (may trigger CVE-2017-0199 or CVE-2017-8570)'
        $clsid_text = "00000303-0000-0000-C000-000000000046" nocase ascii
        // same CLSID with Data1/Data2/Data3 byte-swapped (little-endian)
        $clsid_hex = "0303000000000000C000000000000046" nocase ascii
    condition:
        filesize < 15MB
        and uint8(0) == 0x7B and uint8(1) == 0x5C // "{\" at offset 0
        and any of ($rtf_obj_*)
        and any of ($clsid_*)
}
// Item Moniker: RTF that carries embedded-object control words plus this CLSID,
// either as dashed GUID text or as the byte-swapped hex stream form.
rule Methodology_RTFEngine_OLE_CLSID_ItemMoniker
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        // control words that indicate embedded / OLE content in the RTF
        $rtf_obj_1 = "\\object" nocase
        $rtf_obj_2 = "\\objdata" nocase
        $rtf_obj_3 = "\\objocx" nocase
        $rtf_obj_4 = "\\objclass" nocase
        $rtf_obj_5 = "\\oleclsid" nocase
        // 'Item Moniker'
        $clsid_text = "00000304-0000-0000-C000-000000000046" nocase ascii
        // same CLSID with Data1/Data2/Data3 byte-swapped (little-endian)
        $clsid_hex = "0403000000000000C000000000000046" nocase ascii
    condition:
        filesize < 15MB
        and uint8(0) == 0x7B and uint8(1) == 0x5C // "{\" at offset 0
        and any of ($rtf_obj_*)
        and any of ($clsid_*)
}
// Anti Moniker: RTF that carries embedded-object control words plus this CLSID,
// either as dashed GUID text or as the byte-swapped hex stream form.
rule Methodology_RTFEngine_OLE_CLSID_AntiMoniker
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        // control words that indicate embedded / OLE content in the RTF
        $rtf_obj_1 = "\\object" nocase
        $rtf_obj_2 = "\\objdata" nocase
        $rtf_obj_3 = "\\objocx" nocase
        $rtf_obj_4 = "\\objclass" nocase
        $rtf_obj_5 = "\\oleclsid" nocase
        // 'Anti Moniker'
        $clsid_text = "00000305-0000-0000-C000-000000000046" nocase ascii
        // same CLSID with Data1/Data2/Data3 byte-swapped (little-endian)
        $clsid_hex = "0503000000000000C000000000000046" nocase ascii
    condition:
        filesize < 15MB
        and uint8(0) == 0x7B and uint8(1) == 0x5C // "{\" at offset 0
        and any of ($rtf_obj_*)
        and any of ($clsid_*)
}
// Pointer Moniker: RTF that carries embedded-object control words plus this CLSID,
// either as dashed GUID text or as the byte-swapped hex stream form.
rule Methodology_RTFEngine_OLE_CLSID_PointerMoniker
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        // control words that indicate embedded / OLE content in the RTF
        $rtf_obj_1 = "\\object" nocase
        $rtf_obj_2 = "\\objdata" nocase
        $rtf_obj_3 = "\\objocx" nocase
        $rtf_obj_4 = "\\objclass" nocase
        $rtf_obj_5 = "\\oleclsid" nocase
        // 'Pointer Moniker'
        $clsid_text = "00000306-0000-0000-C000-000000000046" nocase ascii
        // same CLSID with Data1/Data2/Data3 byte-swapped (little-endian)
        $clsid_hex = "0603000000000000C000000000000046" nocase ascii
    condition:
        filesize < 15MB
        and uint8(0) == 0x7B and uint8(1) == 0x5C // "{\" at offset 0
        and any of ($rtf_obj_*)
        and any of ($clsid_*)
}
// Packager Moniker: RTF that carries embedded-object control words plus this CLSID,
// either as dashed GUID text or as the byte-swapped hex stream form.
rule Methodology_RTFEngine_OLE_CLSID_PackagerMoniker
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        // control words that indicate embedded / OLE content in the RTF
        $rtf_obj_1 = "\\object" nocase
        $rtf_obj_2 = "\\objdata" nocase
        $rtf_obj_3 = "\\objocx" nocase
        $rtf_obj_4 = "\\objclass" nocase
        $rtf_obj_5 = "\\oleclsid" nocase
        // 'Packager Moniker'
        $clsid_text = "00000308-0000-0000-C000-000000000046" nocase ascii
        // same CLSID with Data1/Data2/Data3 byte-swapped (little-endian)
        $clsid_hex = "0803000000000000C000000000000046" nocase ascii
    condition:
        filesize < 15MB
        and uint8(0) == 0x7B and uint8(1) == 0x5C // "{\" at offset 0
        and any of ($rtf_obj_*)
        and any of ($clsid_*)
}
// Composite Moniker: RTF that carries embedded-object control words plus this CLSID,
// either as dashed GUID text or as the byte-swapped hex stream form.
rule Methodology_RTFEngine_OLE_CLSID_CompositeMoniker
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        // control words that indicate embedded / OLE content in the RTF
        $rtf_obj_1 = "\\object" nocase
        $rtf_obj_2 = "\\objdata" nocase
        $rtf_obj_3 = "\\objocx" nocase
        $rtf_obj_4 = "\\objclass" nocase
        $rtf_obj_5 = "\\oleclsid" nocase
        // 'Composite Moniker (may trigger CVE-2017-8570)'
        $clsid_text = "00000309-0000-0000-C000-000000000046" nocase ascii
        // same CLSID with Data1/Data2/Data3 byte-swapped (little-endian)
        $clsid_hex = "0903000000000000C000000000000046" nocase ascii
    condition:
        filesize < 15MB
        and uint8(0) == 0x7B and uint8(1) == 0x5C // "{\" at offset 0
        and any of ($rtf_obj_*)
        and any of ($clsid_*)
}
// Class Moniker: RTF that carries embedded-object control words plus this CLSID,
// either as dashed GUID text or as the byte-swapped hex stream form.
rule Methodology_RTFEngine_OLE_CLSID_ClassMoniker
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        // control words that indicate embedded / OLE content in the RTF
        $rtf_obj_1 = "\\object" nocase
        $rtf_obj_2 = "\\objdata" nocase
        $rtf_obj_3 = "\\objocx" nocase
        $rtf_obj_4 = "\\objclass" nocase
        $rtf_obj_5 = "\\oleclsid" nocase
        // 'Class Moniker'
        $clsid_text = "0000031A-0000-0000-C000-000000000046" nocase ascii
        // same CLSID with Data1/Data2/Data3 byte-swapped (little-endian); nocase covers the mixed-case literal
        $clsid_hex = "1a03000000000000C000000000000046" nocase ascii
    condition:
        filesize < 15MB
        and uint8(0) == 0x7B and uint8(1) == 0x5C // "{\" at offset 0
        and any of ($rtf_obj_*)
        and any of ($clsid_*)
}
// ADODB.RecordSet: RTF that carries embedded-object control words plus this CLSID,
// either as dashed GUID text or as the byte-swapped hex stream form.
rule Methodology_RTFEngine_OLE_CLSID_ADODBRecordSet
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        // control words that indicate embedded / OLE content in the RTF
        $rtf_obj_1 = "\\object" nocase
        $rtf_obj_2 = "\\objdata" nocase
        $rtf_obj_3 = "\\objocx" nocase
        $rtf_obj_4 = "\\objclass" nocase
        $rtf_obj_5 = "\\oleclsid" nocase
        // 'ADODB.RecordSet (may trigger CVE-2015-0097)'
        $clsid_text = "00000535-0000-0010-8000-00AA006D2EA4" nocase ascii
        // same CLSID with Data1/Data2/Data3 byte-swapped (little-endian)
        $clsid_hex = "3505000000001000800000AA006D2EA4" nocase ascii
    condition:
        filesize < 15MB
        and uint8(0) == 0x7B and uint8(1) == 0x5C // "{\" at offset 0
        and any of ($rtf_obj_*)
        and any of ($clsid_*)
}
// OutlookAttachMoniker: RTF that carries embedded-object control words plus this CLSID,
// either as dashed GUID text or as the byte-swapped hex stream form.
rule Methodology_RTFEngine_OLE_CLSID_OutlookAttachMoniker
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        // control words that indicate embedded / OLE content in the RTF
        $rtf_obj_1 = "\\object" nocase
        $rtf_obj_2 = "\\objdata" nocase
        $rtf_obj_3 = "\\objocx" nocase
        $rtf_obj_4 = "\\objclass" nocase
        $rtf_obj_5 = "\\oleclsid" nocase
        // 'OutlookAttachMoniker'
        $clsid_text = "0002034C-0000-0000-C000-000000000046" nocase ascii
        // same CLSID with Data1/Data2/Data3 byte-swapped (little-endian)
        $clsid_hex = "4c03020000000000C000000000000046" nocase ascii
    condition:
        filesize < 15MB
        and uint8(0) == 0x7B and uint8(1) == 0x5C // "{\" at offset 0
        and any of ($rtf_obj_*)
        and any of ($clsid_*)
}
// OutlookMessageMoniker: RTF that carries embedded-object control words plus this CLSID,
// either as dashed GUID text or as the byte-swapped hex stream form.
rule Methodology_RTFEngine_OLE_CLSID_OutlookMessageMoniker
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        // control words that indicate embedded / OLE content in the RTF
        $rtf_obj_1 = "\\object" nocase
        $rtf_obj_2 = "\\objdata" nocase
        $rtf_obj_3 = "\\objocx" nocase
        $rtf_obj_4 = "\\objclass" nocase
        $rtf_obj_5 = "\\oleclsid" nocase
        // 'OutlookMessageMoniker'
        $clsid_text = "0002034E-0000-0000-C000-000000000046" nocase ascii
        // same CLSID with Data1/Data2/Data3 byte-swapped (little-endian)
        $clsid_hex = "4e03020000000000C000000000000046" nocase ascii
    condition:
        filesize < 15MB
        and uint8(0) == 0x7B and uint8(1) == 0x5C // "{\" at offset 0
        and any of ($rtf_obj_*)
        and any of ($clsid_*)
}
// Excel.Sheet.5: RTF that carries embedded-object control words plus this CLSID,
// either as dashed GUID text or as the byte-swapped hex stream form.
rule Methodology_RTFEngine_OLE_CLSID_MicrosoftExcelSheet5
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        // control words that indicate embedded / OLE content in the RTF
        $rtf_obj_1 = "\\object" nocase
        $rtf_obj_2 = "\\objdata" nocase
        $rtf_obj_3 = "\\objocx" nocase
        $rtf_obj_4 = "\\objclass" nocase
        $rtf_obj_5 = "\\oleclsid" nocase
        // 'Microsoft Excel.Sheet.5'
        $clsid_text = "00020810-0000-0000-C000-000000000046" nocase ascii
        // same CLSID with Data1/Data2/Data3 byte-swapped (little-endian)
        $clsid_hex = "1008020000000000C000000000000046" nocase ascii
    condition:
        filesize < 15MB
        and uint8(0) == 0x7B and uint8(1) == 0x5C // "{\" at offset 0
        and any of ($rtf_obj_*)
        and any of ($clsid_*)
}
// Excel.Chart.5: RTF that carries embedded-object control words plus this CLSID,
// either as dashed GUID text or as the byte-swapped hex stream form.
rule Methodology_RTFEngine_OLE_CLSID_MicrosoftExcelChart5
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        // control words that indicate embedded / OLE content in the RTF
        $rtf_obj_1 = "\\object" nocase
        $rtf_obj_2 = "\\objdata" nocase
        $rtf_obj_3 = "\\objocx" nocase
        $rtf_obj_4 = "\\objclass" nocase
        $rtf_obj_5 = "\\oleclsid" nocase
        // 'Microsoft Excel.Chart.5'
        $clsid_text = "00020811-0000-0000-C000-000000000046" nocase ascii
        // same CLSID with Data1/Data2/Data3 byte-swapped (little-endian)
        $clsid_hex = "1108020000000000C000000000000046" nocase ascii
    condition:
        filesize < 15MB
        and uint8(0) == 0x7B and uint8(1) == 0x5C // "{\" at offset 0
        and any of ($rtf_obj_*)
        and any of ($clsid_*)
}
// Excel.Sheet.8: RTF that carries embedded-object control words plus this CLSID,
// either as dashed GUID text or as the byte-swapped hex stream form.
rule Methodology_RTFEngine_OLE_CLSID_ExcelSheet8
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        // control words that indicate embedded / OLE content in the RTF
        $rtf_obj_1 = "\\object" nocase
        $rtf_obj_2 = "\\objdata" nocase
        $rtf_obj_3 = "\\objocx" nocase
        $rtf_obj_4 = "\\objclass" nocase
        $rtf_obj_5 = "\\oleclsid" nocase
        // 'Microsoft Excel 97-2003 Worksheet (Excel.Sheet.8)'
        $clsid_text = "00020820-0000-0000-C000-000000000046" nocase ascii
        // same CLSID with Data1/Data2/Data3 byte-swapped (little-endian)
        $clsid_hex = "2008020000000000C000000000000046" nocase ascii
    condition:
        filesize < 15MB
        and uint8(0) == 0x7B and uint8(1) == 0x5C // "{\" at offset 0
        and any of ($rtf_obj_*)
        and any of ($clsid_*)
}
// Excel.Chart.8: RTF that carries embedded-object control words plus this CLSID,
// either as dashed GUID text or as the byte-swapped hex stream form.
rule Methodology_RTFEngine_OLE_CLSID_ExcelChart8
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        // control words that indicate embedded / OLE content in the RTF
        $rtf_obj_1 = "\\object" nocase
        $rtf_obj_2 = "\\objdata" nocase
        $rtf_obj_3 = "\\objocx" nocase
        $rtf_obj_4 = "\\objclass" nocase
        $rtf_obj_5 = "\\oleclsid" nocase
        // 'Microsoft Excel.Chart.8'
        $clsid_text = "00020821-0000-0000-C000-000000000046" nocase ascii
        // same CLSID with Data1/Data2/Data3 byte-swapped (little-endian)
        $clsid_hex = "2108020000000000C000000000000046" nocase ascii
    condition:
        filesize < 15MB
        and uint8(0) == 0x7B and uint8(1) == 0x5C // "{\" at offset 0
        and any of ($rtf_obj_*)
        and any of ($clsid_*)
}
// Excel.Sheet.12: RTF that carries embedded-object control words plus this CLSID,
// either as dashed GUID text or as the byte-swapped hex stream form.
rule Methodology_RTFEngine_OLE_CLSID_ExcelSheet12
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        // control words that indicate embedded / OLE content in the RTF
        $rtf_obj_1 = "\\object" nocase
        $rtf_obj_2 = "\\objdata" nocase
        $rtf_obj_3 = "\\objocx" nocase
        $rtf_obj_4 = "\\objclass" nocase
        $rtf_obj_5 = "\\oleclsid" nocase
        // 'Microsoft Excel.Sheet.12'
        $clsid_text = "00020830-0000-0000-C000-000000000046" nocase ascii
        // same CLSID with Data1/Data2/Data3 byte-swapped (little-endian)
        $clsid_hex = "3008020000000000C000000000000046" nocase ascii
    condition:
        filesize < 15MB
        and uint8(0) == 0x7B and uint8(1) == 0x5C // "{\" at offset 0
        and any of ($rtf_obj_*)
        and any of ($clsid_*)
}
// Excel.SheetMacroEnabled.12: RTF that carries embedded-object control words plus this CLSID,
// either as dashed GUID text or as the byte-swapped hex stream form.
rule Methodology_RTFEngine_OLE_CLSID_ExcelSheetMacroEnabled12
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        // control words that indicate embedded / OLE content in the RTF
        $rtf_obj_1 = "\\object" nocase
        $rtf_obj_2 = "\\objdata" nocase
        $rtf_obj_3 = "\\objocx" nocase
        $rtf_obj_4 = "\\objclass" nocase
        $rtf_obj_5 = "\\oleclsid" nocase
        // 'Microsoft Excel sheet with macro enabled (Excel.SheetMacroEnabled.12)'
        $clsid_text = "00020832-0000-0000-C000-000000000046" nocase ascii
        // same CLSID with Data1/Data2/Data3 byte-swapped (little-endian)
        $clsid_hex = "3208020000000000C000000000000046" nocase ascii
    condition:
        filesize < 15MB
        and uint8(0) == 0x7B and uint8(1) == 0x5C // "{\" at offset 0
        and any of ($rtf_obj_*)
        and any of ($clsid_*)
}
// Excel.SheetBinaryMacroEnabled.12: RTF that carries embedded-object control words plus this CLSID,
// either as dashed GUID text or as the byte-swapped hex stream form.
rule Methodology_RTFEngine_OLE_CLSID_ExcelSheetBinaryMacroEnabled12
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        // control words that indicate embedded / OLE content in the RTF
        $rtf_obj_1 = "\\object" nocase
        $rtf_obj_2 = "\\objdata" nocase
        $rtf_obj_3 = "\\objocx" nocase
        $rtf_obj_4 = "\\objclass" nocase
        $rtf_obj_5 = "\\oleclsid" nocase
        // 'Microsoft Excel binary sheet with macro enabled (Excel.SheetBinaryMacroEnabled.12)'
        $clsid_text = "00020833-0000-0000-C000-000000000046" nocase ascii
        // same CLSID with Data1/Data2/Data3 byte-swapped (little-endian)
        $clsid_hex = "3308020000000000C000000000000046" nocase ascii
    condition:
        filesize < 15MB
        and uint8(0) == 0x7B and uint8(1) == 0x5C // "{\" at offset 0
        and any of ($rtf_obj_*)
        and any of ($clsid_*)
}
// Word.Document.6: RTF that carries embedded-object control words plus this CLSID,
// either as dashed GUID text or as the byte-swapped hex stream form.
rule Methodology_RTFEngine_OLE_CLSID_WordDocument6
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        // control words that indicate embedded / OLE content in the RTF
        $rtf_obj_1 = "\\object" nocase
        $rtf_obj_2 = "\\objdata" nocase
        $rtf_obj_3 = "\\objocx" nocase
        $rtf_obj_4 = "\\objclass" nocase
        $rtf_obj_5 = "\\oleclsid" nocase
        // 'Microsoft Word 6.0-7.0 Document (Word.Document.6)'
        $clsid_text = "00020900-0000-0000-C000-000000000046" nocase ascii
        // same CLSID with Data1/Data2/Data3 byte-swapped (little-endian)
        $clsid_hex = "0009020000000000C000000000000046" nocase ascii
    condition:
        filesize < 15MB
        and uint8(0) == 0x7B and uint8(1) == 0x5C // "{\" at offset 0
        and any of ($rtf_obj_*)
        and any of ($clsid_*)
}
// Word.Document.8: RTF that carries embedded-object control words plus this CLSID,
// either as dashed GUID text or as the byte-swapped hex stream form.
rule Methodology_RTFEngine_OLE_CLSID_WordDocument8
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        // control words that indicate embedded / OLE content in the RTF
        $rtf_obj_1 = "\\object" nocase
        $rtf_obj_2 = "\\objdata" nocase
        $rtf_obj_3 = "\\objocx" nocase
        $rtf_obj_4 = "\\objclass" nocase
        $rtf_obj_5 = "\\oleclsid" nocase
        // 'Microsoft Word 97-2003 Document (Word.Document.8)'
        $clsid_text = "00020906-0000-0000-C000-000000000046" nocase ascii
        // same CLSID with Data1/Data2/Data3 byte-swapped (little-endian)
        $clsid_hex = "0609020000000000C000000000000046" nocase ascii
    condition:
        filesize < 15MB
        and uint8(0) == 0x7B and uint8(1) == 0x5C // "{\" at offset 0
        and any of ($rtf_obj_*)
        and any of ($clsid_*)
}
// Word.Picture.8: RTF that carries embedded-object control words plus this CLSID,
// either as dashed GUID text or as the byte-swapped hex stream form.
rule Methodology_RTFEngine_OLE_CLSID_WordPicture8
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        // control words that indicate embedded / OLE content in the RTF
        $rtf_obj_1 = "\\object" nocase
        $rtf_obj_2 = "\\objdata" nocase
        $rtf_obj_3 = "\\objocx" nocase
        $rtf_obj_4 = "\\objclass" nocase
        $rtf_obj_5 = "\\oleclsid" nocase
        // 'Microsoft Word Picture (Word.Picture.8)'
        $clsid_text = "00020907-0000-0000-C000-000000000046" nocase ascii
        // same CLSID with Data1/Data2/Data3 byte-swapped (little-endian)
        $clsid_hex = "0709020000000000C000000000000046" nocase ascii
    condition:
        filesize < 15MB
        and uint8(0) == 0x7B and uint8(1) == 0x5C // "{\" at offset 0
        and any of ($rtf_obj_*)
        and any of ($clsid_*)
}
// OLE Package Object (first of several CLSIDs for it): RTF that carries embedded-object
// control words plus this CLSID, either as dashed GUID text or as the byte-swapped hex stream form.
rule Methodology_RTFEngine_OLE_CLSID_OLEPackageObject_1
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        // control words that indicate embedded / OLE content in the RTF
        $rtf_obj_1 = "\\object" nocase
        $rtf_obj_2 = "\\objdata" nocase
        $rtf_obj_3 = "\\objocx" nocase
        $rtf_obj_4 = "\\objclass" nocase
        $rtf_obj_5 = "\\oleclsid" nocase
        // 'OLE Package Object (may contain and run any file)'
        $clsid_text = "00020C01-0000-0000-C000-000000000046" nocase ascii
        // same CLSID with Data1/Data2/Data3 byte-swapped (little-endian)
        $clsid_hex = "010c020000000000C000000000000046" nocase ascii
    condition:
        filesize < 15MB
        and uint8(0) == 0x7B and uint8(1) == 0x5C // "{\" at offset 0
        and any of ($rtf_obj_*)
        and any of ($clsid_*)
}
// Windows LNK shortcut CLSID: RTF that carries embedded-object control words plus this CLSID,
// either as dashed GUID text or as the byte-swapped hex stream form.
// ref: https://github.com/libyal/liblnk/blob/master/documentation/Windows%20Shortcut%20File%20(LNK)%20format.asciidoc
rule Methodology_RTFEngine_OLE_CLSID_WindowsLNKShortcutFile
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        // control words that indicate embedded / OLE content in the RTF
        $rtf_obj_1 = "\\object" nocase
        $rtf_obj_2 = "\\objdata" nocase
        $rtf_obj_3 = "\\objocx" nocase
        $rtf_obj_4 = "\\objclass" nocase
        $rtf_obj_5 = "\\oleclsid" nocase
        // 'Windows LNK Shortcut file'
        $clsid_text = "00021401-0000-0000-C000-000000000046" nocase ascii
        // same CLSID with Data1/Data2/Data3 byte-swapped (little-endian)
        $clsid_hex = "0114020000000000C000000000000046" nocase ascii
    condition:
        filesize < 15MB
        and uint8(0) == 0x7B and uint8(1) == 0x5C // "{\" at offset 0
        and any of ($rtf_obj_*)
        and any of ($clsid_*)
}
// Microsoft Equation 2.0: RTF that carries embedded-object control words plus this CLSID,
// either as dashed GUID text or as the byte-swapped hex stream form.
rule Methodology_RTFEngine_OLE_CLSID_MicrosoftEquation2
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        // control words that indicate embedded / OLE content in the RTF
        $rtf_obj_1 = "\\object" nocase
        $rtf_obj_2 = "\\objdata" nocase
        $rtf_obj_3 = "\\objocx" nocase
        $rtf_obj_4 = "\\objclass" nocase
        $rtf_obj_5 = "\\oleclsid" nocase
        // 'Microsoft Equation 2.0 (Known Related to CVE-2017-11882 or CVE-2018-0802)'
        $clsid_text = "00021700-0000-0000-C000-000000000046" nocase ascii
        // same CLSID with Data1/Data2/Data3 byte-swapped (little-endian)
        $clsid_hex = "0017020000000000C000000000000046" nocase ascii
    condition:
        filesize < 15MB
        and uint8(0) == 0x7B and uint8(1) == 0x5C // "{\" at offset 0
        and any of ($rtf_obj_*)
        and any of ($clsid_*)
}
// OLE Package Object (second CLSID): RTF that carries embedded-object control words plus this CLSID,
// either as dashed GUID text or as the byte-swapped hex stream form.
rule Methodology_RTFEngine_OLE_CLSID_OLEPackageObject_2
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        // control words that indicate embedded / OLE content in the RTF
        $rtf_obj_1 = "\\object" nocase
        $rtf_obj_2 = "\\objdata" nocase
        $rtf_obj_3 = "\\objocx" nocase
        $rtf_obj_4 = "\\objclass" nocase
        $rtf_obj_5 = "\\oleclsid" nocase
        // 'OLE Package Object (may contain and run any file)'
        $clsid_text = "00022601-0000-0000-C000-000000000046" nocase ascii
        // same CLSID with Data1/Data2/Data3 byte-swapped (little-endian)
        $clsid_hex = "0126020000000000C000000000000046" nocase ascii
    condition:
        filesize < 15MB
        and uint8(0) == 0x7B and uint8(1) == 0x5C // "{\" at offset 0
        and any of ($rtf_obj_*)
        and any of ($clsid_*)
}
// OLE Package Object (third CLSID): RTF that carries embedded-object control words plus this CLSID,
// either as dashed GUID text or as the byte-swapped hex stream form.
rule Methodology_RTFEngine_OLE_CLSID_OLEPackageObject_3
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        // control words that indicate embedded / OLE content in the RTF
        $rtf_obj_1 = "\\object" nocase
        $rtf_obj_2 = "\\objdata" nocase
        $rtf_obj_3 = "\\objocx" nocase
        $rtf_obj_4 = "\\objclass" nocase
        $rtf_obj_5 = "\\oleclsid" nocase
        // 'OLE Package Object (may contain and run any file)'
        $clsid_text = "00022602-0000-0000-C000-000000000046" nocase ascii
        // same CLSID with Data1/Data2/Data3 byte-swapped (little-endian)
        $clsid_hex = "0226020000000000C000000000000046" nocase ascii
    condition:
        filesize < 15MB
        and uint8(0) == 0x7B and uint8(1) == 0x5C // "{\" at offset 0
        and any of ($rtf_obj_*)
        and any of ($clsid_*)
}
// OLE Package Object (fourth CLSID): RTF that carries embedded-object control words plus this CLSID,
// either as dashed GUID text or as the byte-swapped hex stream form.
rule Methodology_RTFEngine_OLE_CLSID_OLEPackageObject_4
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        // control words that indicate embedded / OLE content in the RTF
        $rtf_obj_1 = "\\object" nocase
        $rtf_obj_2 = "\\objdata" nocase
        $rtf_obj_3 = "\\objocx" nocase
        $rtf_obj_4 = "\\objclass" nocase
        $rtf_obj_5 = "\\oleclsid" nocase
        // 'OLE Package Object (may contain and run any file)'
        $clsid_text = "00022603-0000-0000-C000-000000000046" nocase ascii
        // same CLSID with Data1/Data2/Data3 byte-swapped (little-endian)
        $clsid_hex = "0326020000000000C000000000000046" nocase ascii
    condition:
        filesize < 15MB
        and uint8(0) == 0x7B and uint8(1) == 0x5C // "{\" at offset 0
        and any of ($rtf_obj_*)
        and any of ($clsid_*)
}
// Microsoft Equation 3.0: RTF that carries embedded-object control words plus this CLSID,
// either as dashed GUID text or as the byte-swapped hex stream form.
rule Methodology_RTFEngine_OLE_CLSID_MicrosoftEquation3
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        // control words that indicate embedded / OLE content in the RTF
        $rtf_obj_1 = "\\object" nocase
        $rtf_obj_2 = "\\objdata" nocase
        $rtf_obj_3 = "\\objocx" nocase
        $rtf_obj_4 = "\\objclass" nocase
        $rtf_obj_5 = "\\oleclsid" nocase
        // 'Microsoft Equation 3.0 (Known Related to CVE-2017-11882 or CVE-2018-0802)'
        $clsid_text = "0002CE02-0000-0000-C000-000000000046" nocase ascii
        // same CLSID with Data1/Data2/Data3 byte-swapped (little-endian)
        $clsid_hex = "02ce020000000000C000000000000046" nocase ascii
    condition:
        filesize < 15MB
        and uint8(0) == 0x7B and uint8(1) == 0x5C // "{\" at offset 0
        and any of ($rtf_obj_*)
        and any of ($clsid_*)
}
// MathType Equation Object: RTF that carries embedded-object control words plus this CLSID,
// either as dashed GUID text or as the byte-swapped hex stream form.
rule Methodology_RTFEngine_OLE_CLSID_MathTypeEquationObject
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        // control words that indicate embedded / OLE content in the RTF
        $rtf_obj_1 = "\\object" nocase
        $rtf_obj_2 = "\\objdata" nocase
        $rtf_obj_3 = "\\objocx" nocase
        $rtf_obj_4 = "\\objclass" nocase
        $rtf_obj_5 = "\\oleclsid" nocase
        // 'MathType Equation Object'
        $clsid_text = "0002CE03-0000-0000-C000-000000000046" nocase ascii
        // same CLSID with Data1/Data2/Data3 byte-swapped (little-endian)
        $clsid_hex = "03ce020000000000C000000000000046" nocase ascii
    condition:
        filesize < 15MB
        and uint8(0) == 0x7B and uint8(1) == 0x5C // "{\" at offset 0
        and any of ($rtf_obj_*)
        and any of ($clsid_*)
}
// Microsoft Equation (alternate CLSID): RTF that carries embedded-object control words plus this CLSID,
// either as dashed GUID text or as the byte-swapped hex stream form.
rule Methodology_RTFEngine_OLE_CLSID_MicrosoftEquation_Alt
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        // control words that indicate embedded / OLE content in the RTF
        $rtf_obj_1 = "\\object" nocase
        $rtf_obj_2 = "\\objdata" nocase
        $rtf_obj_3 = "\\objocx" nocase
        $rtf_obj_4 = "\\objclass" nocase
        $rtf_obj_5 = "\\oleclsid" nocase
        // 'Microsoft Equation (Known Related to CVE-2017-11882 or CVE-2018-0802)'
        $clsid_text = "0003000B-0000-0000-C000-000000000046" nocase ascii
        // same CLSID with Data1/Data2/Data3 byte-swapped (little-endian)
        $clsid_hex = "0b00030000000000C000000000000046" nocase ascii
    condition:
        filesize < 15MB
        and uint8(0) == 0x7B and uint8(1) == 0x5C // "{\" at offset 0
        and any of ($rtf_obj_*)
        and any of ($clsid_*)
}
// OLE Package Object (fifth CLSID): RTF that carries embedded-object control words plus this CLSID,
// either as dashed GUID text or as the byte-swapped hex stream form.
rule Methodology_RTFEngine_OLE_CLSID_OLEPackageObject_5
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        // control words that indicate embedded / OLE content in the RTF
        $rtf_obj_1 = "\\object" nocase
        $rtf_obj_2 = "\\objdata" nocase
        $rtf_obj_3 = "\\objocx" nocase
        $rtf_obj_4 = "\\objclass" nocase
        $rtf_obj_5 = "\\oleclsid" nocase
        // 'OLE Package Object (may contain and run any file)'
        $clsid_text = "0003000C-0000-0000-C000-000000000046" nocase ascii
        // same CLSID with Data1/Data2/Data3 byte-swapped (little-endian)
        $clsid_hex = "0c00030000000000C000000000000046" nocase ascii
    condition:
        filesize < 15MB
        and uint8(0) == 0x7B and uint8(1) == 0x5C // "{\" at offset 0
        and any of ($rtf_obj_*)
        and any of ($clsid_*)
}
// OLE Package Object (sixth CLSID): RTF that carries embedded-object control words plus this CLSID,
// either as dashed GUID text or as the byte-swapped hex stream form.
rule Methodology_RTFEngine_OLE_CLSID_OLEPackage_6
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        // control words that indicate embedded / OLE content in the RTF
        $rtf_obj_1 = "\\object" nocase
        $rtf_obj_2 = "\\objdata" nocase
        $rtf_obj_3 = "\\objocx" nocase
        $rtf_obj_4 = "\\objclass" nocase
        $rtf_obj_5 = "\\oleclsid" nocase
        // 'OLE Package Object (may contain and run any file)'
        $clsid_text = "0003000D-0000-0000-C000-000000000046" nocase ascii
        // same CLSID with Data1/Data2/Data3 byte-swapped (little-endian)
        $clsid_hex = "0d00030000000000C000000000000046" nocase ascii
    condition:
        filesize < 15MB
        and uint8(0) == 0x7B and uint8(1) == 0x5C // "{\" at offset 0
        and any of ($rtf_obj_*)
        and any of ($clsid_*)
}
// OLE Package Object (seventh CLSID): RTF that carries embedded-object control words plus this CLSID,
// either as dashed GUID text or as the byte-swapped hex stream form.
rule Methodology_RTFEngine_OLE_CLSID_OLEPackage_7
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        // control words that indicate embedded / OLE content in the RTF
        $rtf_obj_1 = "\\object" nocase
        $rtf_obj_2 = "\\objdata" nocase
        $rtf_obj_3 = "\\objocx" nocase
        $rtf_obj_4 = "\\objclass" nocase
        $rtf_obj_5 = "\\oleclsid" nocase
        // 'OLE Package Object (may contain and run any file)'
        $clsid_text = "0003000E-0000-0000-C000-000000000046" nocase ascii
        // same CLSID with Data1/Data2/Data3 byte-swapped (little-endian)
        $clsid_hex = "0e00030000000000C000000000000046" nocase ascii
    condition:
        filesize < 15MB
        and uint8(0) == 0x7B and uint8(1) == 0x5C // "{\" at offset 0
        and any of ($rtf_obj_*)
        and any of ($clsid_*)
}
// Microsoft Equation 2.0 (alternate CLSID): RTF that carries embedded-object control words plus this CLSID,
// either as dashed GUID text or as the byte-swapped hex stream form.
// TODO (from the source list): this CLSID attribution is still to be confirmed.
rule Methodology_RTFEngine_OLE_CLSID_MicrosoftEquation2_Alt
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        // control words that indicate embedded / OLE content in the RTF
        $rtf_obj_1 = "\\object" nocase
        $rtf_obj_2 = "\\objdata" nocase
        $rtf_obj_3 = "\\objocx" nocase
        $rtf_obj_4 = "\\objclass" nocase
        $rtf_obj_5 = "\\oleclsid" nocase
        // 'Microsoft Equation 2.0 (Known Related to CVE-2017-11882 or CVE-2018-0802)'
        $clsid_text = "0004A6B0-0000-0000-C000-000000000046" nocase ascii
        // same CLSID with Data1/Data2/Data3 byte-swapped (little-endian)
        $clsid_hex = "b0a6040000000000C000000000000046" nocase ascii
    condition:
        filesize < 15MB
        and uint8(0) == 0x7B and uint8(1) == 0x5C // "{\" at offset 0
        and any of ($rtf_obj_*)
        and any of ($clsid_*)
}
// PowerPoint.Slide.12: RTF that carries embedded-object control words plus this CLSID,
// either as dashed GUID text or as the byte-swapped hex stream form.
rule Methodology_RTFEngine_OLE_CLSID_PowerPointSlide12
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        // control words that indicate embedded / OLE content in the RTF
        $rtf_obj_1 = "\\object" nocase
        $rtf_obj_2 = "\\objdata" nocase
        $rtf_obj_3 = "\\objocx" nocase
        $rtf_obj_4 = "\\objclass" nocase
        $rtf_obj_5 = "\\oleclsid" nocase
        // 'Microsoft Powerpoint.Slide.12'
        $clsid_text = "048EB43E-2059-422F-95E0-557DA96038AF" nocase ascii
        // same CLSID with Data1/Data2/Data3 byte-swapped (little-endian)
        $clsid_hex = "3eb48e0459202f4295E0557DA96038AF" nocase ascii
    condition:
        filesize < 15MB
        and uint8(0) == 0x7B and uint8(1) == 0x5C // "{\" at offset 0
        and any of ($rtf_obj_*)
        and any of ($clsid_*)
}
// otkloadr.WRLoader: RTF that carries embedded-object control words plus this CLSID,
// either as dashed GUID text or as the byte-swapped hex stream form.
rule Methodology_RTFEngine_OLE_CLSID_otkloadrwrloader
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        // control words that indicate embedded / OLE content in the RTF
        $rtf_obj_1 = "\\object" nocase
        $rtf_obj_2 = "\\objdata" nocase
        $rtf_obj_3 = "\\objocx" nocase
        $rtf_obj_4 = "\\objclass" nocase
        $rtf_obj_5 = "\\oleclsid" nocase
        // 'otkloadr.WRLoader (can be used to bypass ASLR after triggering an exploit)'
        $clsid_text = "05741520-C4EB-440A-AC3F-9643BBC9F847" nocase ascii
        // same CLSID with Data1/Data2/Data3 byte-swapped (little-endian)
        $clsid_hex = "20157405ebc40a44AC3F9643BBC9F847" nocase ascii
    condition:
        filesize < 15MB
        and uint8(0) == 0x7B and uint8(1) == 0x5C // "{\" at offset 0
        and any of ($rtf_obj_*)
        and any of ($clsid_*)
}
// Factory bindable via IPersistMoniker: RTF that carries embedded-object control words plus this CLSID,
// either as dashed GUID text or as the byte-swapped hex stream form.
rule Methodology_RTFEngine_OLE_CLSID_FactorybinderIpersistMoniker
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        // control words that indicate embedded / OLE content in the RTF
        $rtf_obj_1 = "\\object" nocase
        $rtf_obj_2 = "\\objdata" nocase
        $rtf_obj_3 = "\\objocx" nocase
        $rtf_obj_4 = "\\objclass" nocase
        $rtf_obj_5 = "\\oleclsid" nocase
        // 'Factory bindable using IPersistMoniker (scripletfile)'
        $clsid_text = "06290BD2-48AA-11D2-8432-006008C3FBFC" nocase ascii
        // same CLSID with Data1/Data2/Data3 byte-swapped (little-endian)
        $clsid_hex = "d20b2906aa48d2118432006008C3FBFC" nocase ascii
    condition:
        filesize < 15MB
        and uint8(0) == 0x7B and uint8(1) == 0x5C // "{\" at offset 0
        and any of ($rtf_obj_*)
        and any of ($clsid_*)
}
// Script Moniker: RTF that carries embedded-object control words plus this CLSID,
// either as dashed GUID text or as the byte-swapped hex stream form.
rule Methodology_RTFEngine_OLE_CLSID_ScriptMoniker
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        // control words that indicate embedded / OLE content in the RTF
        $rtf_obj_1 = "\\object" nocase
        $rtf_obj_2 = "\\objdata" nocase
        $rtf_obj_3 = "\\objocx" nocase
        $rtf_obj_4 = "\\objclass" nocase
        $rtf_obj_5 = "\\oleclsid" nocase
        // 'Script Moniker, aka Moniker to a Windows Script Component (may trigger CVE-2017-0199)'
        $clsid_text = "06290BD3-48AA-11D2-8432-006008C3FBFC" nocase ascii
        // same CLSID with Data1/Data2/Data3 byte-swapped (little-endian)
        $clsid_hex = "d30b2906aa48d2118432006008C3FBFC" nocase ascii
    condition:
        filesize < 15MB
        and uint8(0) == 0x7B and uint8(1) == 0x5C // "{\" at offset 0
        and any of ($rtf_obj_*)
        and any of ($clsid_*)
}
// scrrun.dll HTML.HostEncode: RTF that carries embedded-object control words plus this CLSID,
// either as dashed GUID text or as the byte-swapped hex stream form.
rule Methodology_RTFEngine_OLE_CLSID_scrrundllhtmlfile
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        // control words that indicate embedded / OLE content in the RTF
        $rtf_obj_1 = "\\object" nocase
        $rtf_obj_2 = "\\objdata" nocase
        $rtf_obj_3 = "\\objocx" nocase
        $rtf_obj_4 = "\\objclass" nocase
        $rtf_obj_5 = "\\oleclsid" nocase
        // 'scrrun.dll - HTML File Host Encode Object (ProgID: HTML.HostEncode)'
        $clsid_text = "0CF774D0-F077-11D1-B1BC-00C04F86C324" nocase ascii
        // same CLSID with Data1/Data2/Data3 byte-swapped (little-endian)
        $clsid_hex = "d074f70c77f0d111B1BC00C04F86C324" nocase ascii
    condition:
        filesize < 15MB
        and uint8(0) == 0x7B and uint8(1) == 0x5C // "{\" at offset 0
        and any of ($rtf_obj_*)
        and any of ($clsid_*)
}
// scrrun.dll Scripting.FileSystemObject: RTF that carries embedded-object control words plus this CLSID,
// either as dashed GUID text or as the byte-swapped hex stream form.
rule Methodology_RTFEngine_OLE_CLSID_scrundllfilesystem
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        // control words that indicate embedded / OLE content in the RTF
        $rtf_obj_1 = "\\object" nocase
        $rtf_obj_2 = "\\objdata" nocase
        $rtf_obj_3 = "\\objocx" nocase
        $rtf_obj_4 = "\\objclass" nocase
        $rtf_obj_5 = "\\oleclsid" nocase
        // 'scrrun.dll - FileSystem Object (ProgID: Scripting.FileSystemObject)'
        $clsid_text = "0D43FE01-F093-11CF-8940-00A0C9054228" nocase ascii
        // same CLSID with Data1/Data2/Data3 byte-swapped (little-endian)
        $clsid_hex = "01fe430d93f0cf11894000A0C9054228" nocase ascii
    condition:
        filesize < 15MB
        and uint8(0) == 0x7B and uint8(1) == 0x5C // "{\" at offset 0
        and any of ($rtf_obj_*)
        and any of ($clsid_*)
}
// MSScriptControl.ScriptControl: RTF that carries embedded-object control words plus this CLSID,
// either as dashed GUID text or as the byte-swapped hex stream form.
rule Methodology_RTFEngine_OLE_CLSID_MSScriptControlScriptControl
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        // control words that indicate embedded / OLE content in the RTF
        $rtf_obj_1 = "\\object" nocase
        $rtf_obj_2 = "\\objdata" nocase
        $rtf_obj_3 = "\\objocx" nocase
        $rtf_obj_4 = "\\objclass" nocase
        $rtf_obj_5 = "\\oleclsid" nocase
        // 'MSScriptControl.ScriptControl (may trigger CVE-2015-0097)'
        $clsid_text = "0E59F1D5-1FBE-11D0-8FF2-00A0D10038BC" nocase ascii
        // same CLSID with Data1/Data2/Data3 byte-swapped (little-endian)
        $clsid_hex = "d5f1590ebe1fd0118FF200A0D10038BC" nocase ascii
    condition:
        filesize < 15MB
        and uint8(0) == 0x7B and uint8(1) == 0x5C // "{\" at offset 0
        and any of ($rtf_obj_*)
        and any of ($clsid_*)
}
// BCSAddin.Connect: RTF that carries embedded-object control words plus this CLSID,
// either as dashed GUID text or as the byte-swapped hex stream form.
rule Methodology_RTFEngine_OLE_CLSID_BCSAddinConnect
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        // control words that indicate embedded / OLE content in the RTF
        $rtf_obj_1 = "\\object" nocase
        $rtf_obj_2 = "\\objdata" nocase
        $rtf_obj_3 = "\\objocx" nocase
        $rtf_obj_4 = "\\objclass" nocase
        $rtf_obj_5 = "\\oleclsid" nocase
        // 'BCSAddin.Connect (potential exploit CVE-2016-0042 / MS16-014)'
        $clsid_text = "1461A561-24E8-4BA3-8D4A-FFEEF980556B" nocase ascii
        // same CLSID with Data1/Data2/Data3 byte-swapped (little-endian)
        $clsid_hex = "61a56114e824a34b8D4AFFEEF980556B" nocase ascii
    condition:
        filesize < 15MB
        and uint8(0) == 0x7B and uint8(1) == 0x5C // "{\" at offset 0
        and any of ($rtf_obj_*)
        and any of ($clsid_*)
}
// WUAEXT.DLL loader CLSID: RTF that carries embedded-object control words plus this CLSID,
// either as dashed GUID text or as the byte-swapped hex stream form.
rule Methodology_RTFEngine_OLE_CLSID_WUAEXTDLL
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        // control words that indicate embedded / OLE content in the RTF
        $rtf_obj_1 = "\\object" nocase
        $rtf_obj_2 = "\\objdata" nocase
        $rtf_obj_3 = "\\objocx" nocase
        $rtf_obj_4 = "\\objclass" nocase
        $rtf_obj_5 = "\\oleclsid" nocase
        // 'Loads WUAEXT.DLL (Known Related to CVE-2015-6128)'
        $clsid_text = "14CE31DC-ABC2-484C-B061-CF3416AED8FF" nocase ascii
        // same CLSID with Data1/Data2/Data3 byte-swapped (little-endian)
        $clsid_hex = "dc31ce14c2ab4c48B061CF3416AED8FF" nocase ascii
    condition:
        filesize < 15MB
        and uint8(0) == 0x7B and uint8(1) == 0x5C // "{\" at offset 0
        and any of ($rtf_obj_*)
        and any of ($clsid_*)
}
// Word.DocumentMacroEnabled.12: RTF that carries embedded-object control words plus this CLSID,
// either as dashed GUID text or as the byte-swapped hex stream form.
rule Methodology_RTFEngine_OLE_CLSID_WordDocumentMacroEnabled12
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        // control words that indicate embedded / OLE content in the RTF
        $rtf_obj_1 = "\\object" nocase
        $rtf_obj_2 = "\\objdata" nocase
        $rtf_obj_3 = "\\objocx" nocase
        $rtf_obj_4 = "\\objclass" nocase
        $rtf_obj_5 = "\\oleclsid" nocase
        // 'Word.DocumentMacroEnabled.12 (DOCM)'
        $clsid_text = "18A06B6B-2F3F-4E2B-A611-52BE631B2D22" nocase ascii
        // same CLSID with Data1/Data2/Data3 byte-swapped (little-endian)
        $clsid_hex = "6b6ba0183f2f2b4eA61152BE631B2D22" nocase ascii
    condition:
        filesize < 15MB
        and uint8(0) == 0x7B and uint8(1) == 0x5C // "{\" at offset 0
        and any of ($rtf_obj_*)
        and any of ($clsid_*)
}
// UPnP.DescriptionDocument: RTF that carries embedded-object control words plus this CLSID,
// either as dashed GUID text or as the byte-swapped hex stream form.
rule Methodology_RTFEngine_OLE_CLSID_UPnPDescriptionDocument
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        // control words that indicate embedded / OLE content in the RTF
        $rtf_obj_1 = "\\object" nocase
        $rtf_obj_2 = "\\objdata" nocase
        $rtf_obj_3 = "\\objocx" nocase
        $rtf_obj_4 = "\\objclass" nocase
        $rtf_obj_5 = "\\oleclsid" nocase
        // 'UPnP.DescriptionDocument'
        $clsid_text = "1D8A9B47-3A28-4CE2-8A4B-BD34E45BCEEB" nocase ascii
        // same CLSID with Data1/Data2/Data3 byte-swapped (little-endian)
        $clsid_hex = "479b8a1d283ae24c8A4BBD34E45BCEEB" nocase ascii
    condition:
        filesize < 15MB
        and uint8(0) == 0x7B and uint8(1) == 0x5C // "{\" at offset 0
        and any of ($rtf_obj_*)
        and any of ($clsid_*)
}
// MSCOMCTL.TabStrip: RTF that carries embedded-object control words plus this CLSID,
// either as dashed GUID text or as the byte-swapped hex stream form.
rule Methodology_RTFEngine_OLE_CLSID_MSCOMCTLTabStrip
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        // control words that indicate embedded / OLE content in the RTF
        $rtf_obj_1 = "\\object" nocase
        $rtf_obj_2 = "\\objdata" nocase
        $rtf_obj_3 = "\\objocx" nocase
        $rtf_obj_4 = "\\objclass" nocase
        $rtf_obj_5 = "\\oleclsid" nocase
        // 'MSCOMCTL.TabStrip (may trigger CVE-2012-1856, CVE-2013-3906 - often used for heap spray)'
        $clsid_text = "1EFB6596-857C-11D1-B16A-00C0F0283628" nocase ascii
        // same CLSID with Data1/Data2/Data3 byte-swapped (little-endian)
        $clsid_hex = "9665fb1e7c85d111B16A00C0F0283628" nocase ascii
    condition:
        filesize < 15MB
        and uint8(0) == 0x7B and uint8(1) == 0x5C // "{\" at offset 0
        and any of ($rtf_obj_*)
        and any of ($clsid_*)
}
// Shockwave Control Objects embedded as an OLE object in an RTF.
// CLSID 233C1507-6A77-46A4-9443-F871F945D258; the hex string is the byte-swapped
// (little-endian) form of the same CLSID as it appears in hex-encoded \objdata.
// Hex broken up by whitespace or control words will not match the contiguous string.
rule Methodology_RTFEngine_OLE_CLSID_ShockwaveControlObjects
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        $clsid_hex46 = "07153c23776aa4469443F871F945D258" ascii nocase
        $clsid_a47 = "233C1507-6A77-46A4-9443-F871F945D258" ascii nocase
        // RTF control words that introduce embedded OLE content
        $embedded_oleclass = "\\oleclsid" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_object = "\\object" nocase
    condition:
        uint16(0) == 0x5C7B        // "{\" at offset 0
        and filesize < 15MB
        and any of ($embedded*)
        and any of ($clsid*)
}
// UmOutlookAddin.UmEvmCtrl embedded as an OLE object in an RTF (potential exploit
// document, CVE-2016-0042 / MS16-014). CLSID 23CE100B-1390-49D6-BA00-F17D3AEE149C;
// the hex string is the byte-swapped (little-endian) form as found in hex-encoded \objdata.
// Referenced in https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=652438
rule Methodology_RTFEngine_OLE_CLSID_UmOutlookAddinUmEvmCtrl
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        $clsid_hex47 = "0b10ce239013d649BA00F17D3AEE149C" ascii nocase
        $clsid_a48 = "23CE100B-1390-49D6-BA00-F17D3AEE149C" ascii nocase
        // RTF control words that introduce embedded OLE content
        $embedded_oleclass = "\\oleclsid" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_object = "\\object" nocase
    condition:
        uint16(0) == 0x5C7B        // "{\" at offset 0
        and filesize < 15MB
        and any of ($embedded*)
        and any of ($clsid*)
}
// IBM/Lotus Notes COM interface (NLSXBE.DLL, related to CVE-2021-27058) embedded as
// an OLE object in an RTF. CLSID 29131539-2EED-1069-BF5D-00DD011186B7; the hex string
// is the byte-swapped (little-endian) form as found in hex-encoded \objdata.
// Hex broken up by whitespace or control words will not match the contiguous string.
rule Methodology_RTFEngine_OLE_CLSID_IBMLotusNotes
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        $clsid_hex48 = "39151329ed2e6910BF5D00DD011186B7" ascii nocase
        $clsid_a49 = "29131539-2EED-1069-BF5D-00DD011186B7" ascii nocase
        // RTF control words that introduce embedded OLE content
        $embedded_oleclass = "\\oleclsid" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_object = "\\object" nocase
    condition:
        uint16(0) == 0x5C7B        // "{\" at offset 0
        and filesize < 15MB
        and any of ($embedded*)
        and any of ($clsid*)
}
// SSCE DropTable Listener Object embedded as an OLE object in an RTF (noted as usable
// to bypass ASLR after an exploit triggers). CLSID 3018609E-CDBC-47E8-A255-809D46BAA319;
// the hex string is the byte-swapped (little-endian) form as found in hex-encoded \objdata.
// Hex broken up by whitespace or control words will not match the contiguous string.
rule Methodology_RTFEngine_OLE_CLSID_SCEDropTableListenerObject
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        $clsid_hex49 = "9e601830bccde847A255809D46BAA319" ascii nocase
        $clsid_a50 = "3018609E-CDBC-47E8-A255-809D46BAA319" ascii nocase
        // RTF control words that introduce embedded OLE content
        $embedded_oleclass = "\\oleclsid" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_object = "\\object" nocase
    condition:
        uint16(0) == 0x5C7B        // "{\" at offset 0
        and filesize < 15MB
        and any of ($embedded*)
        and any of ($clsid*)
}
// HTML Application embedded as an OLE object in an RTF (may trigger CVE-2017-0199).
// CLSID 3050F4D8-98B5-11CF-BB82-00AA00BDCE0B; the hex string is the byte-swapped
// (little-endian) form of the same CLSID as it appears in hex-encoded \objdata.
// Hex broken up by whitespace or control words will not match the contiguous string.
rule Methodology_RTFEngine_OLE_CLSID_HTMLApplication
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        $clsid_hex50 = "d8f45030b598cf11BB8200AA00BDCE0B" ascii nocase
        $clsid_a51 = "3050F4D8-98B5-11CF-BB82-00AA00BDCE0B" ascii nocase
        // RTF control words that introduce embedded OLE content
        $embedded_oleclass = "\\oleclsid" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_object = "\\object" nocase
    condition:
        uint16(0) == 0x5C7B        // "{\" at offset 0
        and filesize < 15MB
        and any of ($embedded*)
        and any of ($clsid*)
}
// osf.SandboxManager embedded as an OLE object in an RTF (known related to CVE-2015-1770).
// CLSID 33BD73C2-7BB4-48F4-8DBC-82B8B313AE16; the hex string is the byte-swapped
// (little-endian) form of the same CLSID as it appears in hex-encoded \objdata.
// Hex broken up by whitespace or control words will not match the contiguous string.
rule Methodology_RTFEngine_OLE_CLSID_osfSandboxManager
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        $clsid_hex51 = "c273bd33b47bf4488DBC82B8B313AE16" ascii nocase
        $clsid_a52 = "33BD73C2-7BB4-48F4-8DBC-82B8B313AE16" ascii nocase
        // RTF control words that introduce embedded OLE content
        $embedded_oleclass = "\\oleclsid" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_object = "\\object" nocase
    condition:
        uint16(0) == 0x5C7B        // "{\" at offset 0
        and filesize < 15MB
        and any of ($embedded*)
        and any of ($clsid*)
}
// UPnP.DescriptionDocumentEx embedded as an OLE object in an RTF.
// CLSID 33FD0563-D81A-4393-83CC-0195B1DA2F91; the hex string is the byte-swapped
// (little-endian) form of the same CLSID as it appears in hex-encoded \objdata.
// Hex broken up by whitespace or control words will not match the contiguous string.
rule Methodology_RTFEngine_OLE_CLSID_UPnPDescriptionDocumentEx
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        $clsid_hex52 = "6305fd331ad8934383CC0195B1DA2F91" ascii nocase
        $clsid_a53 = "33FD0563-D81A-4393-83CC-0195B1DA2F91" ascii nocase
        // RTF control words that introduce embedded OLE content
        $embedded_oleclass = "\\oleclsid" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_object = "\\object" nocase
    condition:
        uint16(0) == 0x5C7B        // "{\" at offset 0
        and filesize < 15MB
        and any of ($embedded*)
        and any of ($clsid*)
}
// OLE object whose CLSID loads ELSEXT.DLL (known related to CVE-2015-6128), embedded in
// an RTF. CLSID 394C052E-B830-11D0-9A86-00C04FD8DBF7; the hex string is the byte-swapped
// (little-endian) form of the same CLSID as it appears in hex-encoded \objdata.
// Hex broken up by whitespace or control words will not match the contiguous string.
rule Methodology_RTFEngine_OLE_CLSID_ELSEXTDLL_1
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        $clsid_hex53 = "2e054c3930b8d0119A8600C04FD8DBF7" ascii nocase
        $clsid_a54 = "394C052E-B830-11D0-9A86-00C04FD8DBF7" ascii nocase
        // RTF control words that introduce embedded OLE content
        $embedded_oleclass = "\\oleclsid" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_object = "\\object" nocase
    condition:
        uint16(0) == 0x5C7B        // "{\" at offset 0
        and filesize < 15MB
        and any of ($embedded*)
        and any of ($clsid*)
}
// osf.SandboxContent embedded as an OLE object in an RTF (known related to CVE-2015-1770).
// CLSID 3BA59FA5-41BF-4820-98E4-04645A806698; the hex string is the byte-swapped
// (little-endian) form of the same CLSID as it appears in hex-encoded \objdata.
// Note: the rule name lacks the "_CLSID_" segment used by its siblings; kept as-is so
// that existing references to the rule name keep working.
rule Methodology_RTFEngine_OLE_osfSandboxContent_2
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        $clsid_hex54 = "a59fa53bbf41204898E404645A806698" ascii nocase
        $clsid_a55 = "3BA59FA5-41BF-4820-98E4-04645A806698" ascii nocase
        // RTF control words that introduce embedded OLE content
        $embedded_oleclass = "\\oleclsid" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_object = "\\object" nocase
    condition:
        uint16(0) == 0x5C7B        // "{\" at offset 0
        and filesize < 15MB
        and any of ($embedded*)
        and any of ($clsid*)
}
// Search.XmlContentFilter embedded as an OLE object in an RTF (upstream list flags it as a
// potential exploit document; no CVE recorded). CLSID 41B9BE05-B3AF-460C-BF0B-2CDD44A093B1;
// the hex string is the byte-swapped (little-endian) form as found in hex-encoded \objdata.
// Hex broken up by whitespace or control words will not match the contiguous string.
rule Methodology_RTFEngine_OLE_CLSID_SearchXmlContentFilter
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        $clsid_hex55 = "05beb941afb30c46BF0B2CDD44A093B1" ascii nocase
        $clsid_a56 = "41B9BE05-B3AF-460C-BF0B-2CDD44A093B1" ascii nocase
        // RTF control words that introduce embedded OLE content
        $embedded_oleclass = "\\oleclsid" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_object = "\\object" nocase
    condition:
        uint16(0) == 0x5C7B        // "{\" at offset 0
        and filesize < 15MB
        and any of ($embedded*)
        and any of ($clsid*)
}
// Device Moniker embedded as an OLE object in an RTF (known related to CVE-2016-0015).
// CLSID 4315D437-5B8C-11D0-BD3B-00A0C911CE86; the hex string is the byte-swapped
// (little-endian) form of the same CLSID as it appears in hex-encoded \objdata.
// Hex broken up by whitespace or control words will not match the contiguous string.
rule Methodology_RTFEngine_OLE_CLSID_DeviceMoniker
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        $clsid_hex56 = "37d415438c5bd011BD3B00A0C911CE86" ascii nocase
        $clsid_a57 = "4315D437-5B8C-11D0-BD3B-00A0C911CE86" ascii nocase
        // RTF control words that introduce embedded OLE content
        $embedded_oleclass = "\\oleclsid" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_object = "\\object" nocase
    condition:
        uint16(0) == 0x5C7B        // "{\" at offset 0
        and filesize < 15MB
        and any of ($embedded*)
        and any of ($clsid*)
}
// Control.TaskSymbol embedded as an OLE object in an RTF (known related to CVE-2015-1642
// and CVE-2015-2424). CLSID 44F9A03B-A3EC-4F3B-9364-08E0007F21DF; the hex string is the
// byte-swapped (little-endian) form of the same CLSID as it appears in hex-encoded \objdata.
// Hex broken up by whitespace or control words will not match the contiguous string.
rule Methodology_RTFEngine_OLE_CLSID_ControlTaskSymbol
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        $clsid_hex57 = "3ba0f944eca33b4f936408E0007F21DF" ascii nocase
        $clsid_a58 = "44F9A03B-A3EC-4F3B-9364-08E0007F21DF" ascii nocase
        // RTF control words that introduce embedded OLE content
        $embedded_oleclass = "\\oleclsid" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_object = "\\object" nocase
    condition:
        uint16(0) == 0x5C7B        // "{\" at offset 0
        and filesize < 15MB
        and any of ($embedded*)
        and any of ($clsid*)
}
// Forms.MultiPage embedded as an OLE object in an RTF.
// CLSID 46E31370-3F7A-11CE-BED6-00AA00611080; the hex string is the byte-swapped
// (little-endian) form of the same CLSID as it appears in hex-encoded \objdata.
// Hex broken up by whitespace or control words will not match the contiguous string.
rule Methodology_RTFEngine_OLE_CLSID_FormsMultiPage
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        $clsid_hex58 = "7013e3467a3fce11BED600AA00611080" ascii nocase
        $clsid_a59 = "46E31370-3F7A-11CE-BED6-00AA00611080" ascii nocase
        // RTF control words that introduce embedded OLE content
        $embedded_oleclass = "\\oleclsid" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_object = "\\object" nocase
    condition:
        uint16(0) == 0x5C7B        // "{\" at offset 0
        and filesize < 15MB
        and any of ($embedded*)
        and any of ($clsid*)
}
// Forms.Image embedded as an OLE object in an RTF (may trigger CVE-2015-2424).
// CLSID 4C599241-6926-101B-9992-00000B65C6F9; the hex string is the byte-swapped
// (little-endian) form of the same CLSID as it appears in hex-encoded \objdata.
// Hex broken up by whitespace or control words will not match the contiguous string.
rule Methodology_RTFEngine_OLE_CLSID_FormsImage
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        $clsid_hex59 = "4192594c26691b10999200000B65C6F9" ascii nocase
        $clsid_a60 = "4C599241-6926-101B-9992-00000B65C6F9" ascii nocase
        // RTF control words that introduce embedded OLE content
        $embedded_oleclass = "\\oleclsid" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_object = "\\object" nocase
    condition:
        uint16(0) == 0x5C7B        // "{\" at offset 0
        and filesize < 15MB
        and any of ($embedded*)
        and any of ($clsid*)
}
// AutoCAD 2000-2002 Document embedded as an OLE object in an RTF.
// CLSID 4D3263E4-CAB7-11D2-802A-0080C703929C; the hex string is the byte-swapped
// (little-endian) form of the same CLSID as it appears in hex-encoded \objdata.
// Hex broken up by whitespace or control words will not match the contiguous string.
rule Methodology_RTFEngine_OLE_CLSID_AutoCAD2002
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        $clsid_hex60 = "e463324db7cad211802A0080C703929C" ascii nocase
        $clsid_a61 = "4D3263E4-CAB7-11D2-802A-0080C703929C" ascii nocase
        // RTF control words that introduce embedded OLE content
        $embedded_oleclass = "\\oleclsid" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_object = "\\object" nocase
    condition:
        uint16(0) == 0x5C7B        // "{\" at offset 0
        and filesize < 15MB
        and any of ($embedded*)
        and any of ($clsid*)
}
// AutoCAD R14 Document embedded as an OLE object in an RTF.
// CLSID 5E4405B0-5374-11CE-8E71-0020AF04B1D7; the hex string is the byte-swapped
// (little-endian) form of the same CLSID as it appears in hex-encoded \objdata.
// Hex broken up by whitespace or control words will not match the contiguous string.
rule Methodology_RTFEngine_OLE_CLSID_AutoCADR14
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        $clsid_hex61 = "b005445e7453ce118E710020AF04B1D7" ascii nocase
        $clsid_a62 = "5E4405B0-5374-11CE-8E71-0020AF04B1D7" ascii nocase
        // RTF control words that introduce embedded OLE content
        $embedded_oleclass = "\\oleclsid" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_object = "\\object" nocase
    condition:
        uint16(0) == 0x5C7B        // "{\" at offset 0
        and filesize < 15MB
        and any of ($embedded*)
        and any of ($clsid*)
}
// Microsoft Powerpoint.Show.8 embedded as an OLE object in an RTF.
// CLSID 64818D10-4F9B-11CF-86EA-00AA00B929E8; the hex string is the byte-swapped
// (little-endian) form of the same CLSID as it appears in hex-encoded \objdata.
// Hex broken up by whitespace or control words will not match the contiguous string.
rule Methodology_RTFEngine_OLE_CLSID_PowerpointShow8
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        $clsid_hex62 = "108d81649b4fcf1186EA00AA00B929E8" ascii nocase
        $clsid_a63 = "64818D10-4F9B-11CF-86EA-00AA00B929E8" ascii nocase
        // RTF control words that introduce embedded OLE content
        $embedded_oleclass = "\\oleclsid" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_object = "\\object" nocase
    condition:
        uint16(0) == 0x5C7B        // "{\" at offset 0
        and filesize < 15MB
        and any of ($embedded*)
        and any of ($clsid*)
}
// Microsoft Powerpoint.Slide.8 embedded as an OLE object in an RTF.
// CLSID 64818D11-4F9B-11CF-86EA-00AA00B929E8; the hex string is the byte-swapped
// (little-endian) form of the same CLSID as it appears in hex-encoded \objdata.
// Hex broken up by whitespace or control words will not match the contiguous string.
rule Methodology_RTFEngine_OLE_CLSID_PowerpointSlide8
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        $clsid_hex63 = "118d81649b4fcf1186EA00AA00B929E8" ascii nocase
        $clsid_a64 = "64818D11-4F9B-11CF-86EA-00AA00B929E8" ascii nocase
        // RTF control words that introduce embedded OLE content
        $embedded_oleclass = "\\oleclsid" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_object = "\\object" nocase
    condition:
        uint16(0) == 0x5C7B        // "{\" at offset 0
        and filesize < 15MB
        and any of ($embedded*)
        and any of ($clsid*)
}
// MSCOMCTL.Toolbar embedded as an OLE object in an RTF (known related to CVE-2012-0158
// and CVE-2012-1856). CLSID 66833FE6-8583-11D1-B16A-00C0F0283628; the hex string is the
// byte-swapped (little-endian) form of the same CLSID as it appears in hex-encoded \objdata.
// Hex broken up by whitespace or control words will not match the contiguous string.
rule Methodology_RTFEngine_OLE_CLSID_MSCOMCTLToolbar
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        $clsid_hex64 = "e63f83668385d111B16A00C0F0283628" ascii nocase
        $clsid_a65 = "66833FE6-8583-11D1-B16A-00C0F0283628" ascii nocase
        // RTF control words that introduce embedded OLE content
        $embedded_oleclass = "\\oleclsid" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_object = "\\object" nocase
    condition:
        uint16(0) == 0x5C7B        // "{\" at offset 0
        and filesize < 15MB
        and any of ($embedded*)
        and any of ($clsid*)
}
// AutoCAD 2013 Document embedded as an OLE object in an RTF.
// CLSID 6A221957-2D85-42A7-8E19-BE33950D1DEB; the hex string is the byte-swapped
// (little-endian) form of the same CLSID as it appears in hex-encoded \objdata.
// Hex broken up by whitespace or control words will not match the contiguous string.
rule Methodology_RTFEngine_OLE_CLSID_AutoCAD2013
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        $clsid_hex65 = "5719226a852da7428E19BE33950D1DEB" ascii nocase
        $clsid_a66 = "6A221957-2D85-42A7-8E19-BE33950D1DEB" ascii nocase
        // RTF control words that introduce embedded OLE content
        $embedded_oleclass = "\\oleclsid" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_object = "\\object" nocase
    condition:
        uint16(0) == 0x5C7B        // "{\" at offset 0
        and filesize < 15MB
        and any of ($embedded*)
        and any of ($clsid*)
}
// BCSAddin.ManageSolutionHelper embedded as an OLE object in an RTF (potential exploit,
// CVE-2016-0042 / MS16-014). CLSID 6AD4AE40-2FF1-4D88-B27A-F76FC7B40440; the hex string is
// the byte-swapped (little-endian) form of the same CLSID as it appears in hex-encoded \objdata.
// Hex broken up by whitespace or control words will not match the contiguous string.
rule Methodology_RTFEngine_OLE_CLSID_BCSAddinManageSolutionHelper
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        $clsid_hex66 = "40aed46af12f884dB27AF76FC7B40440" ascii nocase
        $clsid_a67 = "6AD4AE40-2FF1-4D88-B27A-F76FC7B40440" ascii nocase
        // RTF control words that introduce embedded OLE content
        $embedded_oleclass = "\\oleclsid" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_object = "\\object" nocase
    condition:
        uint16(0) == 0x5C7B        // "{\" at offset 0
        and filesize < 15MB
        and any of ($embedded*)
        and any of ($clsid*)
}
// Forms.Frame embedded as an OLE object in an RTF.
// CLSID 6E182020-F460-11CE-9BCD-00AA00608E01; the hex string is the byte-swapped
// (little-endian) form of the same CLSID as it appears in hex-encoded \objdata.
// Hex broken up by whitespace or control words will not match the contiguous string.
rule Methodology_RTFEngine_OLE_CLSID_FormsFrame
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        $clsid_hex67 = "2020186e60f4ce119BCD00AA00608E01" ascii nocase
        $clsid_a68 = "6E182020-F460-11CE-9BCD-00AA00608E01" ascii nocase
        // RTF control words that introduce embedded OLE content
        $embedded_oleclass = "\\oleclsid" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_object = "\\object" nocase
    condition:
        uint16(0) == 0x5C7B        // "{\" at offset 0
        and filesize < 15MB
        and any of ($embedded*)
        and any of ($clsid*)
}
// Microsoft.VbaAddin embedded as an OLE object in an RTF (known related to CVE-2016-0042).
// CLSID 799ED9EA-FB5E-11D1-B7D6-00C04FC2AAE2; the hex string is the byte-swapped
// (little-endian) form of the same CLSID as it appears in hex-encoded \objdata.
// Hex broken up by whitespace or control words will not match the contiguous string.
rule Methodology_RTFEngine_OLE_CLSID_MicrosoftVbaAddin
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        $clsid_hex68 = "ead99e795efbd111B7D600C04FC2AAE2" ascii nocase
        $clsid_a69 = "799ED9EA-FB5E-11D1-B7D6-00C04FC2AAE2" ascii nocase
        // RTF control words that introduce embedded OLE content
        $embedded_oleclass = "\\oleclsid" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_object = "\\object" nocase
    condition:
        uint16(0) == 0x5C7B        // "{\" at offset 0
        and filesize < 15MB
        and any of ($embedded*)
        and any of ($clsid*)
}
// StdHlink embedded as an OLE object in an RTF.
// CLSID 79EAC9D0-BAF9-11CE-8C82-00AA004BA90B; the hex string is the byte-swapped
// (little-endian) form of the same CLSID as it appears in hex-encoded \objdata.
// Hex broken up by whitespace or control words will not match the contiguous string.
rule Methodology_RTFEngine_OLE_CLSID_StdHlink
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        $clsid_hex69 = "d0c9ea79f9bace118C8200AA004BA90B" ascii nocase
        $clsid_a70 = "79EAC9D0-BAF9-11CE-8C82-00AA004BA90B" ascii nocase
        // RTF control words that introduce embedded OLE content
        $embedded_oleclass = "\\oleclsid" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_object = "\\object" nocase
    condition:
        uint16(0) == 0x5C7B        // "{\" at offset 0
        and filesize < 15MB
        and any of ($embedded*)
        and any of ($clsid*)
}
// StdHlinkBrowseContext embedded as an OLE object in an RTF.
// CLSID 79EAC9D1-BAF9-11CE-8C82-00AA004BA90B; the hex string is the byte-swapped
// (little-endian) form of the same CLSID as it appears in hex-encoded \objdata.
// Hex broken up by whitespace or control words will not match the contiguous string.
rule Methodology_RTFEngine_OLE_CLSID_StdHlinkBrowseContext
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        $clsid_hex70 = "d1c9ea79f9bace118C8200AA004BA90B" ascii nocase
        $clsid_a71 = "79EAC9D1-BAF9-11CE-8C82-00AA004BA90B" ascii nocase
        // RTF control words that introduce embedded OLE content
        $embedded_oleclass = "\\oleclsid" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_object = "\\object" nocase
    condition:
        uint16(0) == 0x5C7B        // "{\" at offset 0
        and filesize < 15MB
        and any of ($embedded*)
        and any of ($clsid*)
}
// URL Moniker embedded as an OLE object in an RTF (may trigger CVE-2017-0199,
// CVE-2017-8570, or CVE-2018-8174). CLSID 79EAC9E0-BAF9-11CE-8C82-00AA004BA90B; the hex
// string is the byte-swapped (little-endian) form as found in hex-encoded \objdata.
// Hex broken up by whitespace or control words will not match the contiguous string.
rule Methodology_RTFEngine_OLE_CLSID_URLMoniker
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        $clsid_hex71 = "e0c9ea79f9bace118C8200AA004BA90B" ascii nocase
        $clsid_a72 = "79EAC9E0-BAF9-11CE-8C82-00AA004BA90B" ascii nocase
        // RTF control words that introduce embedded OLE content
        $embedded_oleclass = "\\oleclsid" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_object = "\\object" nocase
    condition:
        uint16(0) == 0x5C7B        // "{\" at offset 0
        and filesize < 15MB
        and any of ($embedded*)
        and any of ($clsid*)
}
// (http:) Asynchronous Pluggable Protocol Handler embedded as an OLE object in an RTF.
// CLSID 79EAC9E2-BAF9-11CE-8C82-00AA004BA90B; the hex string is the byte-swapped
// (little-endian) form of the same CLSID as it appears in hex-encoded \objdata.
// Hex broken up by whitespace or control words will not match the contiguous string.
rule Methodology_RTFEngine_OLE_CLSID_AsychronousPluggableProtocolHandler_http
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        $clsid_hex72 = "e2c9ea79f9bace118C8200AA004BA90B" ascii nocase
        $clsid_a73 = "79EAC9E2-BAF9-11CE-8C82-00AA004BA90B" ascii nocase
        // RTF control words that introduce embedded OLE content
        $embedded_oleclass = "\\oleclsid" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_object = "\\object" nocase
    condition:
        uint16(0) == 0x5C7B        // "{\" at offset 0
        and filesize < 15MB
        and any of ($embedded*)
        and any of ($clsid*)
}
// (ftp:) Asynchronous Pluggable Protocol Handler embedded as an OLE object in an RTF.
// CLSID 79EAC9E3-BAF9-11CE-8C82-00AA004BA90B; the hex string is the byte-swapped
// (little-endian) form of the same CLSID as it appears in hex-encoded \objdata.
// Hex broken up by whitespace or control words will not match the contiguous string.
rule Methodology_RTFEngine_OLE_CLSID_AsychronousPluggableProtocolHandler_ftp
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        $clsid_hex73 = "e3c9ea79f9bace118C8200AA004BA90B" ascii nocase
        $clsid_a74 = "79EAC9E3-BAF9-11CE-8C82-00AA004BA90B" ascii nocase
        // RTF control words that introduce embedded OLE content
        $embedded_oleclass = "\\oleclsid" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_object = "\\object" nocase
    condition:
        uint16(0) == 0x5C7B        // "{\" at offset 0
        and filesize < 15MB
        and any of ($embedded*)
        and any of ($clsid*)
}
// (https:) Asynchronous Pluggable Protocol Handler embedded as an OLE object in an RTF.
// CLSID 79EAC9E5-BAF9-11CE-8C82-00AA004BA90B; the hex string is the byte-swapped
// (little-endian) form of the same CLSID as it appears in hex-encoded \objdata.
// Hex broken up by whitespace or control words will not match the contiguous string.
rule Methodology_RTFEngine_OLE_CLSID_AsychronousPluggableProtocolHandler_https
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        $clsid_hex74 = "e5c9ea79f9bace118C8200AA004BA90B" ascii nocase
        $clsid_a75 = "79EAC9E5-BAF9-11CE-8C82-00AA004BA90B" ascii nocase
        // RTF control words that introduce embedded OLE content
        $embedded_oleclass = "\\oleclsid" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_object = "\\object" nocase
    condition:
        uint16(0) == 0x5C7B        // "{\" at offset 0
        and filesize < 15MB
        and any of ($embedded*)
        and any of ($clsid*)
}
// (mk:) Asynchronous Pluggable Protocol Handler embedded as an OLE object in an RTF.
// CLSID 79EAC9E6-BAF9-11CE-8C82-00AA004BA90B; the hex string is the byte-swapped
// (little-endian) form of the same CLSID as it appears in hex-encoded \objdata.
// Hex broken up by whitespace or control words will not match the contiguous string.
rule Methodology_RTFEngine_OLE_CLSID_AsychronousPluggableProtocolHandler_mk
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        $clsid_hex75 = "e6c9ea79f9bace118C8200AA004BA90B" ascii nocase
        $clsid_a76 = "79EAC9E6-BAF9-11CE-8C82-00AA004BA90B" ascii nocase
        // RTF control words that introduce embedded OLE content
        $embedded_oleclass = "\\oleclsid" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_object = "\\object" nocase
    condition:
        uint16(0) == 0x5C7B        // "{\" at offset 0
        and filesize < 15MB
        and any of ($embedded*)
        and any of ($clsid*)
}
// (file:, local:) Asynchronous Pluggable Protocol Handler embedded as an OLE object in an RTF.
// CLSID 79EAC9E7-BAF9-11CE-8C82-00AA004BA90B; the hex string is the byte-swapped
// (little-endian) form of the same CLSID as it appears in hex-encoded \objdata.
// Hex broken up by whitespace or control words will not match the contiguous string.
rule Methodology_RTFEngine_OLE_CLSID_AsychronousPluggableProtocolHandler_file
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        $clsid_hex76 = "e7c9ea79f9bace118C8200AA004BA90B" ascii nocase
        $clsid_a77 = "79EAC9E7-BAF9-11CE-8C82-00AA004BA90B" ascii nocase
        // RTF control words that introduce embedded OLE content
        $embedded_oleclass = "\\oleclsid" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_object = "\\object" nocase
    condition:
        uint16(0) == 0x5C7B        // "{\" at offset 0
        and filesize < 15MB
        and any of ($embedded*)
        and any of ($clsid*)
}
// AutoCAD 2007-2009 Document embedded as an OLE object in an RTF.
// CLSID 7AABBB95-79BE-4C0F-8024-EB6AF271231C; the hex string is the byte-swapped
// (little-endian) form of the same CLSID as it appears in hex-encoded \objdata.
// Hex broken up by whitespace or control words will not match the contiguous string.
rule Methodology_RTFEngine_OLE_CLSID_AutoCAD2007
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        $clsid_hex77 = "95bbab7abe790f4c8024EB6AF271231C" ascii nocase
        $clsid_a78 = "7AABBB95-79BE-4C0F-8024-EB6AF271231C" ascii nocase
        // RTF control words that introduce embedded OLE content
        $embedded_oleclass = "\\oleclsid" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_object = "\\object" nocase
    condition:
        uint16(0) == 0x5C7B        // "{\" at offset 0
        and filesize < 15MB
        and any of ($embedded*)
        and any of ($clsid*)
}
// scrrun.dll JS File Host Encode Object (ProgID JSFile.HostEncode) embedded as an OLE
// object in an RTF. CLSID 85131630-480C-11D2-B1F9-00C04F86C324; the hex string is the
// byte-swapped (little-endian) form of the same CLSID as it appears in hex-encoded \objdata.
// Hex broken up by whitespace or control words will not match the contiguous string.
rule Methodology_RTFEngine_OLE_CLSID_scrrundll_jsfile
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        $clsid_hex78 = "301613850c48d211B1F900C04F86C324" ascii nocase
        $clsid_a79 = "85131630-480C-11D2-B1F9-00C04F86C324" ascii nocase
        // RTF control words that introduce embedded OLE content
        $embedded_oleclass = "\\oleclsid" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_object = "\\object" nocase
    condition:
        uint16(0) == 0x5C7B        // "{\" at offset 0
        and filesize < 15MB
        and any of ($embedded*)
        and any of ($clsid*)
}
// scrrun.dll VBS File Host Encode Object (ProgID VBSFile.HostEncode) embedded as an OLE
// object in an RTF. CLSID 85131631-480C-11D2-B1F9-00C04F86C324; the hex string is the
// byte-swapped (little-endian) form of the same CLSID as it appears in hex-encoded \objdata.
// Hex broken up by whitespace or control words will not match the contiguous string.
rule Methodology_RTFEngine_OLE_CLSID_scrrundll_vbsfile
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        $clsid_hex79 = "311613850c48d211B1F900C04F86C324" ascii nocase
        $clsid_a80 = "85131631-480C-11D2-B1F9-00C04F86C324" ascii nocase
        // RTF control words that introduce embedded OLE content
        $embedded_oleclass = "\\oleclsid" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_object = "\\object" nocase
    condition:
        uint16(0) == 0x5C7B        // "{\" at offset 0
        and filesize < 15MB
        and any of ($embedded*)
        and any of ($clsid*)
}
// UmOutlookAddin.ButtonBar embedded as an OLE object in an RTF (potential exploit document,
// CVE-2016-0042 / MS16-014). CLSID 8627E73B-B5AA-4643-A3B0-570EDA17E3E7; the hex string is
// the byte-swapped (little-endian) form of the same CLSID as it appears in hex-encoded \objdata.
// Hex broken up by whitespace or control words will not match the contiguous string.
rule Methodology_RTFEngine_OLE_CLSID_UmOutlookAddinButtonBar
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        $clsid_hex80 = "3be72786aab54346A3B0570EDA17E3E7" ascii nocase
        $clsid_a81 = "8627E73B-B5AA-4643-A3B0-570EDA17E3E7" ascii nocase
        // RTF control words that introduce embedded OLE content
        $embedded_oleclass = "\\oleclsid" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_object = "\\object" nocase
    condition:
        uint16(0) == 0x5C7B        // "{\" at offset 0
        and filesize < 15MB
        and any of ($embedded*)
        and any of ($clsid*)
}
// Msxml2.DOMDocument.5.0 embedded as an OLE object in an RTF.
// CLSID 88D969E5-F192-11D4-A65F-0040963251E5; the hex string is the byte-swapped
// (little-endian) form of the same CLSID as it appears in hex-encoded \objdata.
// Hex broken up by whitespace or control words will not match the contiguous string.
rule Methodology_RTFEngine_OLE_CLSID_Msxml2DOMDocument50
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        $clsid_hex81 = "e569d98892f1d411A65F0040963251E5" ascii nocase
        $clsid_a82 = "88D969E5-F192-11D4-A65F-0040963251E5" ascii nocase
        // RTF control words that introduce embedded OLE content
        $embedded_oleclass = "\\oleclsid" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_object = "\\object" nocase
    condition:
        uint16(0) == 0x5C7B        // "{\" at offset 0
        and filesize < 15MB
        and any of ($embedded*)
        and any of ($clsid*)
}
// Msxml2.DSOControl.5.0 embedded as an OLE object in an RTF.
// CLSID 88D969E9-F192-11D4-A65F-0040963251E5; the hex string is the byte-swapped
// (little-endian) form of the same CLSID as it appears in hex-encoded \objdata.
// Hex broken up by whitespace or control words will not match the contiguous string.
rule Methodology_RTFEngine_OLE_CLSID_Msxml2DSOControl50
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        $clsid_hex82 = "e969d98892f1d411A65F0040963251E5" ascii nocase
        $clsid_a83 = "88D969E9-F192-11D4-A65F-0040963251E5" ascii nocase
        // RTF control words that introduce embedded OLE content
        $embedded_oleclass = "\\oleclsid" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_object = "\\object" nocase
    condition:
        uint16(0) == 0x5C7B        // "{\" at offset 0
        and filesize < 15MB
        and any of ($embedded*)
        and any of ($clsid*)
}
// Msxml2.FreeThreadedDOMDocument.5.0 embedded as an OLE object in an RTF.
// CLSID 88D969E6-F192-11D4-A65F-0040963251E5; the hex string is the byte-swapped
// (little-endian) form of the same CLSID as it appears in hex-encoded \objdata.
// Hex broken up by whitespace or control words will not match the contiguous string.
rule Methodology_RTFEngine_OLE_CLSID_Msxml2FreeThreadedDOMDocument50
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        $clsid_hex83 = "e669d98892f1d411A65F0040963251E5" ascii nocase
        $clsid_a84 = "88D969E6-F192-11D4-A65F-0040963251E5" ascii nocase
        // RTF control words that introduce embedded OLE content
        $embedded_oleclass = "\\oleclsid" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_object = "\\object" nocase
    condition:
        uint16(0) == 0x5C7B        // "{\" at offset 0
        and filesize < 15MB
        and any of ($embedded*)
        and any of ($clsid*)
}
// Msxml2.MXDigitalSignature.5.0 embedded as an OLE object in an RTF.
// CLSID 88D969F5-F192-11D4-A65F-0040963251E5; the hex string is the byte-swapped
// (little-endian) form of the same CLSID as it appears in hex-encoded \objdata.
// Hex broken up by whitespace or control words will not match the contiguous string.
rule Methodology_RTFEngine_OLE_CLSID_Msxml2MXDigitalSignature50
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        $clsid_hex84 = "f569d98892f1d411A65F0040963251E5" ascii nocase
        $clsid_a85 = "88D969F5-F192-11D4-A65F-0040963251E5" ascii nocase
        // RTF control words that introduce embedded OLE content
        $embedded_oleclass = "\\oleclsid" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_object = "\\object" nocase
    condition:
        uint16(0) == 0x5C7B        // "{\" at offset 0
        and filesize < 15MB
        and any of ($embedded*)
        and any of ($clsid*)
}
// Msxml2.MXHTMLWriter.5.0 embedded as an OLE object in an RTF.
// CLSID 88D969F0-F192-11D4-A65F-0040963251E5; the hex string is the byte-swapped
// (little-endian) form of the same CLSID as it appears in hex-encoded \objdata.
// Hex broken up by whitespace or control words will not match the contiguous string.
rule Methodology_RTFEngine_OLE_CLSID_Msxml2MXHTMLWriter50
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        $clsid_hex85 = "f069d98892f1d411A65F0040963251E5" ascii nocase
        $clsid_a86 = "88D969F0-F192-11D4-A65F-0040963251E5" ascii nocase
        // RTF control words that introduce embedded OLE content
        $embedded_oleclass = "\\oleclsid" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_object = "\\object" nocase
    condition:
        uint16(0) == 0x5C7B        // "{\" at offset 0
        and filesize < 15MB
        and any of ($embedded*)
        and any of ($clsid*)
}
// Msxml2.MXNamespaceManager.5.0 embedded as an OLE object in an RTF.
// CLSID 88D969F1-F192-11D4-A65F-0040963251E5; the hex string is the byte-swapped
// (little-endian) form of the same CLSID as it appears in hex-encoded \objdata.
// Hex broken up by whitespace or control words will not match the contiguous string.
rule Methodology_RTFEngine_OLE_CLSID_Msxml2MXNamespaceManager50
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        $clsid_hex86 = "f169d98892f1d411A65F0040963251E5" ascii nocase
        $clsid_a87 = "88D969F1-F192-11D4-A65F-0040963251E5" ascii nocase
        // RTF control words that introduce embedded OLE content
        $embedded_oleclass = "\\oleclsid" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_object = "\\object" nocase
    condition:
        uint16(0) == 0x5C7B        // "{\" at offset 0
        and filesize < 15MB
        and any of ($embedded*)
        and any of ($clsid*)
}
// Msxml2.MXXMLWriter.5.0 embedded as an OLE object in an RTF.
// CLSID 88D969EF-F192-11D4-A65F-0040963251E5; the hex string is the byte-swapped
// (little-endian) form of the same CLSID as it appears in hex-encoded \objdata.
// Hex broken up by whitespace or control words will not match the contiguous string.
rule Methodology_RTFEngine_OLE_CLSID_Msxml2MXXMLWriter50
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        $clsid_hex87 = "ef69d98892f1d411A65F0040963251E5" ascii nocase
        $clsid_a88 = "88D969EF-F192-11D4-A65F-0040963251E5" ascii nocase
        // RTF control words that introduce embedded OLE content
        $embedded_oleclass = "\\oleclsid" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_object = "\\object" nocase
    condition:
        uint16(0) == 0x5C7B        // "{\" at offset 0
        and filesize < 15MB
        and any of ($embedded*)
        and any of ($clsid*)
}
// Msxml2.SAXAttributes.5.0 embedded as an OLE object in an RTF.
// CLSID 88D969EE-F192-11D4-A65F-0040963251E5; the hex string is the byte-swapped
// (little-endian) form of the same CLSID as it appears in hex-encoded \objdata.
// Hex broken up by whitespace or control words will not match the contiguous string.
rule Methodology_RTFEngine_OLE_CLSID_Msxml2SAXAttributes50
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        $clsid_hex88 = "ee69d98892f1d411A65F0040963251E5" ascii nocase
        $clsid_a89 = "88D969EE-F192-11D4-A65F-0040963251E5" ascii nocase
        // RTF control words that introduce embedded OLE content
        $embedded_oleclass = "\\oleclsid" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_object = "\\object" nocase
    condition:
        uint16(0) == 0x5C7B        // "{\" at offset 0
        and filesize < 15MB
        and any of ($embedded*)
        and any of ($clsid*)
}
// Msxml2.SAXXMLReader.5.0 embedded as an OLE object in an RTF.
// CLSID 88D969EC-8B8B-4C3D-859E-AF6CD158BE0F; the hex string is the byte-swapped
// (little-endian) form of the same CLSID as it appears in hex-encoded \objdata.
// Hex broken up by whitespace or control words will not match the contiguous string.
rule Methodology_RTFEngine_OLE_CLSID_Msxml2SAXXMLReader50
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        $clsid_hex89 = "ec69d9888b8b3d4c859EAF6CD158BE0F" ascii nocase
        $clsid_a90 = "88D969EC-8B8B-4C3D-859E-AF6CD158BE0F" ascii nocase
        // RTF control words that introduce embedded OLE content
        $embedded_oleclass = "\\oleclsid" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_object = "\\object" nocase
    condition:
        uint16(0) == 0x5C7B        // "{\" at offset 0
        and filesize < 15MB
        and any of ($embedded*)
        and any of ($clsid*)
}
// Msxml2.ServerXMLHTTP.5.0 embedded as an OLE object in an RTF.
// CLSID 88D969EB-F192-11D4-A65F-0040963251E5; the hex string is the byte-swapped
// (little-endian) form of the same CLSID as it appears in hex-encoded \objdata.
// Hex broken up by whitespace or control words will not match the contiguous string.
rule Methodology_RTFEngine_OLE_CLSID_Msxml2ServerXMLHTTP50
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        $clsid_hex90 = "eb69d98892f1d411A65F0040963251E5" ascii nocase
        $clsid_a91 = "88D969EB-F192-11D4-A65F-0040963251E5" ascii nocase
        // RTF control words that introduce embedded OLE content
        $embedded_oleclass = "\\oleclsid" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_object = "\\object" nocase
    condition:
        uint16(0) == 0x5C7B        // "{\" at offset 0
        and filesize < 15MB
        and any of ($embedded*)
        and any of ($clsid*)
}
// Msxml2.XMLHTTP.5.0 embedded as an OLE object in an RTF.
// CLSID 88D969EA-F192-11D4-A65F-0040963251E5; the hex string is the byte-swapped
// (little-endian) form of the same CLSID as it appears in hex-encoded \objdata.
// Hex broken up by whitespace or control words will not match the contiguous string.
rule Methodology_RTFEngine_OLE_CLSID_Msxml2XMLHTTP50
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        $clsid_hex91 = "ea69d98892f1d411A65F0040963251E5" ascii nocase
        $clsid_a92 = "88D969EA-F192-11D4-A65F-0040963251E5" ascii nocase
        // RTF control words that introduce embedded OLE content
        $embedded_oleclass = "\\oleclsid" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_object = "\\object" nocase
    condition:
        uint16(0) == 0x5C7B        // "{\" at offset 0
        and filesize < 15MB
        and any of ($embedded*)
        and any of ($clsid*)
}
// Msxml2.XMLSchemaCache.5.0 embedded as an OLE object in an RTF.
// CLSID 88D969E7-F192-11D4-A65F-0040963251E5; the hex string is the byte-swapped
// (little-endian) form of the same CLSID as it appears in hex-encoded \objdata.
// Hex broken up by whitespace or control words will not match the contiguous string.
rule Methodology_RTFEngine_OLE_CLSID_Msxml2XMLSchemaCache50
{
    meta:
        author = "stvemillertime"
        description = "RTFEngine looks for RTF anomalies, here, looking for RTF with OLEs and particular CLSIDs."
    strings:
        $clsid_hex92 = "e769d98892f1d411A65F0040963251E5" ascii nocase
        $clsid_a93 = "88D969E7-F192-11D4-A65F-0040963251E5" ascii nocase
        // RTF control words that introduce embedded OLE content
        $embedded_oleclass = "\\oleclsid" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_object = "\\object" nocase
    condition:
        uint16(0) == 0x5C7B        // "{\" at offset 0
        and filesize < 15MB
        and any of ($embedded*)
        and any of ($clsid*)
}
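rule Methodology_RTFEngine_OLE_CLSID_Msxml2XSLTemplate50 {
    meta:
        author = "stvemillertime"
        description = "RTF with an embedded OLE object whose CLSID is Msxml2.XSLTemplate.5.0 (88D969E8-F192-11D4-A65F-0040963251E5). Methodology rule: check prevalence before alerting on it."
        reference = "https://github.com/decalage2/oletools/blob/master/oletools/common/clsid.py"
    strings:
        // RTF control words that indicate an embedded or linked object is present.
        $embedded_object = "\\object" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_oleclass = "\\oleclsid" nocase
        // CLSID in registry/text form (as it appears after \oleclsid).
        $clsid_a94 = "88D969E8-F192-11D4-A65F-0040963251E5" nocase ascii
        // Same CLSID as little-endian GUID bytes, hex-encoded inside \objdata (contiguous; fast atom).
        $clsid_hex93 = "e869d98892f1d411A65F0040963251E5" nocase ascii
        // Same bytes tolerating whitespace/CRLF between byte pairs (Word line-wraps \objdata hex and
        // the loader ignores the whitespace). Splits inside a byte pair are not covered; short atoms
        // make this slower than the plain string.
        $clsid_hex93_ws = /e8\s*69\s*d9\s*88\s*92\s*f1\s*d4\s*11\s*a6\s*5f\s*00\s*40\s*96\s*32\s*51\s*e5/ nocase
    condition:
        // 0x5C7B is "{\" read little-endian at offset 0.
        filesize < 15MB and (uint16(0) == 0x5C7B) and 1 of ($embedded*) and 1 of ($clsid*)
}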
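rule Methodology_RTFEngine_OLE_CLSID_msxml6dll {
    meta:
        author = "stvemillertime"
        description = "RTF with an embedded OLE object whose CLSID is SAX XML Reader 6.0 / msxml6.dll (88D96A0C-F192-11D4-A65F-0040963251E5). Methodology rule: check prevalence before alerting on it."
        reference = "https://github.com/decalage2/oletools/blob/master/oletools/common/clsid.py"
    strings:
        // RTF control words that indicate an embedded or linked object is present.
        $embedded_object = "\\object" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_oleclass = "\\oleclsid" nocase
        // CLSID in registry/text form (as it appears after \oleclsid).
        $clsid_a95 = "88D96A0C-F192-11D4-A65F-0040963251E5" nocase ascii
        // Same CLSID as little-endian GUID bytes, hex-encoded inside \objdata (contiguous; fast atom).
        $clsid_hex94 = "0c6ad98892f1d411A65F0040963251E5" nocase ascii
        // Same bytes tolerating whitespace/CRLF between byte pairs (Word line-wraps \objdata hex and
        // the loader ignores the whitespace). Splits inside a byte pair are not covered; short atoms
        // make this slower than the plain string.
        $clsid_hex94_ws = /0c\s*6a\s*d9\s*88\s*92\s*f1\s*d4\s*11\s*a6\s*5f\s*00\s*40\s*96\s*32\s*51\s*e5/ nocase
    condition:
        // 0x5C7B is "{\" read little-endian at offset 0.
        filesize < 15MB and (uint16(0) == 0x5C7B) and 1 of ($embedded*) and 1 of ($clsid*)
}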
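rule Methodology_RTFEngine_OLE_CLSID_AutoCAD2004 {
    meta:
        author = "stvemillertime"
        description = "RTF with an embedded OLE object whose CLSID is AutoCAD 2004-2006 Document (8E75D913-3D21-11D2-85C4-080009A0C626). Methodology rule: check prevalence before alerting on it."
        reference = "https://github.com/decalage2/oletools/blob/master/oletools/common/clsid.py"
    strings:
        // RTF control words that indicate an embedded or linked object is present.
        $embedded_object = "\\object" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_oleclass = "\\oleclsid" nocase
        // CLSID in registry/text form (as it appears after \oleclsid).
        $clsid_a96 = "8E75D913-3D21-11D2-85C4-080009A0C626" nocase ascii
        // Same CLSID as little-endian GUID bytes, hex-encoded inside \objdata (contiguous; fast atom).
        $clsid_hex95 = "13d9758e213dd21185C4080009A0C626" nocase ascii
        // Same bytes tolerating whitespace/CRLF between byte pairs (Word line-wraps \objdata hex and
        // the loader ignores the whitespace). Splits inside a byte pair are not covered; short atoms
        // make this slower than the plain string.
        $clsid_hex95_ws = /13\s*d9\s*75\s*8e\s*21\s*3d\s*d2\s*11\s*85\s*c4\s*08\s*00\s*09\s*a0\s*c6\s*26/ nocase
    condition:
        // 0x5C7B is "{\" read little-endian at offset 0.
        filesize < 15MB and (uint16(0) == 0x5C7B) and 1 of ($embedded*) and 1 of ($clsid*)
}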
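rule Methodology_RTFEngine_OLE_CLSID_MSCOMCTLTreeCtrl {
    meta:
        author = "stvemillertime"
        description = "RTF with an embedded OLE object whose CLSID is MSCOMCTL.TreeCtrl (9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E), a control that may trigger CVE-2012-0158. Methodology rule: check prevalence before alerting on it."
        reference = "https://github.com/decalage2/oletools/blob/master/oletools/common/clsid.py"
    strings:
        // RTF control words that indicate an embedded or linked object is present.
        $embedded_object = "\\object" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_oleclass = "\\oleclsid" nocase
        // CLSID in registry/text form (as it appears after \oleclsid).
        $clsid_a97 = "9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E" nocase ascii
        // Same CLSID as little-endian GUID bytes, hex-encoded inside \objdata (contiguous; fast atom).
        $clsid_hex96 = "5fdc81917de08a41ACA68EEA1ECB8E9E" nocase ascii
        // Same bytes tolerating whitespace/CRLF between byte pairs (Word line-wraps \objdata hex and
        // the loader ignores the whitespace). Splits inside a byte pair are not covered; short atoms
        // make this slower than the plain string.
        $clsid_hex96_ws = /5f\s*dc\s*81\s*91\s*7d\s*e0\s*8a\s*41\s*ac\s*a6\s*8e\s*ea\s*1e\s*cb\s*8e\s*9e/ nocase
    condition:
        // 0x5C7B is "{\" read little-endian at offset 0.
        filesize < 15MB and (uint16(0) == 0x5C7B) and 1 of ($embedded*) and 1 of ($clsid*)
}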
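rule Methodology_RTFEngine_OLE_CLSID_ELSEXTDLL_2 {
    meta:
        author = "stvemillertime"
        description = "RTF with an embedded OLE object whose CLSID (975797FC-4E2A-11D0-B702-00C04FD8DBF7) loads ELSEXT.DLL; known related to CVE-2015-6128. Methodology rule: check prevalence before alerting on it."
        reference = "https://github.com/decalage2/oletools/blob/master/oletools/common/clsid.py"
    strings:
        // RTF control words that indicate an embedded or linked object is present.
        $embedded_object = "\\object" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_oleclass = "\\oleclsid" nocase
        // CLSID in registry/text form (as it appears after \oleclsid).
        $clsid_a98 = "975797FC-4E2A-11D0-B702-00C04FD8DBF7" nocase ascii
        // Same CLSID as little-endian GUID bytes, hex-encoded inside \objdata (contiguous; fast atom).
        $clsid_hex97 = "fc9757972a4ed011B70200C04FD8DBF7" nocase ascii
        // Same bytes tolerating whitespace/CRLF between byte pairs (Word line-wraps \objdata hex and
        // the loader ignores the whitespace). Splits inside a byte pair are not covered; short atoms
        // make this slower than the plain string.
        $clsid_hex97_ws = /fc\s*97\s*57\s*97\s*2a\s*4e\s*d0\s*11\s*b7\s*02\s*00\s*c0\s*4f\s*d8\s*db\s*f7/ nocase
    condition:
        // 0x5C7B is "{\" read little-endian at offset 0.
        filesize < 15MB and (uint16(0) == 0x5C7B) and 1 of ($embedded*) and 1 of ($clsid*)
}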
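rule Methodology_RTFEngine_OLE_CLSID_MicrosoftForms20 {
    meta:
        author = "stvemillertime"
        description = "RTF with an embedded OLE object whose CLSID is Microsoft Forms 2.0 Label / Forms.Label.1 (978C9E23-D4B0-11CE-BF2D-00AA003F40D0). Methodology rule: check prevalence before alerting on it."
        reference = "https://github.com/decalage2/oletools/blob/master/oletools/common/clsid.py"
    strings:
        // RTF control words that indicate an embedded or linked object is present.
        $embedded_object = "\\object" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_oleclass = "\\oleclsid" nocase
        // CLSID in registry/text form (as it appears after \oleclsid).
        $clsid_a99 = "978C9E23-D4B0-11CE-BF2D-00AA003F40D0" nocase ascii
        // Same CLSID as little-endian GUID bytes, hex-encoded inside \objdata (contiguous; fast atom).
        $clsid_hex98 = "239e8c97b0d4ce11BF2D00AA003F40D0" nocase ascii
        // Same bytes tolerating whitespace/CRLF between byte pairs (Word line-wraps \objdata hex and
        // the loader ignores the whitespace). Splits inside a byte pair are not covered; short atoms
        // make this slower than the plain string.
        $clsid_hex98_ws = /23\s*9e\s*8c\s*97\s*b0\s*d4\s*ce\s*11\s*bf\s*2d\s*00\s*aa\s*00\s*3f\s*40\s*d0/ nocase
    condition:
        // 0x5C7B is "{\" read little-endian at offset 0.
        filesize < 15MB and (uint16(0) == 0x5C7B) and 1 of ($embedded*) and 1 of ($clsid*)
}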
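rule Methodology_RTFEngine_OLE_CLSID_MSCOMCTLListViewCtrl {
    meta:
        author = "stvemillertime"
        description = "RTF with an embedded OLE object whose CLSID is MSCOMCTL.ListViewCtrl (996BF5E0-8044-4650-ADEB-0B013914E99C), a control that may trigger CVE-2012-0158. Methodology rule: check prevalence before alerting on it."
        reference = "https://github.com/decalage2/oletools/blob/master/oletools/common/clsid.py"
        reference2 = "https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=652438"
    strings:
        // RTF control words that indicate an embedded or linked object is present.
        $embedded_object = "\\object" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_oleclass = "\\oleclsid" nocase
        // CLSID in registry/text form (as it appears after \oleclsid).
        $clsid_a100 = "996BF5E0-8044-4650-ADEB-0B013914E99C" nocase ascii
        // Same CLSID as little-endian GUID bytes, hex-encoded inside \objdata (contiguous; fast atom).
        $clsid_hex99 = "e0f56b9944805046ADEB0B013914E99C" nocase ascii
        // Same bytes tolerating whitespace/CRLF between byte pairs (Word line-wraps \objdata hex and
        // the loader ignores the whitespace). Splits inside a byte pair are not covered; short atoms
        // make this slower than the plain string.
        $clsid_hex99_ws = /e0\s*f5\s*6b\s*99\s*44\s*80\s*50\s*46\s*ad\s*eb\s*0b\s*01\s*39\s*14\s*e9\s*9c/ nocase
    condition:
        // 0x5C7B is "{\" read little-endian at offset 0.
        filesize < 15MB and (uint16(0) == 0x5C7B) and 1 of ($embedded*) and 1 of ($clsid*)
}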
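rule Methodology_RTFEngine_OLE_CLSID_VirtualDiskServiceLoader {
    meta:
        author = "stvemillertime"
        description = "RTF with an embedded OLE object whose CLSID is Virtual Disk Service Loader / vdsldr.exe (9C38ED61-D565-4728-AEEE-C80952F0ECDE); related to the Office click-to-run issue CVE-2021-27058. Methodology rule: check prevalence before alerting on it."
        reference = "https://github.com/decalage2/oletools/blob/master/oletools/common/clsid.py"
    strings:
        // RTF control words that indicate an embedded or linked object is present.
        $embedded_object = "\\object" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_oleclass = "\\oleclsid" nocase
        // CLSID in registry/text form (as it appears after \oleclsid).
        $clsid_a101 = "9C38ED61-D565-4728-AEEE-C80952F0ECDE" nocase ascii
        // Same CLSID as little-endian GUID bytes, hex-encoded inside \objdata (contiguous; fast atom).
        $clsid_hex100 = "61ed389c65d52847AEEEC80952F0ECDE" nocase ascii
        // Same bytes tolerating whitespace/CRLF between byte pairs (Word line-wraps \objdata hex and
        // the loader ignores the whitespace). Splits inside a byte pair are not covered; short atoms
        // make this slower than the plain string.
        $clsid_hex100_ws = /61\s*ed\s*38\s*9c\s*65\s*d5\s*28\s*47\s*ae\s*ee\s*c8\s*09\s*52\s*f0\s*ec\s*de/ nocase
    condition:
        // 0x5C7B is "{\" read little-endian at offset 0.
        filesize < 15MB and (uint16(0) == 0x5C7B) and 1 of ($embedded*) and 1 of ($clsid*)
}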
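rule Methodology_RTFEngine_OLE_CLSID_otkloadrWRAssemblyObject {
    meta:
        author = "stvemillertime"
        description = "RTF with an embedded OLE object whose CLSID is the otkloadr WRAssembly Object (A08A033D-1A75-4AB6-A166-EAD02F547959), commonly loaded to bypass ASLR after an exploit triggers. Methodology rule: check prevalence before alerting on it."
        reference = "https://github.com/decalage2/oletools/blob/master/oletools/common/clsid.py"
    strings:
        // RTF control words that indicate an embedded or linked object is present.
        $embedded_object = "\\object" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_oleclass = "\\oleclsid" nocase
        // CLSID in registry/text form (as it appears after \oleclsid).
        $clsid_a102 = "A08A033D-1A75-4AB6-A166-EAD02F547959" nocase ascii
        // Same CLSID as little-endian GUID bytes, hex-encoded inside \objdata (contiguous; fast atom).
        $clsid_hex101 = "3d038aa0751ab64aA166EAD02F547959" nocase ascii
        // Same bytes tolerating whitespace/CRLF between byte pairs (Word line-wraps \objdata hex and
        // the loader ignores the whitespace). Splits inside a byte pair are not covered; short atoms
        // make this slower than the plain string.
        $clsid_hex101_ws = /3d\s*03\s*8a\s*a0\s*75\s*1a\s*b6\s*4a\s*a1\s*66\s*ea\s*d0\s*2f\s*54\s*79\s*59/ nocase
    condition:
        // 0x5C7B is "{\" read little-endian at offset 0.
        filesize < 15MB and (uint16(0) == 0x5C7B) and 1 of ($embedded*) and 1 of ($clsid*)
}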
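rule Methodology_RTFEngine_OLE_CLSID_vbscriptdll {
    meta:
        author = "stvemillertime"
        description = "RTF with an embedded OLE object whose CLSID is vbscript.dll / VB Script Language, ProgID VBS or VBScript (B54F3741-5B07-11CF-A4B0-00AA004A55E8). Methodology rule: check prevalence before alerting on it."
        reference = "https://github.com/decalage2/oletools/blob/master/oletools/common/clsid.py"
    strings:
        // RTF control words that indicate an embedded or linked object is present.
        $embedded_object = "\\object" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_oleclass = "\\oleclsid" nocase
        // CLSID in registry/text form (as it appears after \oleclsid).
        $clsid_a103 = "B54F3741-5B07-11CF-A4B0-00AA004A55E8" nocase ascii
        // Same CLSID as little-endian GUID bytes, hex-encoded inside \objdata (contiguous; fast atom).
        $clsid_hex102 = "41374fb5075bcf11A4B000AA004A55E8" nocase ascii
        // Same bytes tolerating whitespace/CRLF between byte pairs (Word line-wraps \objdata hex and
        // the loader ignores the whitespace). Splits inside a byte pair are not covered; short atoms
        // make this slower than the plain string.
        $clsid_hex102_ws = /41\s*37\s*4f\s*b5\s*07\s*5b\s*cf\s*11\s*a4\s*b0\s*00\s*aa\s*00\s*4a\s*55\s*e8/ nocase
    condition:
        // 0x5C7B is "{\" read little-endian at offset 0.
        filesize < 15MB and (uint16(0) == 0x5C7B) and 1 of ($embedded*) and 1 of ($clsid*)
}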
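rule Methodology_RTFEngine_OLE_CLSID_AdobeAcrobatDocument {
    meta:
        author = "stvemillertime"
        description = "RTF with an embedded OLE object whose CLSID is Adobe Acrobat Document / PDF file (B801CA65-A1FC-11D0-85AD-444553540000). Methodology rule: check prevalence before alerting on it."
        reference = "https://github.com/decalage2/oletools/blob/master/oletools/common/clsid.py"
    strings:
        // RTF control words that indicate an embedded or linked object is present.
        $embedded_object = "\\object" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_oleclass = "\\oleclsid" nocase
        // CLSID in registry/text form (as it appears after \oleclsid).
        $clsid_a104 = "B801CA65-A1FC-11D0-85AD-444553540000" nocase ascii
        // Same CLSID as little-endian GUID bytes, hex-encoded inside \objdata (contiguous; fast atom).
        $clsid_hex103 = "65ca01b8fca1d01185AD444553540000" nocase ascii
        // Same bytes tolerating whitespace/CRLF between byte pairs (Word line-wraps \objdata hex and
        // the loader ignores the whitespace). Splits inside a byte pair are not covered; short atoms
        // make this slower than the plain string.
        $clsid_hex103_ws = /65\s*ca\s*01\s*b8\s*fc\s*a1\s*d0\s*11\s*85\s*ad\s*44\s*45\s*53\s*54\s*00\s*00/ nocase
    condition:
        // 0x5C7B is "{\" read little-endian at offset 0.
        filesize < 15MB and (uint16(0) == 0x5C7B) and 1 of ($embedded*) and 1 of ($clsid*)
}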
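rule Methodology_RTFEngine_OLE_CLSID_MSCOMCTLListViewCtrl_2 {
    meta:
        author = "stvemillertime"
        description = "RTF with an embedded OLE object whose CLSID is MSCOMCTL.ListViewCtrl (BDD1F04B-858B-11D1-B16A-00C0F0283628), a control that may trigger CVE-2012-0158. Methodology rule: check prevalence before alerting on it."
        reference = "https://github.com/decalage2/oletools/blob/master/oletools/common/clsid.py"
    strings:
        // RTF control words that indicate an embedded or linked object is present.
        $embedded_object = "\\object" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_oleclass = "\\oleclsid" nocase
        // CLSID in registry/text form (as it appears after \oleclsid).
        $clsid_a105 = "BDD1F04B-858B-11D1-B16A-00C0F0283628" nocase ascii
        // Same CLSID as little-endian GUID bytes, hex-encoded inside \objdata (contiguous; fast atom).
        $clsid_hex104 = "4bf0d1bd8b85d111B16A00C0F0283628" nocase ascii
        // Same bytes tolerating whitespace/CRLF between byte pairs (Word line-wraps \objdata hex and
        // the loader ignores the whitespace). Splits inside a byte pair are not covered; short atoms
        // make this slower than the plain string.
        $clsid_hex104_ws = /4b\s*f0\s*d1\s*bd\s*8b\s*85\s*d1\s*11\s*b1\s*6a\s*00\s*c0\s*f0\s*28\s*36\s*28/ nocase
    condition:
        // 0x5C7B is "{\" read little-endian at offset 0.
        filesize < 15MB and (uint16(0) == 0x5C7B) and 1 of ($embedded*) and 1 of ($clsid*)
}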
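rule Methodology_RTFEngine_OLE_CLSID_ShellBrowserWindow {
    meta:
        author = "stvemillertime"
        description = "RTF with an embedded OLE object whose CLSID is ShellBrowserWindow (C08AFD90-F2A1-11D1-8455-00A0C91F3880). Methodology rule: check prevalence before alerting on it."
        reference = "https://github.com/decalage2/oletools/blob/master/oletools/common/clsid.py"
    strings:
        // RTF control words that indicate an embedded or linked object is present.
        $embedded_object = "\\object" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_oleclass = "\\oleclsid" nocase
        // CLSID in registry/text form (as it appears after \oleclsid).
        $clsid_a106 = "C08AFD90-F2A1-11D1-8455-00A0C91F3880" nocase ascii
        // Same CLSID as little-endian GUID bytes, hex-encoded inside \objdata (contiguous; fast atom).
        $clsid_hex105 = "90fd8ac0a1f2d111845500A0C91F3880" nocase ascii
        // Same bytes tolerating whitespace/CRLF between byte pairs (Word line-wraps \objdata hex and
        // the loader ignores the whitespace). Splits inside a byte pair are not covered; short atoms
        // make this slower than the plain string.
        $clsid_hex105_ws = /90\s*fd\s*8a\s*c0\s*a1\s*f2\s*d1\s*11\s*84\s*55\s*00\s*a0\s*c9\s*1f\s*38\s*80/ nocase
    condition:
        // 0x5C7B is "{\" read little-endian at offset 0.
        filesize < 15MB and (uint16(0) == 0x5C7B) and 1 of ($embedded*) and 1 of ($clsid*)
}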
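rule Methodology_RTFEngine_OLE_CLSID_FormsForm {
    meta:
        author = "stvemillertime"
        description = "RTF with an embedded OLE object whose CLSID is Forms.Form (C62A69F0-16DC-11CE-9E98-00AA00574A4F). Methodology rule: check prevalence before alerting on it."
        reference = "https://github.com/decalage2/oletools/blob/master/oletools/common/clsid.py"
    strings:
        // RTF control words that indicate an embedded or linked object is present.
        $embedded_object = "\\object" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_oleclass = "\\oleclsid" nocase
        // CLSID in registry/text form (as it appears after \oleclsid).
        $clsid_a107 = "C62A69F0-16DC-11CE-9E98-00AA00574A4F" nocase ascii
        // Same CLSID as little-endian GUID bytes, hex-encoded inside \objdata (contiguous; fast atom).
        $clsid_hex106 = "f0692ac6dc16ce119E9800AA00574A4F" nocase ascii
        // Same bytes tolerating whitespace/CRLF between byte pairs (Word line-wraps \objdata hex and
        // the loader ignores the whitespace). Splits inside a byte pair are not covered; short atoms
        // make this slower than the plain string.
        $clsid_hex106_ws = /f0\s*69\s*2a\s*c6\s*dc\s*16\s*ce\s*11\s*9e\s*98\s*00\s*aa\s*00\s*57\s*4a\s*4f/ nocase
    condition:
        // 0x5C7B is "{\" read little-endian at offset 0.
        filesize < 15MB and (uint16(0) == 0x5C7B) and 1 of ($embedded*) and 1 of ($clsid*)
}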
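rule Methodology_RTFEngine_OLE_CLSID_MSCOMCTLTreeCtrl_2 {
    meta:
        author = "stvemillertime"
        description = "RTF with an embedded OLE object whose CLSID is MSCOMCTL.TreeCtrl (C74190B6-8589-11D1-B16A-00C0F0283628), a control that may trigger CVE-2012-0158. Methodology rule: check prevalence before alerting on it."
        reference = "https://github.com/decalage2/oletools/blob/master/oletools/common/clsid.py"
    strings:
        // RTF control words that indicate an embedded or linked object is present.
        $embedded_object = "\\object" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_oleclass = "\\oleclsid" nocase
        // CLSID in registry/text form (as it appears after \oleclsid).
        $clsid_a108 = "C74190B6-8589-11D1-B16A-00C0F0283628" nocase ascii
        // Same CLSID as little-endian GUID bytes, hex-encoded inside \objdata (contiguous; fast atom).
        $clsid_hex107 = "b69041c78985d111B16A00C0F0283628" nocase ascii
        // Same bytes tolerating whitespace/CRLF between byte pairs (Word line-wraps \objdata hex and
        // the loader ignores the whitespace). Splits inside a byte pair are not covered; short atoms
        // make this slower than the plain string.
        $clsid_hex107_ws = /b6\s*90\s*41\s*c7\s*89\s*85\s*d1\s*11\s*b1\s*6a\s*00\s*c0\s*f0\s*28\s*36\s*28/ nocase
    condition:
        // 0x5C7B is "{\" read little-endian at offset 0.
        filesize < 15MB and (uint16(0) == 0x5C7B) and 1 of ($embedded*) and 1 of ($clsid*)
}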
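rule Methodology_RTFEngine_OLE_CLSID_UmOutlookAddinRoomsCTP {
    meta:
        author = "stvemillertime"
        description = "RTF with an embedded OLE object whose CLSID is UmOutlookAddin.RoomsCTP (CCD068CD-1260-4AEA-B040-A87974EB3AEF); potential exploit document for CVE-2016-0042 / MS16-014. Methodology rule: check prevalence before alerting on it."
        reference = "https://github.com/decalage2/oletools/blob/master/oletools/common/clsid.py"
    strings:
        // RTF control words that indicate an embedded or linked object is present.
        $embedded_object = "\\object" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_oleclass = "\\oleclsid" nocase
        // CLSID in registry/text form (as it appears after \oleclsid).
        $clsid_a109 = "CCD068CD-1260-4AEA-B040-A87974EB3AEF" nocase ascii
        // Same CLSID as little-endian GUID bytes, hex-encoded inside \objdata (contiguous; fast atom).
        $clsid_hex108 = "cd68d0cc6012ea4aB040A87974EB3AEF" nocase ascii
        // Same bytes tolerating whitespace/CRLF between byte pairs (Word line-wraps \objdata hex and
        // the loader ignores the whitespace). Splits inside a byte pair are not covered; short atoms
        // make this slower than the plain string.
        $clsid_hex108_ws = /cd\s*68\s*d0\s*cc\s*60\s*12\s*ea\s*4a\s*b0\s*40\s*a8\s*79\s*74\s*eb\s*3a\s*ef/ nocase
    condition:
        // 0x5C7B is "{\" read little-endian at offset 0.
        filesize < 15MB and (uint16(0) == 0x5C7B) and 1 of ($embedded*) and 1 of ($clsid*)
}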
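rule Methodology_RTFEngine_OLE_CLSID_osfSandbox {
    meta:
        author = "stvemillertime"
        description = "RTF with an embedded OLE object whose CLSID is osf.Sandbox (CDDBCC7C-BE18-4A58-9CBF-D62A012272CE); known related to CVE-2015-1770. Methodology rule: check prevalence before alerting on it."
        reference = "https://github.com/decalage2/oletools/blob/master/oletools/common/clsid.py"
    strings:
        // RTF control words that indicate an embedded or linked object is present.
        $embedded_object = "\\object" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_oleclass = "\\oleclsid" nocase
        // CLSID in registry/text form (as it appears after \oleclsid).
        $clsid_a110 = "CDDBCC7C-BE18-4A58-9CBF-D62A012272CE" nocase ascii
        // Same CLSID as little-endian GUID bytes, hex-encoded inside \objdata (contiguous; fast atom).
        $clsid_hex109 = "7cccdbcd18be584a9CBFD62A012272CE" nocase ascii
        // Same bytes tolerating whitespace/CRLF between byte pairs (Word line-wraps \objdata hex and
        // the loader ignores the whitespace). Splits inside a byte pair are not covered; short atoms
        // make this slower than the plain string.
        $clsid_hex109_ws = /7c\s*cc\s*db\s*cd\s*18\s*be\s*58\s*4a\s*9c\s*bf\s*d6\s*2a\s*01\s*22\s*72\s*ce/ nocase
    condition:
        // 0x5C7B is "{\" read little-endian at offset 0.
        filesize < 15MB and (uint16(0) == 0x5C7B) and 1 of ($embedded*) and 1 of ($clsid*)
}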
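rule Methodology_RTFEngine_OLE_CLSID_UmOutlookAddinInspectorContext {
    meta:
        author = "stvemillertime"
        description = "RTF with an embedded OLE object whose CLSID is UmOutlookAddin.InspectorContext (CDF1C8AA-2D25-43C7-8AFE-01F73A3C66DA); potential exploit document for CVE-2016-0042 / MS16-014. Methodology rule: check prevalence before alerting on it."
        reference = "https://github.com/decalage2/oletools/blob/master/oletools/common/clsid.py"
    strings:
        // RTF control words that indicate an embedded or linked object is present.
        $embedded_object = "\\object" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_oleclass = "\\oleclsid" nocase
        // CLSID in registry/text form (as it appears after \oleclsid).
        $clsid_a111 = "CDF1C8AA-2D25-43C7-8AFE-01F73A3C66DA" nocase ascii
        // Same CLSID as little-endian GUID bytes, hex-encoded inside \objdata (contiguous; fast atom).
        $clsid_hex110 = "aac8f1cd252dc7438AFE01F73A3C66DA" nocase ascii
        // Same bytes tolerating whitespace/CRLF between byte pairs (Word line-wraps \objdata hex and
        // the loader ignores the whitespace). Splits inside a byte pair are not covered; short atoms
        // make this slower than the plain string.
        $clsid_hex110_ws = /aa\s*c8\s*f1\s*cd\s*25\s*2d\s*c7\s*43\s*8a\s*fe\s*01\s*f7\s*3a\s*3c\s*66\s*da/ nocase
    condition:
        // 0x5C7B is "{\" read little-endian at offset 0.
        filesize < 15MB and (uint16(0) == 0x5C7B) and 1 of ($embedded*) and 1 of ($clsid*)
}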
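rule Methodology_RTFEngine_OLE_CLSID_PowerpointShow12 {
    meta:
        author = "stvemillertime"
        description = "RTF with an embedded OLE object whose CLSID is Microsoft Powerpoint.Show.12 (CF4F55F4-8F87-4D47-80BB-5808164BB3F8). Methodology rule: check prevalence before alerting on it."
        reference = "https://github.com/decalage2/oletools/blob/master/oletools/common/clsid.py"
    strings:
        // RTF control words that indicate an embedded or linked object is present.
        $embedded_object = "\\object" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_oleclass = "\\oleclsid" nocase
        // CLSID in registry/text form (as it appears after \oleclsid).
        $clsid_a112 = "CF4F55F4-8F87-4D47-80BB-5808164BB3F8" nocase ascii
        // Same CLSID as little-endian GUID bytes, hex-encoded inside \objdata (contiguous; fast atom).
        $clsid_hex111 = "f4554fcf878f474d80BB5808164BB3F8" nocase ascii
        // Same bytes tolerating whitespace/CRLF between byte pairs (Word line-wraps \objdata hex and
        // the loader ignores the whitespace). Splits inside a byte pair are not covered; short atoms
        // make this slower than the plain string.
        $clsid_hex111_ws = /f4\s*55\s*4f\s*cf\s*87\s*8f\s*47\s*4d\s*80\s*bb\s*58\s*08\s*16\s*4b\s*b3\s*f8/ nocase
    condition:
        // 0x5C7B is "{\" read little-endian at offset 0.
        filesize < 15MB and (uint16(0) == 0x5C7B) and 1 of ($embedded*) and 1 of ($clsid*)
}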
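rule Methodology_RTFEngine_OLE_CLSID_ShockwaveFlashObject {
    meta:
        author = "stvemillertime"
        description = "RTF with an embedded OLE object whose CLSID is Shockwave Flash Object (D27CDB6E-AE6D-11CF-96B8-444553540000), which may trigger many Flash CVEs. Methodology rule: check prevalence before alerting on it."
        reference = "https://github.com/decalage2/oletools/blob/master/oletools/common/clsid.py"
    strings:
        // RTF control words that indicate an embedded or linked object is present.
        $embedded_object = "\\object" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_oleclass = "\\oleclsid" nocase
        // CLSID in registry/text form (as it appears after \oleclsid).
        $clsid_a113 = "D27CDB6E-AE6D-11CF-96B8-444553540000" nocase ascii
        // Same CLSID as little-endian GUID bytes, hex-encoded inside \objdata (contiguous; fast atom).
        $clsid_hex112 = "6edb7cd26daecf1196B8444553540000" nocase ascii
        // Same bytes tolerating whitespace/CRLF between byte pairs (Word line-wraps \objdata hex and
        // the loader ignores the whitespace). Splits inside a byte pair are not covered; short atoms
        // make this slower than the plain string.
        $clsid_hex112_ws = /6e\s*db\s*7c\s*d2\s*6d\s*ae\s*cf\s*11\s*96\s*b8\s*44\s*45\s*53\s*54\s*00\s*00/ nocase
    condition:
        // 0x5C7B is "{\" read little-endian at offset 0.
        filesize < 15MB and (uint16(0) == 0x5C7B) and 1 of ($embedded*) and 1 of ($clsid*)
}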
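rule Methodology_RTFEngine_OLE_CLSID_ShockwaveFlashObject_2 {
    meta:
        author = "stvemillertime"
        description = "RTF with an embedded OLE object whose CLSID is Shockwave Flash Object (D27CDB70-AE6D-11CF-96B8-444553540000), which may trigger many Flash CVEs. Methodology rule: check prevalence before alerting on it."
        reference = "https://github.com/decalage2/oletools/blob/master/oletools/common/clsid.py"
    strings:
        // RTF control words that indicate an embedded or linked object is present.
        $embedded_object = "\\object" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_oleclass = "\\oleclsid" nocase
        // CLSID in registry/text form (as it appears after \oleclsid).
        $clsid_a114 = "D27CDB70-AE6D-11CF-96B8-444553540000" nocase ascii
        // Same CLSID as little-endian GUID bytes, hex-encoded inside \objdata (contiguous; fast atom).
        $clsid_hex113 = "70db7cd26daecf1196B8444553540000" nocase ascii
        // Same bytes tolerating whitespace/CRLF between byte pairs (Word line-wraps \objdata hex and
        // the loader ignores the whitespace). Splits inside a byte pair are not covered; short atoms
        // make this slower than the plain string.
        $clsid_hex113_ws = /70\s*db\s*7c\s*d2\s*6d\s*ae\s*cf\s*11\s*96\s*b8\s*44\s*45\s*53\s*54\s*00\s*00/ nocase
    condition:
        // 0x5C7B is "{\" read little-endian at offset 0.
        filesize < 15MB and (uint16(0) == 0x5C7B) and 1 of ($embedded*) and 1 of ($clsid*)
}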
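rule Methodology_RTFEngine_OLE_CLSID_UmOutlookAddinPlayOnPhoneDlg {
    meta:
        author = "stvemillertime"
        description = "RTF with an embedded OLE object whose CLSID is UmOutlookAddin.PlayOnPhoneDlg (D50FED35-0A08-4B17-B3E0-A8DD0EDE375D); potential exploit document for CVE-2016-0042 / MS16-014. Methodology rule: check prevalence before alerting on it."
        reference = "https://github.com/decalage2/oletools/blob/master/oletools/common/clsid.py"
    strings:
        // RTF control words that indicate an embedded or linked object is present.
        $embedded_object = "\\object" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_oleclass = "\\oleclsid" nocase
        // CLSID in registry/text form (as it appears after \oleclsid).
        $clsid_a115 = "D50FED35-0A08-4B17-B3E0-A8DD0EDE375D" nocase ascii
        // Same CLSID as little-endian GUID bytes, hex-encoded inside \objdata (contiguous; fast atom).
        $clsid_hex114 = "35ed0fd5080a174bB3E0A8DD0EDE375D" nocase ascii
        // Same bytes tolerating whitespace/CRLF between byte pairs (Word line-wraps \objdata hex and
        // the loader ignores the whitespace). Splits inside a byte pair are not covered; short atoms
        // make this slower than the plain string.
        $clsid_hex114_ws = /35\s*ed\s*0f\s*d5\s*08\s*0a\s*17\s*4b\s*b3\s*e0\s*a8\s*dd\s*0e\s*de\s*37\s*5d/ nocase
    condition:
        // 0x5C7B is "{\" read little-endian at offset 0.
        filesize < 15MB and (uint16(0) == 0x5C7B) and 1 of ($embedded*) and 1 of ($clsid*)
}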
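rule Methodology_RTFEngine_OLE_CLSID_Forms20CommandButton {
    meta:
        author = "stvemillertime"
        description = "RTF with an embedded OLE object whose CLSID is Microsoft Forms 2.0 CommandButton (D7053240-CE69-11CD-A777-00DD01143C57). Methodology rule: check prevalence before alerting on it."
        reference = "https://github.com/decalage2/oletools/blob/master/oletools/common/clsid.py"
    strings:
        // RTF control words that indicate an embedded or linked object is present.
        $embedded_object = "\\object" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_oleclass = "\\oleclsid" nocase
        // CLSID in registry/text form (as it appears after \oleclsid).
        $clsid_a116 = "D7053240-CE69-11CD-A777-00DD01143C57" nocase ascii
        // Same CLSID as little-endian GUID bytes, hex-encoded inside \objdata (contiguous; fast atom).
        $clsid_hex115 = "403205d769cecd11A77700DD01143C57" nocase ascii
        // Same bytes tolerating whitespace/CRLF between byte pairs (Word line-wraps \objdata hex and
        // the loader ignores the whitespace). Splits inside a byte pair are not covered; short atoms
        // make this slower than the plain string.
        $clsid_hex115_ws = /40\s*32\s*05\s*d7\s*69\s*ce\s*cd\s*11\s*a7\s*77\s*00\s*dd\s*01\s*14\s*3c\s*57/ nocase
    condition:
        // 0x5C7B is "{\" read little-endian at offset 0.
        filesize < 15MB and (uint16(0) == 0x5C7B) and 1 of ($embedded*) and 1 of ($clsid*)
}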
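rule Methodology_RTFEngine_OLE_CLSID_AutoCAD2010 {
    meta:
        author = "stvemillertime"
        description = "RTF with an embedded OLE object whose CLSID is AutoCAD 2010-2012 Document (D70E31AD-2614-49F2-B0FC-ACA781D81F3E). Methodology rule: check prevalence before alerting on it."
        reference = "https://github.com/decalage2/oletools/blob/master/oletools/common/clsid.py"
    strings:
        // RTF control words that indicate an embedded or linked object is present.
        $embedded_object = "\\object" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_oleclass = "\\oleclsid" nocase
        // CLSID in registry/text form (as it appears after \oleclsid).
        $clsid_a117 = "D70E31AD-2614-49F2-B0FC-ACA781D81F3E" nocase ascii
        // Same CLSID as little-endian GUID bytes, hex-encoded inside \objdata (contiguous; fast atom).
        $clsid_hex116 = "ad310ed71426f249B0FCACA781D81F3E" nocase ascii
        // Same bytes tolerating whitespace/CRLF between byte pairs (Word line-wraps \objdata hex and
        // the loader ignores the whitespace). Splits inside a byte pair are not covered; short atoms
        // make this slower than the plain string.
        $clsid_hex116_ws = /ad\s*31\s*0e\s*d7\s*14\s*26\s*f2\s*49\s*b0\s*fc\s*ac\s*a7\s*81\s*d8\s*1f\s*3e/ nocase
    condition:
        // 0x5C7B is "{\" read little-endian at offset 0.
        filesize < 15MB and (uint16(0) == 0x5C7B) and 1 of ($embedded*) and 1 of ($clsid*)
}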
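rule Methodology_RTFEngine_OLE_CLSID_WUAEXTDLL_2 {
    meta:
        author = "stvemillertime"
        description = "RTF with an embedded OLE object whose CLSID (D93CE8B5-3BF8-462C-A03F-DED2730078BA) loads WUAEXT.DLL; known related to CVE-2015-6128. Methodology rule: check prevalence before alerting on it."
        reference = "https://github.com/decalage2/oletools/blob/master/oletools/common/clsid.py"
    strings:
        // RTF control words that indicate an embedded or linked object is present.
        $embedded_object = "\\object" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_oleclass = "\\oleclsid" nocase
        // CLSID in registry/text form (as it appears after \oleclsid).
        $clsid_a118 = "D93CE8B5-3BF8-462C-A03F-DED2730078BA" nocase ascii
        // Same CLSID as little-endian GUID bytes, hex-encoded inside \objdata (contiguous; fast atom).
        $clsid_hex117 = "b5e83cd9f83b2c46A03FDED2730078BA" nocase ascii
        // Same bytes tolerating whitespace/CRLF between byte pairs (Word line-wraps \objdata hex and
        // the loader ignores the whitespace). Splits inside a byte pair are not covered; short atoms
        // make this slower than the plain string.
        $clsid_hex117_ws = /b5\s*e8\s*3c\s*d9\s*f8\s*3b\s*2c\s*46\s*a0\s*3f\s*de\s*d2\s*73\s*00\s*78\s*ba/ nocase
    condition:
        // 0x5C7B is "{\" read little-endian at offset 0.
        filesize < 15MB and (uint16(0) == 0x5C7B) and 1 of ($embedded*) and 1 of ($clsid*)
}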
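rule Methodology_RTFEngine_OLE_CLSID_MSCOMCTLImageComboCtrl {
    meta:
        author = "stvemillertime"
        description = "RTF with an embedded OLE object whose CLSID is MSCOMCTL.ImageComboCtrl (DD9DA666-8594-11D1-B16A-00C0F0283628), a control that may trigger CVE-2014-1761. Methodology rule: check prevalence before alerting on it."
        reference = "https://github.com/decalage2/oletools/blob/master/oletools/common/clsid.py"
        reference2 = "https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=652438"
    strings:
        // RTF control words that indicate an embedded or linked object is present.
        $embedded_object = "\\object" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_oleclass = "\\oleclsid" nocase
        // CLSID in registry/text form (as it appears after \oleclsid).
        $clsid_a119 = "DD9DA666-8594-11D1-B16A-00C0F0283628" nocase ascii
        // Same CLSID as little-endian GUID bytes, hex-encoded inside \objdata (contiguous; fast atom).
        $clsid_hex118 = "66a69ddd9485d111B16A00C0F0283628" nocase ascii
        // Same bytes tolerating whitespace/CRLF between byte pairs (Word line-wraps \objdata hex and
        // the loader ignores the whitespace). Splits inside a byte pair are not covered; short atoms
        // make this slower than the plain string.
        $clsid_hex118_ws = /66\s*a6\s*9d\s*dd\s*94\s*85\s*d1\s*11\s*b1\s*6a\s*00\s*c0\s*f0\s*28\s*36\s*28/ nocase
    condition:
        // 0x5C7B is "{\" read little-endian at offset 0.
        filesize < 15MB and (uint16(0) == 0x5C7B) and 1 of ($embedded*) and 1 of ($clsid*)
}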
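rule Methodology_RTFEngine_OLE_CLSID_pythoncomloader27dll {
    meta:
        author = "stvemillertime"
        description = "RTF with an embedded OLE object whose CLSID is pythoncomloader27.dll (DF630910-1C1D-11D0-AE36-8C0F5E000000); related to CVE-2021-27058. Methodology rule: check prevalence before alerting on it."
        reference = "https://github.com/decalage2/oletools/blob/master/oletools/common/clsid.py"
    strings:
        // RTF control words that indicate an embedded or linked object is present.
        $embedded_object = "\\object" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_oleclass = "\\oleclsid" nocase
        // CLSID in registry/text form (as it appears after \oleclsid).
        $clsid_a120 = "DF630910-1C1D-11D0-AE36-8C0F5E000000" nocase ascii
        // Same CLSID as little-endian GUID bytes, hex-encoded inside \objdata (contiguous; fast atom).
        $clsid_hex119 = "100963df1d1cd011AE368C0F5E000000" nocase ascii
        // Same bytes tolerating whitespace/CRLF between byte pairs (Word line-wraps \objdata hex and
        // the loader ignores the whitespace). Splits inside a byte pair are not covered; short atoms
        // make this slower than the plain string.
        $clsid_hex119_ws = /10\s*09\s*63\s*df\s*1d\s*1c\s*d0\s*11\s*ae\s*36\s*8c\s*0f\s*5e\s*00\s*00\s*00/ nocase
    condition:
        // 0x5C7B is "{\" read little-endian at offset 0.
        filesize < 15MB and (uint16(0) == 0x5C7B) and 1 of ($embedded*) and 1 of ($clsid*)
}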
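rule Methodology_RTFEngine_OLE_CLSID_SilverlightObjects {
    meta:
        author = "stvemillertime"
        description = "RTF with an embedded OLE object whose CLSID is Silverlight Objects (DFEAF541-F3E1-4C24-ACAC-99C30715084A). Methodology rule: check prevalence before alerting on it."
        reference = "https://github.com/decalage2/oletools/blob/master/oletools/common/clsid.py"
    strings:
        // RTF control words that indicate an embedded or linked object is present.
        $embedded_object = "\\object" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_oleclass = "\\oleclsid" nocase
        // CLSID in registry/text form (as it appears after \oleclsid).
        $clsid_a121 = "DFEAF541-F3E1-4C24-ACAC-99C30715084A" nocase ascii
        // Same CLSID as little-endian GUID bytes, hex-encoded inside \objdata (contiguous; fast atom).
        $clsid_hex120 = "41f5eadfe1f3244cACAC99C30715084A" nocase ascii
        // Same bytes tolerating whitespace/CRLF between byte pairs (Word line-wraps \objdata hex and
        // the loader ignores the whitespace). Splits inside a byte pair are not covered; short atoms
        // make this slower than the plain string.
        $clsid_hex120_ws = /41\s*f5\s*ea\s*df\s*e1\s*f3\s*24\s*4c\s*ac\s*ac\s*99\s*c3\s*07\s*15\s*08\s*4a/ nocase
    condition:
        // 0x5C7B is "{\" read little-endian at offset 0.
        filesize < 15MB and (uint16(0) == 0x5C7B) and 1 of ($embedded*) and 1 of ($clsid*)
}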
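rule Methodology_RTFEngine_OLE_CLSID_InkEdInkEdit {
    meta:
        author = "stvemillertime"
        description = "RTF with an embedded OLE object whose CLSID is InkEd.InkEdit (E5CA59F5-57C4-4DD8-9BD6-1DEEEDD27AF4). Methodology rule: check prevalence before alerting on it."
        reference = "https://github.com/decalage2/oletools/blob/master/oletools/common/clsid.py"
    strings:
        // RTF control words that indicate an embedded or linked object is present.
        $embedded_object = "\\object" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_oleclass = "\\oleclsid" nocase
        // CLSID in registry/text form (as it appears after \oleclsid).
        $clsid_a122 = "E5CA59F5-57C4-4DD8-9BD6-1DEEEDD27AF4" nocase ascii
        // Same CLSID as little-endian GUID bytes, hex-encoded inside \objdata (contiguous; fast atom).
        $clsid_hex121 = "f559cae5c457d84d9BD61DEEEDD27AF4" nocase ascii
        // Same bytes tolerating whitespace/CRLF between byte pairs (Word line-wraps \objdata hex and
        // the loader ignores the whitespace). Splits inside a byte pair are not covered; short atoms
        // make this slower than the plain string.
        $clsid_hex121_ws = /f5\s*59\s*ca\s*e5\s*c4\s*57\s*d8\s*4d\s*9b\s*d6\s*1d\s*ee\s*ed\s*d2\s*7a\s*f4/ nocase
    condition:
        // 0x5C7B is "{\" read little-endian at offset 0.
        filesize < 15MB and (uint16(0) == 0x5C7B) and 1 of ($embedded*) and 1 of ($clsid*)
}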
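rule Methodology_RTFEngine_OLE_CLSID_MSDAORA1 {
    meta:
        author = "stvemillertime"
        description = "RTF with an embedded OLE object whose CLSID is MSDAORA.1 (E8CC4CBE-FDFF-11D0-B865-00A0C9081C1D); the source list flags it as a potential exploit vector but names no CVE. Methodology rule: check prevalence before alerting on it."
        reference = "https://github.com/decalage2/oletools/blob/master/oletools/common/clsid.py"
    strings:
        // RTF control words that indicate an embedded or linked object is present.
        $embedded_object = "\\object" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_oleclass = "\\oleclsid" nocase
        // CLSID in registry/text form (as it appears after \oleclsid).
        $clsid_a123 = "E8CC4CBE-FDFF-11D0-B865-00A0C9081C1D" nocase ascii
        // Same CLSID as little-endian GUID bytes, hex-encoded inside \objdata (contiguous; fast atom).
        $clsid_hex122 = "be4ccce8fffdd011B86500A0C9081C1D" nocase ascii
        // Same bytes tolerating whitespace/CRLF between byte pairs (Word line-wraps \objdata hex and
        // the loader ignores the whitespace). Splits inside a byte pair are not covered; short atoms
        // make this slower than the plain string.
        $clsid_hex122_ws = /be\s*4c\s*cc\s*e8\s*ff\s*fd\s*d0\s*11\s*b8\s*65\s*00\s*a0\s*c9\s*08\s*1c\s*1d/ nocase
    condition:
        // 0x5C7B is "{\" read little-endian at offset 0.
        filesize < 15MB and (uint16(0) == 0x5C7B) and 1 of ($embedded*) and 1 of ($clsid*)
}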
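rule Methodology_RTFEngine_OLE_CLSID_OCIDLL {
    meta:
        author = "stvemillertime"
        description = "RTF with an embedded OLE object whose CLSID (E8CC4CBF-FDFF-11D0-B865-00A0C9081C1D) loads OCI.DLL; known related to CVE-2015-6128. Methodology rule: check prevalence before alerting on it."
        reference = "https://github.com/decalage2/oletools/blob/master/oletools/common/clsid.py"
    strings:
        // RTF control words that indicate an embedded or linked object is present.
        $embedded_object = "\\object" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_oleclass = "\\oleclsid" nocase
        // CLSID in registry/text form (as it appears after \oleclsid).
        $clsid_a124 = "E8CC4CBF-FDFF-11D0-B865-00A0C9081C1D" nocase ascii
        // Same CLSID as little-endian GUID bytes, hex-encoded inside \objdata (contiguous; fast atom).
        $clsid_hex123 = "bf4ccce8fffdd011B86500A0C9081C1D" nocase ascii
        // Same bytes tolerating whitespace/CRLF between byte pairs (Word line-wraps \objdata hex and
        // the loader ignores the whitespace). Splits inside a byte pair are not covered; short atoms
        // make this slower than the plain string.
        $clsid_hex123_ws = /bf\s*4c\s*cc\s*e8\s*ff\s*fd\s*d0\s*11\s*b8\s*65\s*00\s*a0\s*c9\s*08\s*1c\s*1d/ nocase
    condition:
        // 0x5C7B is "{\" read little-endian at offset 0.
        filesize < 15MB and (uint16(0) == 0x5C7B) and 1 of ($embedded*) and 1 of ($clsid*)
}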
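rule Methodology_RTFEngine_OLE_CLSID_NewMoniker {
    meta:
        author = "stvemillertime"
        description = "RTF with an embedded OLE object whose CLSID is New Moniker (ECABAFC6-7F19-11D2-978E-0000F8757E2A). Methodology rule: check prevalence before alerting on it."
        reference = "https://github.com/decalage2/oletools/blob/master/oletools/common/clsid.py"
    strings:
        // RTF control words that indicate an embedded or linked object is present.
        $embedded_object = "\\object" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_oleclass = "\\oleclsid" nocase
        // CLSID in registry/text form (as it appears after \oleclsid).
        $clsid_a125 = "ECABAFC6-7F19-11D2-978E-0000F8757E2A" nocase ascii
        // Same CLSID as little-endian GUID bytes, hex-encoded inside \objdata (contiguous; fast atom).
        $clsid_hex124 = "c6afabec197fd211978E0000F8757E2A" nocase ascii
        // Same bytes tolerating whitespace/CRLF between byte pairs (Word line-wraps \objdata hex and
        // the loader ignores the whitespace). Splits inside a byte pair are not covered; short atoms
        // make this slower than the plain string.
        $clsid_hex124_ws = /c6\s*af\s*ab\s*ec\s*19\s*7f\s*d2\s*11\s*97\s*8e\s*00\s*00\s*f8\s*75\s*7e\s*2a/ nocase
    condition:
        // 0x5C7B is "{\" read little-endian at offset 0.
        filesize < 15MB and (uint16(0) == 0x5C7B) and 1 of ($embedded*) and 1 of ($clsid*)
}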
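rule Methodology_RTFEngine_OLE_CLSID_MQRTDLL {
    meta:
        author = "stvemillertime"
        description = "RTF with an embedded OLE object whose CLSID (ECABAFC9-7F19-11D2-978E-0000F8757E2A) loads MQRT.DLL; known related to CVE-2015-6128. Methodology rule: check prevalence before alerting on it."
        reference = "https://github.com/decalage2/oletools/blob/master/oletools/common/clsid.py"
    strings:
        // RTF control words that indicate an embedded or linked object is present.
        $embedded_object = "\\object" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_oleclass = "\\oleclsid" nocase
        // CLSID in registry/text form (as it appears after \oleclsid).
        $clsid_a126 = "ECABAFC9-7F19-11D2-978E-0000F8757E2A" nocase ascii
        // Same CLSID as little-endian GUID bytes, hex-encoded inside \objdata (contiguous; fast atom).
        $clsid_hex125 = "c9afabec197fd211978E0000F8757E2A" nocase ascii
        // Same bytes tolerating whitespace/CRLF between byte pairs (Word line-wraps \objdata hex and
        // the loader ignores the whitespace). Splits inside a byte pair are not covered; short atoms
        // make this slower than the plain string.
        $clsid_hex125_ws = /c9\s*af\s*ab\s*ec\s*19\s*7f\s*d2\s*11\s*97\s*8e\s*00\s*00\s*f8\s*75\s*7e\s*2a/ nocase
    condition:
        // 0x5C7B is "{\" read little-endian at offset 0.
        filesize < 15MB and (uint16(0) == 0x5C7B) and 1 of ($embedded*) and 1 of ($clsid*)
}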
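// NOTE(review): the rule name is a leftover placeholder from generation; this is the SOAP Moniker
// CLSID. The name is kept so existing references keep working, but it should be renamed to
// ..._SOAPMoniker once every consumer of this ruleset has been updated.
rule Methodology_RTFEngine_OLE_CLSID_SOMETHING {
    meta:
        author = "stvemillertime"
        description = "RTF with an embedded OLE object whose CLSID is SOAP Moniker (ECABB0C7-7F19-11D2-978E-0000F8757E2A), which may trigger CVE-2017-8759. Methodology rule: check prevalence before alerting on it."
        reference = "https://github.com/decalage2/oletools/blob/master/oletools/common/clsid.py"
    strings:
        // RTF control words that indicate an embedded or linked object is present.
        $embedded_object = "\\object" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_oleclass = "\\oleclsid" nocase
        // CLSID in registry/text form (as it appears after \oleclsid).
        $clsid_a127 = "ECABB0C7-7F19-11D2-978E-0000F8757E2A" nocase ascii
        // Same CLSID as little-endian GUID bytes, hex-encoded inside \objdata (contiguous; fast atom).
        $clsid_hex126 = "c7b0abec197fd211978E0000F8757E2A" nocase ascii
        // Same bytes tolerating whitespace/CRLF between byte pairs (Word line-wraps \objdata hex and
        // the loader ignores the whitespace). Splits inside a byte pair are not covered; short atoms
        // make this slower than the plain string.
        $clsid_hex126_ws = /c7\s*b0\s*ab\s*ec\s*19\s*7f\s*d2\s*11\s*97\s*8e\s*00\s*00\s*f8\s*75\s*7e\s*2a/ nocase
    condition:
        // 0x5C7B is "{\" read little-endian at offset 0.
        filesize < 15MB and (uint16(0) == 0x5C7B) and 1 of ($embedded*) and 1 of ($clsid*)
}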
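rule Methodology_RTFEngine_OLE_CLSID_UmOutlookAddinFormRegionContext {
    meta:
        author = "stvemillertime"
        description = "RTF with an embedded OLE object whose CLSID is UmOutlookAddin.FormRegionContext (ECF44975-786E-462F-B02A-CBCCB1A2C4A2); potential exploit document for CVE-2016-0042 / MS16-014. Methodology rule: check prevalence before alerting on it."
        reference = "https://github.com/decalage2/oletools/blob/master/oletools/common/clsid.py"
    strings:
        // RTF control words that indicate an embedded or linked object is present.
        $embedded_object = "\\object" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_oleclass = "\\oleclsid" nocase
        // CLSID in registry/text form (as it appears after \oleclsid).
        $clsid_a128 = "ECF44975-786E-462F-B02A-CBCCB1A2C4A2" nocase ascii
        // Same CLSID as little-endian GUID bytes, hex-encoded inside \objdata (contiguous; fast atom).
        $clsid_hex127 = "7549f4ec6e782f46B02ACBCCB1A2C4A2" nocase ascii
        // Same bytes tolerating whitespace/CRLF between byte pairs (Word line-wraps \objdata hex and
        // the loader ignores the whitespace). Splits inside a byte pair are not covered; short atoms
        // make this slower than the plain string.
        $clsid_hex127_ws = /75\s*49\s*f4\s*ec\s*6e\s*78\s*2f\s*46\s*b0\s*2a\s*cb\s*cc\s*b1\s*a2\s*c4\s*a2/ nocase
    condition:
        // 0x5C7B is "{\" read little-endian at offset 0.
        filesize < 15MB and (uint16(0) == 0x5C7B) and 1 of ($embedded*) and 1 of ($clsid*)
}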
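rule Methodology_RTFEngine_OLE_CLSID_OLEPackageObject_9 {
    meta:
        author = "stvemillertime"
        description = "RTF with an embedded OLE object whose CLSID is OLE Package Object (F20DA720-C02F-11CE-927B-0800095AE340); a Package may contain and run any file. Methodology rule: check prevalence before alerting on it."
        reference = "https://github.com/decalage2/oletools/blob/master/oletools/common/clsid.py"
    strings:
        // RTF control words that indicate an embedded or linked object is present.
        $embedded_object = "\\object" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_oleclass = "\\oleclsid" nocase
        // CLSID in registry/text form (as it appears after \oleclsid).
        $clsid_a129 = "F20DA720-C02F-11CE-927B-0800095AE340" nocase ascii
        // Same CLSID as little-endian GUID bytes, hex-encoded inside \objdata (contiguous; fast atom).
        $clsid_hex128 = "20a70df22fc0ce11927B0800095AE340" nocase ascii
        // Same bytes tolerating whitespace/CRLF between byte pairs (Word line-wraps \objdata hex and
        // the loader ignores the whitespace). Splits inside a byte pair are not covered; short atoms
        // make this slower than the plain string.
        $clsid_hex128_ws = /20\s*a7\s*0d\s*f2\s*2f\s*c0\s*ce\s*11\s*92\s*7b\s*08\s*00\s*09\s*5a\s*e3\s*40/ nocase
    condition:
        // 0x5C7B is "{\" read little-endian at offset 0.
        filesize < 15MB and (uint16(0) == 0x5C7B) and 1 of ($embedded*) and 1 of ($clsid*)
}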
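rule Methodology_RTFEngine_OLE_CLSID_jscriptdll {
    meta:
        author = "stvemillertime"
        description = "RTF with an embedded OLE object whose CLSID is jscript.dll / JScript Language, ProgID ECMAScript, JavaScript, JScript or LiveScript (F414C260-6AC0-11CF-B6D1-00AA00BBBB58). Methodology rule: check prevalence before alerting on it."
        reference = "https://github.com/decalage2/oletools/blob/master/oletools/common/clsid.py"
    strings:
        // RTF control words that indicate an embedded or linked object is present.
        $embedded_object = "\\object" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_oleclass = "\\oleclsid" nocase
        // CLSID in registry/text form (as it appears after \oleclsid).
        $clsid_a130 = "F414C260-6AC0-11CF-B6D1-00AA00BBBB58" nocase ascii
        // Same CLSID as little-endian GUID bytes, hex-encoded inside \objdata (contiguous; fast atom).
        $clsid_hex129 = "60c214f4c06acf11B6D100AA00BBBB58" nocase ascii
        // Same bytes tolerating whitespace/CRLF between byte pairs (Word line-wraps \objdata hex and
        // the loader ignores the whitespace). Splits inside a byte pair are not covered; short atoms
        // make this slower than the plain string.
        $clsid_hex129_ws = /60\s*c2\s*14\s*f4\s*c0\s*6a\s*cf\s*11\s*b6\s*d1\s*00\s*aa\s*00\s*bb\s*bb\s*58/ nocase
    condition:
        // 0x5C7B is "{\" read little-endian at offset 0.
        filesize < 15MB and (uint16(0) == 0x5C7B) and 1 of ($embedded*) and 1 of ($clsid*)
}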
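rule Methodology_RTFEngine_OLE_CLSID_WordDocument12 {
    meta:
        author = "stvemillertime"
        description = "RTF with an embedded OLE object whose CLSID is Microsoft Word Document / Word.Document.12 (F4754C9B-64F5-4B40-8AF4-679732AC0607). Methodology rule: check prevalence before alerting on it."
        reference = "https://github.com/decalage2/oletools/blob/master/oletools/common/clsid.py"
    strings:
        // RTF control words that indicate an embedded or linked object is present.
        $embedded_object = "\\object" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_oleclass = "\\oleclsid" nocase
        // CLSID in registry/text form (as it appears after \oleclsid).
        $clsid_a131 = "F4754C9B-64F5-4B40-8AF4-679732AC0607" nocase ascii
        // Same CLSID as little-endian GUID bytes, hex-encoded inside \objdata (contiguous; fast atom).
        $clsid_hex130 = "9b4c75f4f564404b8AF4679732AC0607" nocase ascii
        // Same bytes tolerating whitespace/CRLF between byte pairs (Word line-wraps \objdata hex and
        // the loader ignores the whitespace). Splits inside a byte pair are not covered; short atoms
        // make this slower than the plain string.
        $clsid_hex130_ws = /9b\s*4c\s*75\s*f4\s*f5\s*64\s*40\s*4b\s*8a\s*f4\s*67\s*97\s*32\s*ac\s*06\s*07/ nocase
    condition:
        // 0x5C7B is "{\" read little-endian at offset 0.
        filesize < 15MB and (uint16(0) == 0x5C7B) and 1 of ($embedded*) and 1 of ($clsid*)
}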
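rule Methodology_RTFEngine_OLE_CLSID_UmOutlookAddinFormRegionAddin {
    meta:
        author = "stvemillertime"
        description = "RTF with an embedded OLE object whose CLSID is UmOutlookAddin.FormRegionAddin (F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3); potential exploit document for CVE-2016-0042 / MS16-014. Methodology rule: check prevalence before alerting on it."
        reference = "https://github.com/decalage2/oletools/blob/master/oletools/common/clsid.py"
    strings:
        // RTF control words that indicate an embedded or linked object is present.
        $embedded_object = "\\object" nocase
        $embedded_objdata = "\\objdata" nocase
        $embedded_ocx = "\\objocx" nocase
        $embedded_objclass = "\\objclass" nocase
        $embedded_oleclass = "\\oleclsid" nocase
        // CLSID in registry/text form (as it appears after \oleclsid).
        $clsid_a132 = "F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3" nocase ascii
        // Same CLSID as little-endian GUID bytes, hex-encoded inside \objdata (contiguous; fast atom).
        $clsid_hex131 = "bbdb59f96738f2418E5F3B8BEFAA81B3" nocase ascii
        // Same bytes tolerating whitespace/CRLF between byte pairs (Word line-wraps \objdata hex and
        // the loader ignores the whitespace). Splits inside a byte pair are not covered; short atoms
        // make this slower than the plain string.
        $clsid_hex131_ws = /bb\s*db\s*59\s*f9\s*67\s*38\s*f2\s*41\s*8e\s*5f\s*3b\s*8b\s*ef\s*aa\s*81\s*b3/ nocase
    condition:
        // 0x5C7B is "{\" read little-endian at offset 0.
        filesize < 15MB and (uint16(0) == 0x5C7B) and 1 of ($embedded*) and 1 of ($clsid*)
}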