valitydev/signature-base
14
0
Fork 0
mirror of https://github.com/valitydev/signature-base.git synced 2024-11-07 02:25:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
97308ea71e
signature-base/yara/gen_dde_in_office_docs.yar

57 lines
1.6 KiB
Plaintext
Raw Normal View History

Improved DDE in Office documents rules by NVISO Labs
2017-10-25 21:44:30 +00:00
Decting DDE in Office Docs - Sigs by NVISO Labs https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/
2017-10-11 12:10:38 +00:00
// YARA rules Office DDE
Improved DDE in Office documents rules by NVISO Labs
2017-10-25 21:44:30 +00:00
// NVISO 2017/10/10 - 2017/10/12
Decting DDE in Office Docs - Sigs by NVISO Labs https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/
2017-10-11 12:10:38 +00:00
// https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/
rule Office_DDEAUTO_field {
meta:
description = "Detects DDE in MS Office documents"
author = "NVISO Labs"
reference = "https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/"
Improved DDE in Office documents rules by NVISO Labs
2017-10-25 21:44:30 +00:00
date = "2017-10-12"
score = 60
Decting DDE in Office Docs - Sigs by NVISO Labs https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/
2017-10-11 12:10:38 +00:00
strings:
Improved DDE in Office documents rules by NVISO Labs
2017-10-25 21:44:30 +00:00
$a = /<w:fldChar\s+?w:fldCharType="begin"\/>.+?\b[Dd][Dd][Ee][Aa][Uu][Tt][Oo]\b.+?<w:fldChar\s+?w:fldCharType="end"\/>/
Decting DDE in Office Docs - Sigs by NVISO Labs https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/
2017-10-11 12:10:38 +00:00
condition:
$a
}
rule Office_DDE_field {
meta:
description = "Detects DDE in MS Office documents"
author = "NVISO Labs"
reference = "https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/"
Improved DDE in Office documents rules by NVISO Labs
2017-10-25 21:44:30 +00:00
date = "2017-10-12"
score = 40
Decting DDE in Office Docs - Sigs by NVISO Labs https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/
2017-10-11 12:10:38 +00:00
strings:
Improved DDE in Office documents rules by NVISO Labs
2017-10-25 21:44:30 +00:00
$a = /<w:fldChar\s+?w:fldCharType="begin"\/>.+?\b[Dd][Dd][Ee]\b.+?<w:fldChar\s+?w:fldCharType="end"\/>/
Decting DDE in Office Docs - Sigs by NVISO Labs https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/
2017-10-11 12:10:38 +00:00
condition:
$a
}
Improved DDE in Office documents rules by NVISO Labs
2017-10-25 21:44:30 +00:00
rule Office_OLE_DDEAUTO {
meta:
description = "Detects DDE in MS Office documents"
author = "NVISO Labs"
reference = "https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/"
date = "2017-10-12"
score = 50
strings:
$a = /\x13\s*DDEAUTO\b[^\x14]+/ nocase
condition:
uint32be(0) == 0xD0CF11E0 and $a
}
rule Office_OLE_DDE {
meta:
description = "Detects DDE in MS Office documents"
author = "NVISO Labs"
reference = "https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/"
date = "2017-10-12"
score = 50
strings:
$a = /\x13\s*DDE\b[^\x14]+/ nocase
condition:
uint32be(0) == 0xD0CF11E0 and $a
}
Reference in New Issue Copy Permalink