valitydev/signature-base
14
0
Fork 0
mirror of https://github.com/valitydev/signature-base.git synced 2024-11-06 18:15:20 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
bfc4ba4970
signature-base/yara/gen_susp_cmd_var_expansion.yar

14 lines
400 B
Plaintext
Raw Normal View History

Suspicious CMD Var expansion in Office Docs
2018-09-28 11:29:35 +00:00
rule SUSP_CMD_Var_Expansion {
meta:
description = "Detects Office droppers that include a variable expansion string"
author = "Florian Roth"
reference = "https://twitter.com/asfakian/status/1044859525675843585"
date = "2018-09-26"
score = 60
strings:
$a1 = " /V:ON" ascii wide fullword
condition:
uint16(0) == 0xcfd0 and filesize < 500KB and $a1
}
Reference in New Issue Copy Permalink