valitydev/signature-base
14
0
Fork 0
mirror of https://github.com/valitydev/signature-base.git synced 2024-11-07 02:25:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Changed OLE2Link signature

Browse Source
This commit is contained in:
Florian Roth 2017-04-12 19:11:36 +02:00
parent 2245f5d7cb
commit b496ed91a6
1 changed files with 40 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
yara/exploit_rtf_ole2link.yar
View File

@ -1,7 +1,6 @@
rule malrtf_ole2link : exploit { rule malrtf_ole2link : exploit {
meta: meta:
author = "@h3x2b <tracker _AT h3x.eu>" author = "@h3x2b <tracker _AT h3x.eu>"
date = "2017/04/12"
description = "Detect weaponized RTF documents with OLE2Link exploit" description = "Detect weaponized RTF documents with OLE2Link exploit"
strings: strings:
//having objdata structure //having objdata structure
@ -22,16 +21,44 @@ rule malrtf_ole2link : exploit {
and any of ($rtf_payload_*) and any of ($rtf_payload_*)
} }
rule rtf_objdata_urlmoniker_http { rule exploit_ole_stdolelink {
meta: meta:
author = "@nvisio_labs" author = "David Cannings"
description = "Detects malicious RTF / OLE2link plus URL Moniker" description = "StdOleLink, potential 0day in April 2017"
date = "2017/04/12"
reference = "https://blog.nviso.be/2017/04/12/analysis-of-a-cve-2017-0199-malicious-rtf-document/" strings:
strings: // Parsers will open files without the full 'rtf'
$objdata = "objdata 0105000002000000" nocase $header_rtf = "{\\rt" nocase
$urlmoniker = "E0C9EA79F9BACE118C8200AA004BA90B" nocase $header_office = { D0 CF 11 E0 }
$http = "68007400740070003a002f002f00" nocase $header_xml = "<?xml version=" nocase wide ascii
condition:
uint32be(0) == 0x7B5C7274 and $objdata and $urlmoniker and $http // Marks of embedded data (reduce FPs)
// RTF format
$embedded_object = "\\object" nocase
$embedded_objdata = "\\objdata" nocase
$embedded_ocx = "\\objocx" nocase
$embedded_objclass = "\\objclass" nocase
$embedded_oleclass = "\\oleclsid" nocase
// XML Office documents
$embedded_axocx = "<ax:ocx" nocase wide ascii
$embedded_axclassid = "ax:classid" nocase wide ascii
// OLE format
$embedded_root_entry = "Root Entry" wide
$embedded_comp_obj = "Comp Obj" wide
$embedded_obj_info = "Obj Info" wide
$embedded_ole10 = "Ole10Native" wide
$data0 = "00000300-0000-0000-C000-000000000046" nocase wide ascii
$data1 = { 0003000000000000C000000000000046 }
$data2 = "OLE2Link" nocase wide ascii
$data3 = "4f4c45324c696e6b" nocase wide ascii
$data4 = "StdOleLink" nocase wide ascii
$data5 = "5374644f6c654c696e6b" nocase wide ascii
condition:
// Mandatory header plus sign of embedding, then any of the others
for any of ($header*) : ( @ == 0 ) and 1 of ($embedded*)
and (1 of ($data*))
} }