valitydev/signature-base
14
0
Fork 0
mirror of https://github.com/valitydev/signature-base.git synced 2024-11-06 18:15:20 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Regsvr32 issue signature

Browse Source
This commit is contained in:
Florian Roth 2016-04-26 10:05:17 +02:00
parent e3f04a6e71
commit c7d168f5f9
1 changed files with 23 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
yara/gen_regsrv32_issue.yar Normal file
View File

@ -0,0 +1,23 @@
/*
Yara Rule Set
Author: Florian Roth
Date: 2016-04-26
Identifier: regsvr32 issue
*/
/* Rule Set ----------------------------------------------------------------- */
rule SCT_Scriptlet_in_Temp_Inet_Files {
meta:
description = "Detects a scriptlet file in the temporary Internet files (see regsvr32 AppLocker bypass)"
author = "Florian Roth"
reference = "http://goo.gl/KAB8Jw"
date = "2016-04-26"
strings:
$s1 = "<scriptlet>" fullword ascii nocase
$s2 = "ActiveXObject(\"WScript.Shell\")" ascii
condition:
( uint32(0) == 0x4D583F3C or uint32(0) == 0x6D78F3C ) /* <?XM or <?xm */
and $s1 and $s2
and filepath contains "Temporary Internet Files"
}