

// Type-library (.tlb) files that embed script-loading monikers. A legitimate
// type library carries COM type metadata, not scriptlet/SOAP/WMI references,
// so the magic check plus any one of the moniker prefixes is the signal.
rule EXPL_Exploit_TLB_Scripts {
    meta:
        description = "Detects malicious TLB files which may be delivered via Visual Studio projects"
        author = "Rich Warren (slightly modified by Florian Roth)"
        reference = "https://github.com/outflanknl/Presentations/blob/master/Nullcon2020_COM-promise_-_Attacking_Windows_development_environments.pdf"
        date = "2021-01-26"
        id = "5151458e-4c30-50ff-a39e-e5b5b68b87aa"
    strings:
        // Scriptlet file extension and COM moniker prefixes that can pull in
        // script or remote content; matched case-insensitively as plain ASCII.
        $mon_sct       = ".sct" ascii nocase
        $mon_script    = "script:" ascii nocase
        $mon_scriptlet = "scriptlet:" ascii nocase
        $mon_soap      = "soap:" ascii nocase
        $mon_winmgmts  = "winmgmts:" ascii nocase
    condition:
        // Size bound first to keep scanning cheap on large files, then the
        // 0x4D534654 = ASCII "MSFT" header that type libraries start with
        // (big-endian read of the first four bytes), then any one moniker.
        filesize < 100KB and
        uint32be(0) == 0x4D534654 and
        any of ($mon_*)
}