Sneed-Reactivity/yara-Neo23x0/gen_maldoc.yar

17 lines
644 B
Text
Raw Permalink Normal View History

rule SUSP_Doc_WindowsInstaller_Call_Feb22_1 {
meta:
author = "Nils Kuhnert"
date = "2022-02-26"
description = "Triggers on docfiles executing windows installer. Used for deploying ThinBasic scripts."
tlp = "white"
reference = "https://inquest.net/blog/2022/02/24/dangerously-thinbasic"
reference2 = "https://twitter.com/threatinsight/status/1497355737844133895"
id = "8f2e8f91-74e0-5574-9c0a-1479d6114212"
strings:
$ = "WindowsInstaller.Installer$"
$ = "CreateObject"
$ = "InstallProduct"
condition:
uint32be(0) == 0xd0cf11e0 and all of them
}