Sneed-Reactivity/yara-Neo23x0/gen_excel_xll_addin_suspicious.yar

65 lines
3.4 KiB
Text
Raw Normal View History

import "pe"
rule gen_Excel_xll_addin_suspicious
{
meta:
description = "Detects suspicious XLL add-ins to Excel"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "@JohnLaTwC"
date = "2020-10-16"
reference1="https://twitter.com/JohnLaTwC/status/1315287078855352326"
reference2="https://labs.f-secure.com/archive/add-in-opportunities-for-office-persistence/"
reference3="https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52"
hash1="0bad4e4bc5093dcfc2737c4d8be89d6f093509a7b91a1e022050cb890d90e4e0"
hash2="133e47eedfede46d1a4529ce7f047e09521ed8c7cad2e49d3522064695bd6c43"
hash3="1994a39d5639b4eea5c3cdf084a8eacf8610a96702e580d88a6ec18887d0ec6b"
hash4="28f45d01e397841fcba48da1e61e4927f42ff6fe6f32595c23cf9a953cd2658a"
hash5="54c3598cf22ad64faeb4e0f9f70e026a1ae834a8c06e5187bf289bb3ee43a8ec"
hash6="5644a04513744edfb247d0ea83e3e2f7d616d6752cfd1af50e866bb0270131ee"
hash7="836c0d21fc3ea3a8ce1a493097a5034d110e5c50bfd7e6c3dcb674dc7a6a19ec"
hash8="b926f7db36bc5bae73091c783b0715d2af051de22a579548adf2498cb1a1d075"
hash9="6ba100a5da5efea14a5ca929628b732a6e6b8ab8f78167db35343e895997ce52"
hasha="ee603cbd6187850334ae5d8adcf029d5cde710fc966b2b7a2c95249d3b23d693"
hashb="99195679e998407fd4d606a0d956bda99f79625b638c63f90d9d399c6f2a143e"
hashc="99534c7086128998ae39967fe5fc6bf526cb2ba5d3b2e99dc7bd03833e4a94ae"
id = "013db759-ab9d-5505-933b-bda702a0941e"
strings:
$s1 = "CryptStringToBinaryA"
$s2 = "NtQueueApcThread"
$cs1 = "dsrole.dll"
$cs2 = "user32.dll"
$debug = "SeDebugPrivilege"
condition:
filesize < 1MB
and uint16(0) == 0x5a4d
and pe.characteristics & pe.DLL
and pe.exports("xlAutoOpen")
and (
((pe.imports("KERNEL32.dll", "LookupPrivilegeValueW") or pe.imports("KERNEL32.dll", "LookupPrivilegeValueA"))
and pe.imports("KERNEL32.dll", "AdjustTokenPrivileges")
and pe.imports("KERNEL32.dll", "OpenProcess")
and $debug)
or (pe.imports("ADVAPI32.dll", "CryptDecrypt")
and pe.imports("ADVAPI32.dll", "CryptImportKey"))
or (pe.imports("DNSAPI.dll", "DnsQuery_A") or pe.imports("DNSAPI.dll", "DnsQuery_W"))
or ((pe.imports("KERNEL32.dll", "FindResourceA") or pe.imports("KERNEL32.dll", "FindResourceW"))
and pe.imports("KERNEL32.dll", "LoadResource")
and pe.imports("KERNEL32.dll", "LockResource")
and (pe.imports("KERNEL32.dll", "VirtualAlloc") or pe.imports("KERNEL32.dll", "VirtualAllocEx"))
and pe.imports("KERNEL32.dll", "WriteProcessMemory")
and pe.imports("KERNEL32.dll", "SetThreadContext"))
or (pe.imports("KERNEL32.dll", "GetThreadContext")
and pe.imports("KERNEL32.dll", "VirtualAllocEx")
and pe.imports("KERNEL32.dll", "ResumeThread")
and pe.imports("KERNEL32.dll", "SetThreadContext"))
or (pe.imports("KERNEL32.dll", "WinExec"))
or (all of ($s*))
or (all of ($cs*) and pe.imports("KERNEL32.dll", "VirtualAllocEx")
and pe.imports("KERNEL32.dll", "TerminateProcess")
and pe.imports("KERNEL32.dll", "Sleep"))
)
}