Sneed-Reactivity/yara-Neo23x0/exploit_cve_2023_38146.yar

18 lines
496 B
Text
Raw Normal View History

rule SUSP_ThemeBleed_Theme_Sep23 {
meta:
description = "Detects domain or IP placement in Windows theme files"
author = "@m_haggis, @nas_bench"
date = "2023-09-13"
reference = "https://github.com/gabe-k/themebleed"
score = 75
id = "76d0042b-655d-5d03-bcc4-150ebc92eb43"
strings:
$s1 = /Path=\\\\[0-9a-zA-Z\.-]{1,20}\\/
$s2 = "[VisualStyles]"
$s3 = "[Theme]"
condition:
filesize < 1MB and all of them
}