Sneed-Reactivity/yara-Neo23x0/exploit_tlb_scripts.yar


rule EXPL_Exploit_TLB_Scripts {
   meta:
      description = "Detects malicious TLB files which may be delivered via Visual Studio projects"
      author = "Rich Warren (slightly modified by Florian Roth)"
      reference = "https://github.com/outflanknl/Presentations/blob/master/Nullcon2020_COM-promise_-_Attacking_Windows_development_environments.pdf"
      date = "2021-01-26"
      id = "5151458e-4c30-50ff-a39e-e5b5b68b87aa"
   strings:
      $a = ".sct" ascii nocase
      $b = "script:" ascii nocase
      $c = "scriptlet:" ascii nocase
      $d = "soap:" ascii nocase
      $e = "winmgmts:" ascii nocase
   condition:
      uint32be(0) == 0x4D534654 and 
      filesize < 100KB and 
      any of them
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 12:43:35 -05:00
			`rule EXPL_Exploit_TLB_Scripts {`
			`meta:`
			`description = "Detects malicious TLB files which may be delivered via Visual Studio projects"`
			`author = "Rich Warren (slightly modified by Florian Roth)"`
			`reference = "https://github.com/outflanknl/Presentations/blob/master/Nullcon2020_COM-promise_-_Attacking_Windows_development_environments.pdf"`
			`date = "2021-01-26"`
			`id = "5151458e-4c30-50ff-a39e-e5b5b68b87aa"`
			`strings:`
			`$a = ".sct" ascii nocase`
			`$b = "script:" ascii nocase`
			`$c = "scriptlet:" ascii nocase`
			`$d = "soap:" ascii nocase`
			`$e = "winmgmts:" ascii nocase`
			`condition:`
			`uint32be(0) == 0x4D534654 and`
			`filesize < 100KB and`
			`any of them`
			`}`