
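rule APT_UNC1151_WindowsInstaller_Silent_InstallProduct_MacroMethod {
    // Matches OLE2 (Compound File Binary) documents whose content carries VBA
    // text that drives the Windows Installer COM object with its UI suppressed
    // and fetches the package from an http(s) URL.
    meta:
        author = "Proofpoint Threat Research"
        date = "2021-07-28"
        description = "OLE2 document containing VBA text that uses WindowsInstaller.Installer to silently InstallProduct from an http URL"
        hash1 = "1561ece482c78a2d587b66c8eaf211e806ff438e506fcef8f14ae367db82d9b3"
        hash2 = "a8fd0a5de66fa39056c0ddf2ec74ccd38b2ede147afa602aba00a3f0b55a88e0"
        // Fixed: the reference URL previously began with a stray "T"
        // ("Thttps://"), which made it unusable.
        reference = "https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails"
        id = "9ae80d54-33b9-55d7-957f-0738243e089f"
    strings:
        // Compound File Binary (OLE2) signature; the condition anchors it at offset 0
        // so only files that actually start as an OLE2 container qualify.
        $doc_header = { D0 CF 11 E0 A1 B1 1A E1 }
        // Windows Installer UILevel 2 (msiUILevelNone): install with no UI.
        $s1 = ".UILevel = 2"
        $s2 = "CreateObject(\"WindowsInstaller.Installer\")"
        // InstallProduct with a remote package path; the "http" prefix also covers https.
        $s3 = ".InstallProduct \"http"
    condition:
        // NOTE(review): VBA source inside OLE2 files is normally stored with
        // MS-OVBA compression, so these plain-text strings may only be present
        // where the macro text appears uncompressed — confirm against the hashed samples.
        $doc_header at 0 and all of ($s*)
}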