16 lines
773 B
Text
16 lines
773 B
Text
|
rule APT_UNC1151_WindowsInstaller_Silent_InstallProduct_MacroMethod {
|
||
|
meta:
|
||
|
author = "Proofpoint Threat Research"
|
||
|
date = "2021-07-28"
|
||
|
hash1 = "1561ece482c78a2d587b66c8eaf211e806ff438e506fcef8f14ae367db82d9b3"
|
||
|
hash2 = "a8fd0a5de66fa39056c0ddf2ec74ccd38b2ede147afa602aba00a3f0b55a88e0"
|
||
|
reference = "Thttps://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails"
|
||
|
id = "9ae80d54-33b9-55d7-957f-0738243e089f"
|
||
|
strings:
|
||
|
$doc_header = {D0 CF 11 E0 A1 B1 1A E1}
|
||
|
$s1 = ".UILevel = 2"
|
||
|
$s2 = "CreateObject(\"WindowsInstaller.Installer\")"
|
||
|
$s3 = ".InstallProduct \"http"
|
||
|
condition:
|
||
|
$doc_header at 0 and all of ($s*)
|
||
|
}
|