// Flags Windows .theme files whose Path= entry points at a remote
// "\\host\" location instead of a local path (see the ThemeBleed reference).
rule SUSP_ThemeBleed_Theme_Sep23 {
    meta:
        description = "Detects domain or IP placement in Windows theme files"
        author = "@m_haggis, @nas_bench"
        date = "2023-09-13"
        reference = "https://github.com/gabe-k/themebleed"
        score = 75

        id = "76d0042b-655d-5d03-bcc4-150ebc92eb43"
    strings:
        // Path= followed by a UNC-style "\\<host>\" prefix. The host part is
        // restricted to 1-20 characters from [0-9a-zA-Z.-], so hostnames or
        // addresses that are longer, or contain ':' (IPv6), will not match.
        $unc_path = /Path=\\\\[0-9a-zA-Z\.-]{1,20}\\/
        // Section headers found in .theme files; requiring both keeps the
        // UNC-path match tied to theme content.
        $vs_section = "[VisualStyles]"
        $theme_section = "[Theme]"
    condition:
        // Size bound first, then every string must be present
        // (equivalent to "all of them").
        filesize < 1MB
        and $unc_path
        and $vs_section
        and $theme_section
}