24 lines
744 B
Text
24 lines
744 B
Text
rule potential_CVE_2017_11882
|
|
{
|
|
meta:
|
|
author = "ReversingLabs"
|
|
reference = "https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobalt-strike-payload-exploiting-cve-2017-11882.html"
|
|
|
|
strings:
|
|
$docfilemagic = { D0 CF 11 E0 A1 B1 1A E1 }
|
|
|
|
$equation1 = "Equation Native" wide ascii
|
|
$equation2 = "Microsoft Equation 3.0" wide ascii
|
|
|
|
$mshta = "mshta"
|
|
$http = "http://"
|
|
$https = "https://"
|
|
$cmd = "cmd"
|
|
$pwsh = "powershell"
|
|
$exe = ".exe"
|
|
|
|
$address = { 12 0C 43 00 }
|
|
|
|
condition:
|
|
$docfilemagic at 0 and any of ($mshta, $http, $https, $cmd, $pwsh, $exe) and any of ($equation1, $equation2) and $address
|
|
}
|