Sneed-Reactivity/yara-mikesxrs/patrickrolsen/LNK_files.yar


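rule malicious_LNK_files
{
    meta:
        description = "Windows shell link (.LNK) whose embedded target/argument strings reference environment-variable paths, the Recycle Bin, core system binaries or a Control Panel applet - patterns seen in LNK-based droppers. Broad by design: a single hit on a generic token (e.g. svchost.exe) is enough, so treat matches as triage candidates, not verdicts."
        source = "yara-mikesxrs/patrickrolsen/LNK_files.yar"

    strings:
        // ShellLinkHeader: HeaderSize = 0x0000004C followed by the first four
        // bytes of the LinkCLSID {00021401-0000-0000-C000-000000000046}.
        $magic = {4C 00 00 00 01 14 02 00} // L.......

        // Target / argument / working-directory tokens. Declared "ascii wide"
        // rather than "wide" only: StringData fields are UTF-16 when the
        // IsUnicode link flag is set, but LinkInfo.LocalBasePath and the
        // TargetAnsi field of the EnvironmentVariableDataBlock are stored as
        // ANSI (MS-SHLLINK), so a wide-only rule misses paths kept there.
        $s1 = "\\RECYCLER\\" ascii wide
        $s2 = "%temp%" ascii wide
        $s3 = "%systemroot%\\system32\\cmd.exe" ascii wide
        //$s4 = "./start" wide
        $s5 = "svchost.exe" ascii wide
        $s6 = "lsass.exe" ascii wide
        $s7 = "csrss.exe" ascii wide
        $s8 = "winlogon.exe" ascii wide
        //$s9 = "%cd%" wide
        $s10 = "%appdata%" ascii wide
        $s11 = "%programdata%" ascii wide
        $s12 = "%localappdata%" ascii wide
        // Control Panel applet extension; a 4-character token, so it is the
        // noisiest string in the set.
        $s13 = ".cpl" ascii wide

    condition:
        // Header must sit at offset 0 so the string hits are evaluated in the
        // context of a real shell link rather than an arbitrary file that
        // merely contains one of the tokens.
        ($magic at 0) and any of ($s*)
}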