Sneed-Reactivity/yara-Neo23x0/expl_keepass_cve_2023_24055.yar
Sam Sneed 08e8d462fe OMG ISTG PLS WORK
RED PILL 🔴 💊
2024-07-25 12:43:35 -05:00

37 lines
1.3 KiB
Text

rule EXPL_Keepass_CVE_2023_24055_Jan23 {
meta:
description = "Detects suspicious entries in the Keepass configuration file, which could be indicator of the exploitation of CVE-2023-24055"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/alt3kx/CVE-2023-24055_PoC"
date = "2023-01-25"
score = 75
id = "2c031919-da19-5fd0-b21a-2e83679ad1e3"
strings:
$a1 = "<TriggerCollection xmlns:xsi=" ascii wide
$x1 = "<Parameter>KeePass XML (2.x)</Parameter>"
$x2 = "::ReadAllBytes("
$x3 = " -Method "
$x4 = " bypass "
$x5 = "powershell" nocase ascii wide fullword
condition:
filesize < 200KB and $a1 and 1 of ($x*)
}
rule SUSP_Keepass_CVE_2023_24055_Jan23 {
meta:
description = "Detects suspicious triggers defined in the Keepass configuration file, which could be indicator of the exploitation of CVE-2023-24055"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/alt3kx/CVE-2023-24055_PoC"
date = "2023-01-25"
score = 60
id = "4ff1a93f-f7f0-528d-9e07-402e321a0ffe"
strings:
$a1 = "<TriggerCollection xmlns:xsi=" ascii wide
$s1 = "<Action>" ascii wide
$s2 = "<Parameter>" ascii wide
condition:
filesize < 200KB and $a1 and all of ($s*)
}