16 lines
644 B
Text
16 lines
644 B
Text
rule SUSP_Doc_WindowsInstaller_Call_Feb22_1 {
|
|
meta:
|
|
author = "Nils Kuhnert"
|
|
date = "2022-02-26"
|
|
description = "Triggers on docfiles executing windows installer. Used for deploying ThinBasic scripts."
|
|
tlp = "white"
|
|
reference = "https://inquest.net/blog/2022/02/24/dangerously-thinbasic"
|
|
reference2 = "https://twitter.com/threatinsight/status/1497355737844133895"
|
|
id = "8f2e8f91-74e0-5574-9c0a-1479d6114212"
|
|
strings:
|
|
$ = "WindowsInstaller.Installer$"
|
|
$ = "CreateObject"
|
|
$ = "InstallProduct"
|
|
condition:
|
|
uint32be(0) == 0xd0cf11e0 and all of them
|
|
}
|