08e8d462fe
RED PILL 🔴 💊
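// MACROCHECK credential stealer (Office macro) — detection rule.
// Two independent branches trigger a match:
//   (1) all three form-parameter strings ($PARAM*) are present, or
//   (2) one of the login-form strings together with one of the upload
//       routine names.
// Intended for .doc files or VBA macros extracted from .docx
// (vbaProject.bin), per the description below.
rule MACROCHECK
{
    meta:
        description = "Identify office documents with the MACROCHECK credential stealer in them. It can be run against .doc files or VBA macros extracted from .docx files (vbaProject.bin files)."
        author = "Fireeye Labs"
        version = "1.0"

    strings:
        // Form-parameter style strings (presumably the fields the macro posts).
        // Every $PARAM* string carries both ascii and wide so the 'all of'
        // clause in branch (1) cannot fail only because one parameter is
        // stored as UTF-16 while the other two match; the original had
        // $PARAMuname as ascii-only, inconsistent with its siblings.
        $PARAMpword = "pword=" ascii wide
        $PARAMmsg = "msg=" ascii wide
        $PARAMuname = "uname=" ascii wide
        // Login-form related strings (form class names and the rejection text).
        $userform = "UserForm" ascii wide
        $userloginform = "UserLoginForm" ascii wide
        $invalid = "Invalid username or password" ascii wide
        // Upload routine names (role inferred from the identifiers).
        $up1 = "uploadPOST" ascii wide
        $up2 = "postUpload" ascii wide

    condition:
        // Branch (1): all form parameters; branch (2): a login-form artefact
        // plus an upload routine name.
        all of ($PARAM*) or (($invalid or $userloginform or $userform) and ($up1 or $up2))
}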