RED PILL 🔴 💊
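// Hunting rule for Excel Web Query (IQY) files whose embedded URL points at a
// file with an extension commonly used for a secondary-stage payload.
// Two things must hold: the data begins with a "WEB" header line, and somewhere
// in the data there is an http(s) URL ending in one of the listed extensions.
rule IQY_File_With_Pivot_Extension_URL
{
    meta:
        Author = "InQuest Labs"
        Reference = "http://blog.inquest.net/blog/2018/08/23/hunting-iqy-files-with-yara/"
        Description = "Detect Excel IQY files with URLs that contain commonly used malicious file extensions that may act as a pivot to a secondary stage."
        Severity = "9"

    strings:
        /*
            match WEB on the first line of a file
            takes into account potential whitespace before or after case-insensitive "WEB" string

            Only LF or CRLF line endings are accepted as the terminator; a CR-only
            line ending does not match. Because the condition pins this string to
            offset 0, any leading bytes before the header (e.g. a byte-order mark)
            would also prevent a match - NOTE(review): confirm whether such
            variants are seen in practice before widening the pattern.
        */
        $web = /^[ \t]*WEB[ \t]*(\x0A|\x0D\x0A)/ nocase

        /*
            generic URL to direct download a file containing a potentially malicious extension.
            File extensions were decided based upon common extensions seen in the wild
            The extension list can be expanded upon as new information comes available from matches
            on the Stage 1 or Stage 2 signatures

            The host/path character class includes '-' in addition to \w, '.' and '/':
            \w is [A-Za-z0-9_], so without the hyphen any URL whose hostname or path
            contains '-' (valid per RFC 1123, and very common) would never match,
            producing silent false negatives. Characters such as '%', '?', '=' and ':'
            are still excluded, so a URL with a port or a query string before the
            extension will not match.

            The extension group is not anchored to the end of the URL, so the string
            also fires when the extension is followed by further characters
            (e.g. ".exe" in the middle of a longer path).
        */
        $url = /https?:\/\/[\w\.\/\-]+\.(scr|exe|hta|vbs|ps1|bat|dat|rar|zip|ace)/ nocase

    condition:
        // The WEB header must be the very first thing in the data; the URL may
        // appear anywhere after it.
        $web at 0 and $url
}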