257 lines
9.3 KiB
Text
257 lines
9.3 KiB
Text
rule SUSP_PS1_Msdt_Execution_May22 {
|
|
meta:
|
|
description = "Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation"
|
|
author = "Nasreddine Bencherchali, Christian Burkard"
|
|
date = "2022-05-31"
|
|
modified = "2022-07-08"
|
|
reference = "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e"
|
|
score = 75
|
|
id = "caa8a042-ffd4-52b2-a9f0-86e6c83a0aa3"
|
|
strings:
|
|
$a = "PCWDiagnostic" ascii wide fullword
|
|
$sa1 = "msdt.exe" ascii wide
|
|
$sa2 = "msdt " ascii wide
|
|
$sa3 = "ms-msdt" ascii wide
|
|
|
|
$sb1 = "/af " ascii wide
|
|
$sb2 = "-af " ascii wide
|
|
$sb3 = "IT_BrowseForFile=" ascii wide
|
|
|
|
/* OriginalFilename pcwrun.exe */
|
|
$fp1 = { 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00
|
|
46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00
|
|
00 00 70 00 63 00 77 00 72 00 75 00 6E 00 2E 00
|
|
65 00 78 00 65 00 }
|
|
$fp2 = "FilesFullTrust" wide
|
|
condition:
|
|
filesize < 10MB
|
|
and $a
|
|
and 1 of ($sa*)
|
|
and 1 of ($sb*)
|
|
and not 1 of ($fp*)
|
|
}
|
|
|
|
rule SUSP_Doc_WordXMLRels_May22 {
|
|
meta:
|
|
description = "Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation"
|
|
author = "Tobias Michalski, Christian Burkard, Wojciech Cieslak"
|
|
date = "2022-05-30"
|
|
modified = "2022-06-20"
|
|
reference = "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e"
|
|
hash = "62f262d180a5a48f89be19369a8425bec596bc6a02ed23100424930791ae3df0"
|
|
score = 70
|
|
id = "304c4816-b2f6-5319-9fe9-8f74bdb82ad0"
|
|
strings:
|
|
$a1 = "<Relationships" ascii
|
|
$a2 = "TargetMode=\"External\"" ascii
|
|
|
|
$x1 = ".html!" ascii
|
|
$x2 = ".htm!" ascii
|
|
$x3 = "%2E%68%74%6D%6C%21" ascii /* encoded version of .html! */
|
|
$x4 = "%2E%68%74%6D%21" ascii /* encoded version of .htm! */
|
|
condition:
|
|
filesize < 50KB
|
|
and all of ($a*)
|
|
and 1 of ($x*)
|
|
}
|
|
|
|
rule SUSP_Doc_RTF_ExternalResource_May22 {
|
|
meta:
|
|
description = "Detects a suspicious pattern in RTF files which downloads external resources as seen in CVE-2022-30190 / Follina exploitation"
|
|
author = "Tobias Michalski, Christian Burkard"
|
|
date = "2022-05-30"
|
|
modified = "2022-05-31"
|
|
reference = "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e"
|
|
score = 70
|
|
id = "71bb97e0-ec12-504c-a1f6-25039ac91c86"
|
|
strings:
|
|
$s1 = " LINK htmlfile \"http" ascii
|
|
$s2 = ".html!\" " ascii
|
|
condition:
|
|
uint32be(0) == 0x7B5C7274 and
|
|
filesize < 300KB and
|
|
all of them
|
|
}
|
|
|
|
rule EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 {
|
|
meta:
|
|
description = "Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation"
|
|
author = "Tobias Michalski, Christian Burkard"
|
|
date = "2022-05-30"
|
|
modified = "2022-07-18"
|
|
reference = "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e"
|
|
hash1 = "4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784"
|
|
hash2 = "778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07"
|
|
score = 80
|
|
id = "62e67c25-a420-5dac-9d1c-b0648ea6b574"
|
|
strings:
|
|
$re1 = /location\.href\s{0,20}=\s{0,20}"ms-msdt:/
|
|
$a1 = "%6D%73%2D%6D%73%64%74%3A%2F" ascii /* URL encoded "ms-msdt:/" */
|
|
condition:
|
|
filesize > 3KB and
|
|
filesize < 100KB and
|
|
1 of them
|
|
}
|
|
|
|
rule SUSP_Doc_RTF_OLE2Link_Jun22 {
|
|
meta:
|
|
description = "Detects a suspicious pattern in RTF files which downloads external resources"
|
|
author = "Christian Burkard"
|
|
date = "2022-06-01"
|
|
reference = "Internal Research"
|
|
hash = "4abc20e5130b59639e20bd6b8ad759af18eb284f46e99a5cc6b4f16f09456a68"
|
|
score = 75
|
|
id = "e9c83d58-6214-51d5-882a-4bd2ed6acc9a"
|
|
strings:
|
|
$sa = "\\objdata" ascii nocase
|
|
|
|
$sb1 = "4f4c45324c696e6b" ascii /* OLE2Link */
|
|
$sb2 = "4F4C45324C696E6B" ascii
|
|
|
|
$sc1 = "d0cf11e0a1b11ae1" ascii /* docfile magic - doc file albilae */
|
|
$sc2 = "D0CF11E0A1B11AE1" ascii
|
|
|
|
$x1 = "68007400740070003a002f002f00" ascii /* http:// */
|
|
$x2 = "68007400740070003A002F002F00" ascii
|
|
$x3 = "680074007400700073003a002f002f00" ascii /* https:// */
|
|
$x4 = "680074007400700073003A002F002F00" ascii
|
|
$x5 = "6600740070003a002f002f00" ascii /* ftp:// */
|
|
$x6 = "6600740070003A002F002F00" ascii
|
|
/* TODO: more protocols */
|
|
condition:
|
|
( uint32be(0) == 0x7B5C7274 or uint32be(0) == 0x7B5C2A5C ) /* RTF */
|
|
and $sa
|
|
and 1 of ($sb*)
|
|
and 1 of ($sc*)
|
|
and 1 of ($x*)
|
|
}
|
|
|
|
rule SUSP_Doc_RTF_OLE2Link_EMAIL_Jun22 {
|
|
meta:
|
|
description = "Detects a suspicious pattern in RTF files which downloads external resources inside e-mail attachments"
|
|
author = "Christian Burkard"
|
|
date = "2022-06-01"
|
|
reference = "Internal Research"
|
|
hash = "4abc20e5130b59639e20bd6b8ad759af18eb284f46e99a5cc6b4f16f09456a68"
|
|
score = 75
|
|
id = "48cde505-3ce4-52ef-b338-0c08ac4f63de"
|
|
strings:
|
|
/* \objdata" */
|
|
$sa1 = "XG9iamRhdG" ascii
|
|
$sa2 = "xvYmpkYXRh" ascii
|
|
$sa3 = "cb2JqZGF0Y" ascii
|
|
|
|
/* OLE2Link */
|
|
$sb1 = "NGY0YzQ1MzI0YzY5NmU2Y" ascii
|
|
$sb2 = "RmNGM0NTMyNGM2OTZlNm" ascii
|
|
$sb3 = "0ZjRjNDUzMjRjNjk2ZTZi" ascii
|
|
$sb4 = "NEY0QzQ1MzI0QzY5NkU2Q" ascii
|
|
$sb5 = "RGNEM0NTMyNEM2OTZFNk" ascii
|
|
$sb6 = "0RjRDNDUzMjRDNjk2RTZC" ascii
|
|
|
|
/* docfile magic - doc file albilae */
|
|
$sc1 = "ZDBjZjExZTBhMWIxMWFlM" ascii
|
|
$sc2 = "QwY2YxMWUwYTFiMTFhZT" ascii
|
|
$sc3 = "kMGNmMTFlMGExYjExYWUx" ascii
|
|
$sc4 = "RDBDRjExRTBBMUIxMUFFM" ascii
|
|
$sc5 = "QwQ0YxMUUwQTFCMTFBRT" ascii
|
|
$sc6 = "EMENGMTFFMEExQjExQUUx" ascii
|
|
|
|
/* http:// */
|
|
$x1 = "NjgwMDc0MDA3NDAwNzAwMDNhMDAyZjAwMmYwM" ascii
|
|
$x2 = "Y4MDA3NDAwNzQwMDcwMDAzYTAwMmYwMDJmMD" ascii
|
|
$x3 = "2ODAwNzQwMDc0MDA3MDAwM2EwMDJmMDAyZjAw" ascii
|
|
$x4 = "NjgwMDc0MDA3NDAwNzAwMDNBMDAyRjAwMkYwM" ascii
|
|
$x5 = "Y4MDA3NDAwNzQwMDcwMDAzQTAwMkYwMDJGMD" ascii
|
|
$x6 = "2ODAwNzQwMDc0MDA3MDAwM0EwMDJGMDAyRjAw" ascii
|
|
/* https:// */
|
|
$x7 = "NjgwMDc0MDA3NDAwNzAwMDczMDAzYTAwMmYwMDJmMD" ascii
|
|
$x8 = "Y4MDA3NDAwNzQwMDcwMDA3MzAwM2EwMDJmMDAyZjAw" ascii
|
|
$x9 = "2ODAwNzQwMDc0MDA3MDAwNzMwMDNhMDAyZjAwMmYwM" ascii
|
|
$x10 = "NjgwMDc0MDA3NDAwNzAwMDczMDAzQTAwMkYwMDJGMD" ascii
|
|
$x11 = "Y4MDA3NDAwNzQwMDcwMDA3MzAwM0EwMDJGMDAyRjAw" ascii
|
|
$x12 = "2ODAwNzQwMDc0MDA3MDAwNzMwMDNBMDAyRjAwMkYwM" ascii
|
|
/* ftp:// */
|
|
$x13 = "NjYwMDc0MDA3MDAwM2EwMDJmMDAyZjAw" ascii
|
|
$x14 = "Y2MDA3NDAwNzAwMDNhMDAyZjAwMmYwM" ascii
|
|
$x15 = "2NjAwNzQwMDcwMDAzYTAwMmYwMDJmMD" ascii
|
|
$x16 = "NjYwMDc0MDA3MDAwM0EwMDJGMDAyRjAw" ascii
|
|
$x17 = "Y2MDA3NDAwNzAwMDNBMDAyRjAwMkYwM" ascii
|
|
$x18 = "2NjAwNzQwMDcwMDAzQTAwMkYwMDJGMD" ascii
|
|
/* TODO: more protocols */
|
|
condition:
|
|
filesize < 10MB
|
|
and 1 of ($sa*)
|
|
and 1 of ($sb*)
|
|
and 1 of ($sc*)
|
|
and 1 of ($x*)
|
|
}
|
|
|
|
rule SUSP_DOC_RTF_ExternalResource_EMAIL_Jun22 {
|
|
meta:
|
|
description = "Detects a suspicious pattern in RTF files which downloads external resources as seen in CVE-2022-30190 / Follina exploitation inside e-mail attachment"
|
|
author = "Christian Burkard"
|
|
date = "2022-06-01"
|
|
reference = "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e"
|
|
score = 70
|
|
id = "3ddc838c-8520-5572-9652-8cb823f83e27"
|
|
strings:
|
|
/* <Relationships */
|
|
$sa1 ="PFJlbGF0aW9uc2hpcH" ascii
|
|
$sa2 ="xSZWxhdGlvbnNoaXBz" ascii
|
|
$sa3 ="8UmVsYXRpb25zaGlwc" ascii
|
|
/* TargetMode="External" */
|
|
$sb1 ="VGFyZ2V0TW9kZT0iRXh0ZXJuYWwi" ascii
|
|
$sb2 ="RhcmdldE1vZGU9IkV4dGVybmFsI" ascii
|
|
$sb3 ="UYXJnZXRNb2RlPSJFeHRlcm5hbC" ascii
|
|
/* .html!" */
|
|
$sc1 ="Lmh0bWwhI" ascii
|
|
$sc2 ="5odG1sIS" ascii
|
|
$sc3 ="uaHRtbCEi" ascii
|
|
condition:
|
|
filesize < 400KB
|
|
and 1 of ($sa*)
|
|
and 1 of ($sb*)
|
|
and 1 of ($sc*)
|
|
}
|
|
|
|
rule SUSP_Msdt_Artefact_Jun22_2 {
|
|
meta:
|
|
description = "Detects suspicious pattern in msdt diagnostics log (e.g. CVE-2022-30190 / Follina exploitation)"
|
|
author = "Christian Burkard"
|
|
date = "2022-06-01"
|
|
modified = "2022-07-29"
|
|
reference = "https://twitter.com/nas_bench/status/1531718490494844928"
|
|
score = 75
|
|
id = "aa2a4bd7-2094-5652-a088-f58d0c7d3f62"
|
|
strings:
|
|
$a1 = "<ScriptError><Data id=\"ScriptName\" name=\"Script\">TS_ProgramCompatibilityWizard.ps1" ascii
|
|
|
|
$x1 = "/../../" ascii
|
|
$x2 = "$(Invoke-Expression" ascii
|
|
$x3 = "$(IEX(" ascii nocase
|
|
condition:
|
|
uint32(0) == 0x6D783F3C /* <?xm */
|
|
and $a1
|
|
and 1 of ($x*)
|
|
}
|
|
|
|
rule SUSP_LNK_Follina_Jun22 {
|
|
meta:
|
|
description = "Detects LNK files with suspicious Follina/CVE-2022-30190 strings"
|
|
author = "Paul Hager"
|
|
date = "2022-06-02"
|
|
reference = "https://twitter.com/gossithedog/status/1531650897905950727"
|
|
score = 75
|
|
id = "d331d584-2ab3-5275-b435-6129c7291417"
|
|
strings:
|
|
$sa1 = "msdt.exe" ascii wide
|
|
$sa2 = "msdt " ascii wide
|
|
$sa3 = "ms-msdt:" ascii wide
|
|
|
|
$sb = "IT_BrowseForFile=" ascii wide
|
|
condition:
|
|
filesize < 5KB and
|
|
uint16(0) == 0x004c and uint32(4) == 0x00021401 and
|
|
1 of ($sa*) and $sb
|
|
}
|