rule EXPL_Exploit_TLB_Scripts {
    meta:
        // Type libraries (TLB) carrying moniker / scriptlet strings; see the
        // referenced talk on abuse of Windows development environments.
        description = "Detects malicious TLB files which may be delivered via Visual Studio projects"
        author = "Rich Warren (slightly modified by Florian Roth)"
        reference = "https://github.com/outflanknl/Presentations/blob/master/Nullcon2020_COM-promise_-_Attacking_Windows_development_environments.pdf"
        date = "2021-01-26"
        id = "5151458e-4c30-50ff-a39e-e5b5b68b87aa"

    strings:
        // Moniker prefixes and scriptlet extension that are not expected
        // inside the string table of a benign type library.
        $sct_ext    = ".sct" nocase ascii
        $mk_script  = "script:" nocase ascii
        $mk_sctlet  = "scriptlet:" nocase ascii
        $mk_soap    = "soap:" nocase ascii
        $mk_winmgmt = "winmgmts:" nocase ascii

    condition:
        // 0x4D534654 is the ASCII magic "MSFT" read big-endian at offset 0,
        // i.e. the file header of a Microsoft type library.
        uint32be(0) == 0x4D534654
        // small files only; real-world TLBs are compact
        and filesize < 100KB
        // any single moniker / scriptlet indicator is enough to alert
        and any of them
}