Sneed-Group/Sneed-Reactivity
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Sneed-Reactivity/yara-Neo23x0/expl_cve_2021_40444.yar
Sam Sneed 08e8d462fe OMG ISTG PLS WORK 
RED PILL 🔴 💊
2024-07-25 12:43:35 -05:00

98 lines
3.9 KiB
Text
Raw Blame History

/*
Modified rule of Jeremy Brown
see my video: https://www.youtube.com/watch?v=53gpfmKFxr4
*/
rule EXPL_CVE_2021_40444_Document_Rels_XML {
meta:
description = "Detects indicators found in weaponized documents that exploit CVE-2021-40444"
author = "Jeremy Brown / @alteredbytes"
reference = "https://twitter.com/AlteredBytes/status/1435811407249952772"
date = "2021-09-10"
id = "812bb68e-71ea-5a9a-8d39-ab99fdaa6c58"
strings:
$b1 = "/relationships/oleObject" ascii
$b2 = "/relationships/attachedTemplate" ascii
$c1 = "Target=\"mhtml:http" nocase
$c2 = "!x-usc:http" nocase
$c3 = "TargetMode=\"External\"" nocase
condition:
uint32(0) == 0x6D783F3C
and filesize < 10KB
and 1 of ($b*)
and all of ($c*)
}
rule EXPL_MAL_MalDoc_OBFUSCT_MHTML_Sep21_1 {
meta:
description = "Detects suspicious office reference files including an obfuscated MHTML reference exploiting CVE-2021-40444"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/decalage2/status/1438946225190014984?s=20"
date = "2021-09-18"
score = 90
hash = "84674acffba5101c8ac518019a9afe2a78a675ef3525a44dceddeed8a0092c69"
id = "781cfd61-d5ac-58e5-868f-dbd2a2df3500"
strings:
$h1 = "<?xml " ascii wide
$s1 = "109;&#104;&#116;&#109;&#108;&#58;&#104;&#116;&#109;&#108" ascii wide
condition:
filesize < 25KB and all of them
}
rule EXPL_XML_Encoded_CVE_2021_40444 {
meta:
author = "James E.C, Proofpoint"
description = "Detects possible CVE-2021-40444 with no encoding, HTML/XML entity (and hex notation) encoding, or all 3"
reference = "https://twitter.com/sudosev/status/1439205606129377282"
date = "2021-09-18"
modified = "2021-09-19"
score = 70
hash = "13DE9F39B1AD232E704B5E0B5051800FCD844E9F661185ACE8287A23E9B3868E" // document.xml
hash = "84674ACFFBA5101C8AC518019A9AFE2A78A675EF3525A44DCEDDEED8A0092C69" // original .docx
id = "4bf9ec64-c662-5c8f-9e58-12a7412ef07d"
strings:
$h1 = "<?xml " ascii wide
$t_xml_r = /Target[\s]{0,20}=[\s]{0,20}\["']([Mm]|&#(109|77|x6d|x4d);)([Hh]|&#(104|72|x68|x48);)([Tt]|&#(116|84|x74|x54);)([Mm]|&#(109|77|x6d|x4d);)([Ll]|&#(108|76|x6c|x4c);)(:|&#58;|&#x3a)/
$t_mode_r = /TargetMode[\s]{0,20}=[\s]{0,20}\["']([Ee]|&#(x45|x65|69|101);)([Xx]|&#(x58|x78|88|120);)([Tt]|&#(x74|x54|84|116);)/
condition:
filesize < 500KB and $h1 and all of ($t_*)
}
/* not directly related to CVE-2021-40444 */
rule SUSP_OBFUSC_Indiators_XML_OfficeDoc_Sep21_1 : Windows CVE {
meta:
author = "Florian Roth (Nextron Systems)"
description = "Detects suspicious encodings in fields used in reference files found in weaponized MS Office documents"
reference = "https://twitter.com/sudosev/status/1439205606129377282"
date = "2021-09-18"
score = 65
hash = "13DE9F39B1AD232E704B5E0B5051800FCD844E9F661185ACE8287A23E9B3868E" // document.xml
hash = "84674ACFFBA5101C8AC518019A9AFE2A78A675EF3525A44DCEDDEED8A0092C69" // original .docx
id = "ffcaf270-f574-5692-90e5-6776c34eb71b"
strings:
$h1 = "<?xml " ascii wide
$xml_e = "Target=\"&#" ascii wide
$xml_mode_1 = "TargetMode=\"&#" ascii wide
condition:
filesize < 500KB and $h1 and 1 of ($xml*)
}
rule SUSP_OBFUSC_Indiators_XML_OfficeDoc_Sep21_2 : Windows CVE {
meta:
author = "Florian Roth (Nextron Systems)"
description = "Detects suspicious encodings in fields used in reference files found in weaponized MS Office documents"
reference = "https://twitter.com/sudosev/status/1439205606129377282"
date = "2021-09-18"
score = 65
id = "c3c5ec4f-5d2a-523c-bd4b-b75c04bac87d"
strings:
$h1 = "<?xml " ascii wide
$a1 = "Target" ascii wide
$a2 = "TargetMode" ascii wide
$xml_e = "&#x0000" ascii wide
condition:
filesize < 500KB and all of them
}
Reference in a new issue View git blame Copy permalink