Commit fb786a03 by Javier Rascón Mesa

Fixed RTF_Shellcode regular expression

parent 8880b2d9
...@@ -275,20 +275,19 @@ rule Embedded_EXE_Cloaking : maldoc { ...@@ -275,20 +275,19 @@ rule Embedded_EXE_Cloaking : maldoc {
// This rule have beed improved by Javier Rascon // This rule have beed improved by Javier Rascon
rule RTF_Shellcode : maldoc rule RTF_Shellcode : maldoc
{ {
meta: meta:
author = "RSA-IR – Jared Greenhill" author = "RSA-IR – Jared Greenhill"
date = "01/21/13" date = "01/21/13"
description = "identifies RTF's with potential shellcode" description = "identifies RTF's with potential shellcode"
filetype = "RTF" filetype = "RTF"
strings:
strings:
$rtfmagic={7B 5C 72 74 66} $rtfmagic={7B 5C 72 74 66}
/* $scregex=/[39 30]{2,20}/ */ /* $scregex=/[39 30]{2,20}/ */
$scregex=/(39 30){2,20}/ $scregex=/(90){2,20}/
condition:
condition:
($rtfmagic at 0) and ($scregex) ($rtfmagic at 0) and ($scregex)
} }
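Review bot: The new `$scregex=/(90){2,20}/` fires on the literal text `9090` anywhere in the file, because a minimum of two repetitions is enough for a match and the upper bound of 20 never restricts anything, so the rule will likely match benign RTFs whose hex-encoded embedded objects happen to contain two adjacent 0x90 bytes (and, since the pattern is not byte-aligned, even a run such as `390900`). A shellcode NOP-sled indicator is more useful with a longer minimum run, e.g. `$scregex=/(90){8,}/`, or as a plain string such as `$nopsled = "9090909090909090"`, which also avoids a regex scan over the whole file. The duplicated `strings:`/`condition:` rows suggest the hunk also changes whitespace on those lines, though that cannot be confirmed from the rendered view; a short comment above `$scregex` stating that it targets the hex-text encoding of a 0x90 NOP sled would help the next maintainer understand why the value is `90` rather than `39 30`.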