SUSP_LNK_Contains_PE.yar
rule SUSP_LNK_Contains_PE_DOS_Stub
{
    meta:
        author = "Greg Lesnewich"
        description = "detect LNKs that contain an MS-DOS stub indicating there is likely an embedded PE file"
        reference = "https://osandamalith.com/2020/07/19/exploring-the-ms-dos-stub/"
        date = "2024-02-03"
        version = "1.0"
        DaysOfYara = "34/100"

    strings:
        // Plaintext MS-DOS stub banner, case-insensitive, in both single-byte
        // and UTF-16LE encodings.
        $dos_stub = "!This program cannot be run in DOS mode" nocase ascii wide

    condition:
        // LNK files start with HeaderSize = 0x4C stored little-endian, i.e.
        // bytes 4C 00 00 00. Only this dword is checked as the file-type gate;
        // the CLSID that follows it in the header is not verified, so any file
        // whose first dword is 0x4C passes this part of the condition.
        uint32(0) == 0x0000004c
        and any of them
}
rule SUSP_LNK_Contains_PE_DOS_Stub_b64
{
    meta:
        author = "Greg Lesnewich"
        description = "detect LNKs that contain an MS-DOS stub indicating there is likely an embedded PE file"
        reference = "https://osandamalith.com/2020/07/19/exploring-the-ms-dos-stub/"
        date = "2024-02-03"
        version = "1.0"
        DaysOfYara = "34/100"

    strings:
        // Base64-encoded MS-DOS stub banner (all three alignment offsets are
        // generated by the base64 modifier; base64wide covers the UTF-16LE
        // form of the encoded text). The base64 modifier cannot be combined
        // with nocase, so the two common capitalisations are listed explicitly.
        $dos_stub_lower = "!This program cannot be run in DOS mode" base64 base64wide
        $dos_stub_title = "!This Program Cannot be Run in DOS Mode" base64 base64wide

    condition:
        // LNK HeaderSize dword (0x4C little-endian) as the file-type gate;
        // the header CLSID is not checked.
        uint32(0) == 0x0000004c
        and any of them
}
rule SUSP_LNK_Contains_PE_DOS_Stub_xor
{
    meta:
        author = "Greg Lesnewich"
        description = "detect LNKs that contain an MS-DOS stub indicating there is likely an embedded PE file"
        reference = "https://osandamalith.com/2020/07/19/exploring-the-ms-dos-stub/"
        date = "2024-02-03"
        version = "1.0"
        DaysOfYara = "34/100"

    strings:
        // MS-DOS stub banner XORed with any single-byte key except 0x00
        // (0x00 would be the plaintext, which the non-xor sibling rule covers),
        // in single-byte and UTF-16LE encodings. The xor modifier cannot be
        // combined with nocase, hence the two explicit capitalisations.
        $dos_stub_lower = "!This program cannot be run in DOS mode" xor(0x01-0xff) ascii wide
        $dos_stub_title = "!This Program Cannot be Run in DOS Mode" xor(0x01-0xff) ascii wide

    condition:
        // LNK HeaderSize dword (0x4C little-endian) as the file-type gate;
        // the header CLSID is not checked.
        uint32(0) == 0x0000004c
        and any of them
}