A collection of Yara rules we wish to share with the world. These rules should not be considered production appropriate. Rather, they are valuable for research and hunting purposes. The rules are listed here, alphabetically, along with references for further reading:
- CVE-2018-4878: Adobe Flash MediaPlayer DRM use-after-free vulnerability
  - Blog: Adobe Flash MediaPlayer DRM Use-after-free Vulnerability
  - Follow highlights of the conversation on Twitter from this "moment" we maintain.
- Embedded PE Files
  - Discover embedded PE files without relying on easily stripped or modified header strings.
- Hidden Bee Custom Windows Executable Format
- Hunting Suspicious IQY Files
- This signature detects Adobe PDF files that reference a remote UNC object for the purpose of leaking NTLM hashes. New methods for NTLM hash leaks are discovered from time to time; this particular one is triggered upon opening a maliciously crafted PDF. Original write-up from CheckPoint.
- This signature is designed to detect the obfuscation method described by Boris Larin in "Disappearing bytes: Reverse engineering the MS Office RTF parser". This obfuscation method is rarely seen but was used in the distribution of the CVE-2018-8174 0day discovered in the wild.
  - We'll continue to earmark interesting tidbits around the subject matter in this Twitter Moment.