Permalink
Switch branches/tags
Nothing to show
Find file Copy path
24c0ab3 Feb 8, 2018
1 contributor

Users who have contributed to this file

20 lines (15 sloc) 536 Bytes
/*
Detect Microsoft Office documents with embedded Adobe Flash files. Following the conversation at:
http://blog.inquest.net/blog/2018/02/07/cve-2018-4878-adobe-flash-0day-itw
https://twitter.com/i/moments/960633253165191170
InQuest customers can detect related events on their network by searching for:
event ID 3000032
*/
rule Microsoft_Office_Document_with_Embedded_Flash_File
{
strings:
$a = { 6e db 7c d2 6d ae cf 11 96 b8 44 45 53 54 00 00 }
$b = { 57 53 }
condition:
$a and $b
}