Corrected a mistake in the suspicious strings Yara rule.

Added the latest Visual Studio RICH IDs.
JusticeRage · Oct 11, 2018 · 3ae91b4 · 3ae91b4
1 parent 7a5d980
commit 3ae91b4
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 2 deletions.
diff --git a/bin/yara_rules/suspicious_strings.yara b/bin/yara_rules/suspicious_strings.yara
@@ -42,6 +42,8 @@ rule System_Tools
         $a18 = "regsvr32.exe" nocase wide ascii
         $a19 = "rundll32.exe" nocase wide ascii
         $a20 = /schtask(.exe)?/ nocase wide ascii
+		$a21 = "wbadmin.exe" nocase wide ascii
+		$a22 = "wevutil.exe" nocase wide ascii
 		
     condition:
         any of them
@@ -753,7 +755,7 @@ rule WMI_strings
         author = "Ivan Kwiatkowski (@JusticeRage)"
     strings:
         // WMI namespaces which may be referenced in the ConnectServer call. All in the form of "ROOT\something"
-        $a0 = /ROOT\\(CIMV2|AccessLogging|ADFS|aspnet|Cli|Hardware|interop|InventoryLogging|Microsoft.{10}|Policy|RSOP|SECURITY|ServiceModel|snmpStandardCimv2|subscription|virtualization|WebAdministration|WMI)/ nocase ascii wide
+        $a0 = /ROOT\\(CIMV2|AccessLogging|ADFS|aspnet|Cli|Hardware|interop|InventoryLogging|Microsoft|Policy|RSOP|SECURITY|ServiceModel|snmp|StandardCimv2|subscription|virtualization|WebAdministration|WMI)/ nocase ascii wide
     condition:
         any of them
 }

diff --git a/manape/nt_values.cpp b/manape/nt_values.cpp
@@ -662,7 +662,7 @@ const flag_dict COMP_ID_PRODID =
                                 ("VS2017 v15.8.2 compiler 26727",              0x6867)
                                 ("VS2017 v15.8.3 compiler 26728",              0x6868)
                                 ("VS2017 v15.8.4 compiler 26729",              0x6869)
-                                ("VS2017 v15.8.4 compiler 26730",              0x686A)
+                                ("VS2017 v15.8.5-6 compiler 26730",            0x686A)
     ;
 
 // ----------------------------------------------------------------------------