
added detection for EPS obfuscation using xor

tylabs committed May 11, 2017
1 parent 45b4d63 commit c606e30e91e257ae714916de3da3f11bc5be0631
Showing with 23 additions and 0 deletions.
  1. +23 −0 quicksand_exploits.yara
@@ -799,3 +799,26 @@ rule warning_vb_fileio {
condition:
1 of them
}
rule warning_EPS_xor_exec {
meta:
is_exploit = false
is_warning = true
is_feature = true
rank = 5
revision = "1"
date = "May 11 2017"
author = "@tylabs"
release = "lite"
copyright = "QuickSand.io (c) Copyright 2017. All rights reserved."
tlp = "green"
sigtype = "cryptam_exploit"
desc = "EPS obfuscation using xor and exec"
strings:
$h1 = "%!PS-Adobe-" nocase
$s1 = "mod get xor put"
$s2 = "exec quit"
condition:
$h1 at 0 and all of ($s*)
}
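Review bot: `$s1` and `$s2` in `warning_EPS_xor_exec` are exact ASCII literals, so the rule matches only when the PostScript operators are separated by single spaces. PostScript accepts any run of whitespace between tokens, so the same decode loop laid out across lines or with tabs would not be flagged. Whitespace-tolerant patterns such as `$s1 = /mod\s+get\s+xor\s+put/` and `$s2 = /exec\s+quit/` would keep the signature stable against reformatting. Separately, `$h1 at 0` assumes the scanned buffer starts with the text header, but an EPS carrying a DOS binary preview header (magic `C5 D0 D3 C6`) has `%!PS-Adobe-` further into the file. Unless QuickSand passes the rule the extracted PostScript stream (not visible here), it is worth checking whether the anchor should be a small offset range instead.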
