@edeca
Last active January 6, 2023 02:14
Revisions

  1. edeca revised this gist Feb 3, 2020. 1 changed file with 17 additions and 5 deletions.
    22 changes: 17 additions & 5 deletions mstscax_ole.yar
    @@ -1,7 +1,7 @@
    rule terminal_services_scripting {
    meta:
    author = "David Cannings"
    description = "Microsoft Terminal Srvices Client Control (not safe for scripting)"
    description = "Microsoft Terminal Services Client Control (not safe for scripting)"
    ref = "https://twitter.com/joe4security/status/1221765460502421504?s=20%E2%80%9D"
    generated_by = "yaml2yara, see https://github.com/nccgroup/yaml2yara/"

    @@ -28,34 +28,46 @@ rule terminal_services_scripting {
    $embedded_comp_obj = "Comp Obj" wide
    $embedded_obj_info = "Obj Info" wide
    $embedded_ole10 = "Ole10Native" wide
    $data0 = "1DF7C823-B2D4-4B54-975A-F2AC5D7CF8B8" nocase wide ascii
    $data0 = "1DF7C823-B2D4-4B54-975A-F2AC5D7CF8B8" nocase wide ascii
    $data1 = { 23C8F71DD4B2544B975AF2AC5D7CF8B8 }
    $data2 = "3523c2fb-4031-44e4-9a3b-f1e94986ee7f" nocase wide ascii
    $data3 = { fbc223353140e4449a3bf1e94986ee7f }
    $data4 = "4eb2f086-c818-447e-b32c-c51ce2b30d31" nocase wide ascii
    $data5 = { 86f0b24e18c87e44b32cc51ce2b30d31 }
    $data6 = "54d38bf7-b1ef-4479-9674-1bd6ea465258" nocase wide ascii
    $data7 = { f78bd354efb1794496741bd6ea465258 }
    $data8 = "6AE29350-321B-42be-BBE5-12FB5270C0DE" nocase wide ascii
    $data9 = { 5093E26A1B32be42BBE512FB5270C0DE }
    $data10 = "7cacbd7b-0d99-468f-ac33-22e495c0afe5" nocase wide ascii
    $data11 = { 7bbdac7c990d8f46ac3322e495c0afe5 }
    $data12 = "8B918B82-7985-4C24-89DF-C33AD2BBFBCD" nocase wide ascii
    $data13 = { 828B918B8579244C89DFC33AD2BBFBCD }
    $data14 = "A0C63C30-F08D-4AB4-907C-34905D770C7D" nocase wide ascii
    $data15 = { 303CC6A08DF0B44A907C34905D770C7D }
    $data16 = "A3BC03A0-041D-42E3-AD22-882B7865C9C5" nocase wide ascii
    $data17 = { A003BCA31D04E342AD22882B7865C9C5 }
    $data18 = "ace575fd-1fcf-4074-9401-ebab990fa9de" nocase wide ascii
    $data19 = { fd75e5accf1f74409401ebab990fa9de }
    $data20 = "d2ea46a7-c2bf-426b-af24-e19c44456399" nocase wide ascii
    $data21 = { a746ead2bfc26b42af24e19c44456399 }
    $data22 = "MsTscAx.MsTscAx" nocase wide ascii
    $data23 = "b'4d7354736341782e4d735473634178'" nocase wide ascii
    $data22 = "MsTscAx.MsTscAx" nocase wide ascii
    $data23 = "4d7354736341782e4d735473634178" nocase wide ascii
    condition:
    // Mandatory header plus sign of embedding, then any of the others
    for any of ($header*) : ( @ == 0 ) and 1 of ($embedded*)
    and (1 of ($data*))
    }
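Review bot: The `ref` URL in the first hunk still ends in `%E2%80%9D`, a URL-encoded closing quote that was pasted in with the link and survives this revision unchanged; the new side should read `ref = "https://twitter.com/joe4security/status/1221765460502421504?s=20"`. In the second hunk the corrected `$data23` value is the hex encoding of the `MsTscAx.MsTscAx` ProgID held in `$data22` (4d 73 54 73 63 41 78 2e …), which a reader cannot tell from the digits alone, so a comment above it such as `// hex-encoded form of the MsTscAx.MsTscAx ProgID in $data22` would make the pair self-documenting. The rule body begins before this hunk; the rendered page has lost the add/remove markers, so which of the `$data1`–`$data21` lines were re-emitted cannot be told from the listing.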
  2. edeca created this gist Jan 29, 2020.
    61 changes: 61 additions & 0 deletions mstscax_ole.yar
    @@ -0,0 +1,61 @@
    rule terminal_services_scripting {
    meta:
    author = "David Cannings"
    description = "Microsoft Terminal Srvices Client Control (not safe for scripting)"
    ref = "https://twitter.com/joe4security/status/1221765460502421504?s=20%E2%80%9D"
    generated_by = "yaml2yara, see https://github.com/nccgroup/yaml2yara/"

    strings:
    // Parsers will open files without the full 'rtf'
    $header_rtf = "{\\rt" nocase
    $header_office = { D0 CF 11 E0 }
    $header_xml = "<?xml version=" nocase wide ascii
    // Marks of embedded data (reduce FPs)
    // RTF format
    $embedded_object = "\\object" nocase
    $embedded_objdata = "\\objdata" nocase
    $embedded_ocx = "\\objocx" nocase
    $embedded_objclass = "\\objclass" nocase
    $embedded_oleclass = "\\oleclsid" nocase
    // XML Office documents
    $embedded_axocx = "<ax:ocx" nocase wide ascii
    $embedded_axclassid = "ax:classid" nocase wide ascii
    // OLE format
    $embedded_root_entry = "Root Entry" wide
    $embedded_comp_obj = "Comp Obj" wide
    $embedded_obj_info = "Obj Info" wide
    $embedded_ole10 = "Ole10Native" wide
    $data0 = "1DF7C823-B2D4-4B54-975A-F2AC5D7CF8B8" nocase wide ascii
    $data1 = { 23C8F71DD4B2544B975AF2AC5D7CF8B8 }
    $data2 = "3523c2fb-4031-44e4-9a3b-f1e94986ee7f" nocase wide ascii
    $data3 = { fbc223353140e4449a3bf1e94986ee7f }
    $data4 = "4eb2f086-c818-447e-b32c-c51ce2b30d31" nocase wide ascii
    $data5 = { 86f0b24e18c87e44b32cc51ce2b30d31 }
    $data6 = "54d38bf7-b1ef-4479-9674-1bd6ea465258" nocase wide ascii
    $data7 = { f78bd354efb1794496741bd6ea465258 }
    $data8 = "6AE29350-321B-42be-BBE5-12FB5270C0DE" nocase wide ascii
    $data9 = { 5093E26A1B32be42BBE512FB5270C0DE }
    $data10 = "7cacbd7b-0d99-468f-ac33-22e495c0afe5" nocase wide ascii
    $data11 = { 7bbdac7c990d8f46ac3322e495c0afe5 }
    $data12 = "8B918B82-7985-4C24-89DF-C33AD2BBFBCD" nocase wide ascii
    $data13 = { 828B918B8579244C89DFC33AD2BBFBCD }
    $data14 = "A0C63C30-F08D-4AB4-907C-34905D770C7D" nocase wide ascii
    $data15 = { 303CC6A08DF0B44A907C34905D770C7D }
    $data16 = "A3BC03A0-041D-42E3-AD22-882B7865C9C5" nocase wide ascii
    $data17 = { A003BCA31D04E342AD22882B7865C9C5 }
    $data18 = "ace575fd-1fcf-4074-9401-ebab990fa9de" nocase wide ascii
    $data19 = { fd75e5accf1f74409401ebab990fa9de }
    $data20 = "d2ea46a7-c2bf-426b-af24-e19c44456399" nocase wide ascii
    $data21 = { a746ead2bfc26b42af24e19c44456399 }
    $data22 = "MsTscAx.MsTscAx" nocase wide ascii
    $data23 = "b'4d7354736341782e4d735473634178'" nocase wide ascii
    condition:
    // Mandatory header plus sign of embedding, then any of the others
    for any of ($header*) : ( @ == 0 ) and 1 of ($embedded*)
    and (1 of ($data*))
    }
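Review bot: Each `$data` hex pattern is the raw little-endian byte layout of the GUID string directly above it (`{ 23C8F71D D4B2 544B 975A F2AC5D7CF8B8 }` is `1DF7C823-B2D4-4B54-975A-F2AC5D7CF8B8` with the first three groups byte-reversed), but nothing in the file says so, and a generated list of 24 opaque strings is hard to audit without it. A one-line comment before `$data0`, for example `// Each CLSID appears as text and, on the next line, as its little-endian binary form`, would explain the pairing for whoever next regenerates or extends the list.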