rule Utilprintf: decodedPDF
{
    // Flags PDF JavaScript that names the util.printf API referenced by CVE-2008-2992.
    // NOTE(review): only the bare API name is matched, so any document that calls
    // util.printf for ordinary formatting will fire this rule too; the arguments
    // passed to the call are not inspected.
    meta:
        ref = "CVE-2008-2992"
        hide = true
    strings:
        $cve20082992 = "util.printf" nocase fullword
    condition:
        $cve20082992
}
rule SpellcustomDictionaryOpen: decodedPDF
{
    // Flags the spell.customDictionaryOpen API named in CVE-2009-1493.
    // Case-insensitive, whole-word match on the dotted API name only; a
    // bracket-notation call (spell["customDictionaryOpen"]) would not be seen here.
    meta:
        ref = "CVE-2009-1493"
        hide = true
    strings:
        $cve20091493 = "spell.customDictionaryOpen" nocase fullword
    condition:
        $cve20091493
}
rule MSIEUseAfterFree: decodedOnly
{
    // Heuristic for CVE-2010-0249: fires only when all four identifiers are present.
    // NOTE(review): every one of these tokens is a standard DOM API name that
    // ordinary page scripts commonly use, so co-occurrence alone is a weak signal
    // for impact = 5 — expect false positives on benign, script-heavy pages.
    meta:
        ref = "CVE-2010-0249"
        hide = true
        impact = 5
    strings:
        $cve20100249_1 = "createEventObject" nocase fullword
        $cve20100249_2 = "getElementById" nocase fullword
        $cve20100249_3 = "onload" nocase fullword
        $cve20100249_4 = "srcElement" nocase fullword
    condition:
        $cve20100249_1 and $cve20100249_2 and $cve20100249_3 and $cve20100249_4
}
rule getAnnots: decodedPDF
{
    // Flags the getAnnots API named in CVE-2009-1492.
    // Impact is deliberately lower than the other CVE rules because getAnnots
    // has legitimate uses in PDF JavaScript; treat a hit as a lead, not a verdict.
    meta:
        impact = 3
        ref = "CVE-2009-1492"
        hide = true
    strings:
        $cve20091492 = "getAnnots" nocase fullword
    condition:
        $cve20091492
}
rule mediaNewplayer: decodedPDF
{
    // Flags the media.newPlayer API named in CVE-2009-4324.
    // Whole-word, case-insensitive match on the dotted name; arguments are not checked.
    meta:
        ref = "CVE-2009-4324"
        hide = true
    strings:
        $cve20094324 = "media.newPlayer" nocase fullword
    condition:
        $cve20094324
}
rule collectEmailInfo: decodedPDF
{
    // Flags the collab.collectEmailInfo API named in CVE-2007-5659.
    // Matches the dotted form only; the PDFobfuscation rule in this file covers
    // the bracket-notation variant (collab[...]) that would slip past this string.
    meta:
        ref = "CVE-2007-5659"
        hide = true
    strings:
        $cve20075659 = "collab.collectEmailInfo" nocase fullword
    condition:
        $cve20075659
}
rule CollabgetIcon: decodedPDF
{
    // Flags the collab.getIcon API named in CVE-2009-0927.
    // Matches the dotted form only; the PDFobfuscation rule in this file covers
    // the bracket-notation variant (collab[...]) that would slip past this string.
    meta:
        ref = "CVE-2009-0927"
        hide = true
    strings:
        $cve20090927 = "collab.getIcon" nocase fullword
    condition:
        $cve20090927
}
rule PDFobfuscation: decodedPDF
{
    // Catches bracket-notation access to the collab object (collab["..."] / collab[x]).
    // The dotted-name rules in this file (collab.getIcon, collab.collectEmailInfo)
    // use fullword literals and would miss this form, so any bracket access is
    // treated as a likely attempt to hide which method is being called.
    // Deliberately not fullword: a preceding alphanumeric character still matches.
    meta:
        impact = 5
    strings:
        $cveNOMATCH = "collab[" nocase
    condition:
        $cveNOMATCH
}
rule UnconfirmedPDFexploit: decodedPDF
{
    // Informational (impact = 0) sweep for API names that have been associated
    // with PDF vulnerabilities but whose exploitation is unconfirmed here.
    // Each string identifier carries the CVE id it was taken from.
    meta:
        impact = 0
    strings:
        $cve20084813 = "getCosObj" nocase fullword
        $cve20082042 = "app.checkForUpdate" nocase fullword
        $cve20080726 = "printSepsWithParams" nocase fullword
        $cve20073902 = "setExpression" nocase fullword
        $cve20090773 = "ResizeSlots" nocase fullword
    condition:
        any of them
}
rule DecodedGenericCLSID : decodedOnly
{
    // Informational (impact = 0): any 8-4-4-4-12 hex GUID pattern in decoded content.
    // NOTE(review): the regex is unanchored and not fullword, so it also matches
    // GUIDs embedded in longer hex runs and any GUID at all, not just ActiveX CLSIDs;
    // use it to surface candidates for the specific CLSID rules, not as a verdict.
    meta:
        impact = 0
    strings:
        $gen = /[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/ nocase
    condition:
        $gen
}
rule MSOfficeSnapshotViewer
{
    // Flags the three CLSIDs tied to CVE-2008-2463, written out as literal
    // strings instead of one alternation regex (same matches, plain literal search).
    // NOTE(review): unlike the other CVE rules in this file, this one carries no
    // decodedPDF/decodedOnly tag and no hide meta — confirm that is intentional.
    meta:
        ref = "CVE-2008-2463"
        impact = 7
    strings:
        $cve20082463_1 = "F0E42D50-368C-11D0-AD81-00A0C90DC8D9" nocase
        $cve20082463_2 = "F0E42D60-368C-11D0-AD81-00A0C90DC8D9" nocase
        $cve20082463_3 = "F2175210-368C-11D0-AD81-00A0C90DC8D9" nocase
    condition:
        any of them
}