DefenderYara/Exploit/Win64/CVE-2016-0040/Exploit_Win64_CVE-2016-0040...


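// Microsoft Defender signature Exploit:Win64/CVE-2016-0040.A rendered as a YARA rule.
// The family name ties it to CVE-2016-0040 (a Windows kernel bug reached through the
// WMI data device); the rule itself only asserts that the sample references the
// \\.\WMIDataDevice path, the IsMenu import, and three short x64 code fragments.
//
// Caveats for anyone reusing this:
//  - $a_01_1 .. $a_01_3 end in `ff 15 <disp32>` (call qword [rip+disp32]); the
//    displacement is fixed by the layout of one particular build, so any
//    recompiled or relinked variant of the exploit will not match these bytes.
//  - The device path and IsMenu are generic on their own (legitimate WMI clients
//    open \\.\WMIDataDevice); only the combination with the code fragments is
//    specific. Do not loosen the condition to "any of them".
//  - The original signature type (SIGNATURE_TYPE_PEHSTR) suggests Defender applied
//    it to PE files only; this YARA rule does not check for an MZ header. Adding
//    `uint16(0) == 0x5A4D` would narrow it to that scope — left out here to keep
//    the rule's coverage unchanged.
rule Exploit_Win64_CVE-2016-0040_A{
meta:
description = "Exploit:Win64/CVE-2016-0040.A,SIGNATURE_TYPE_PEHSTR,05 00 05 00 05 00 00 "
strings :
$a_01_0 = {5c 5c 2e 5c 57 4d 49 44 61 74 61 44 65 76 69 63 65 } //1 \\.\WMIDataDevice — device path the sample opens
// x64: mov r9d,0xB8 ; mov edx,0x228144 ; mov rcx,rsi ; mov dword [rsp+0x28],0x3E8 ;
//      mov [rsp+0x20],rax ; call qword [rip+0xD0E]
// With the Win64 ABI (rcx,rdx,r8,r9, then [rsp+0x20],[rsp+0x28]) this has the shape of
// DeviceIoControl(handle, 0x228144, <r8>, 0xB8, out, 0x3E8, ...) — plausible, not confirmed here.
$a_01_1 = {41 b9 b8 00 00 00 ba 44 81 22 00 48 8b ce c7 44 24 28 e8 03 00 00 48 89 44 24 20 ff 15 0e 0d 00 00 } //1
// x64: mov edx,0x400 ; xor ecx,ecx ; call qword [rip+0xEBE]  (a two-argument call with arg1=0, arg2=0x400)
$a_01_2 = {ba 00 04 00 00 33 c9 ff 15 be 0e 00 00 } //1
// x64: mov [rsp+0x60],ebp ; mov dword [rsp+0x64],2 ; call qword [rip+0xD3B]
$a_01_3 = {89 6c 24 60 c7 44 24 64 02 00 00 00 ff 15 3b 0d 00 00 } //1
$a_01_4 = {49 73 4d 65 6e 75 } //1 IsMenu — user32 export name, likely an import-table artefact of the exploit
condition:
// Every string carries weight 1 and the threshold is 5, i.e. all five must be present.
// The generated form `(#a & 1)*1 + ... >= 5` is NOT equivalent: `#a & 1` is the low bit
// of the match count, so a string that occurs an even number of times contributes 0 and
// the rule silently fails on samples with duplicated strings. `all of them` expresses
// the intended "present at least once" semantics.
all of them
}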