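// Detection signature converted from a Microsoft Defender PEHSTR_EXT entry
// (meta.description header: 5 strings, each with weight 1, threshold 3).
// The strings are file-system / AppX package path fragments; at least three
// of the five must be present in the scanned file for the rule to fire.
rule Exploit_Win64_Sandsquarev_B
{
    meta:
        description = "Exploit:Win64/Sandsquarev.B,SIGNATURE_TYPE_PEHSTR_EXT,03 00 03 00 05 00 00 "

    strings:
        // ASCII: \Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe   (weight 1)
        $a_80_0 = {5c 50 61 63 6b 61 67 65 73 5c 4d 69 63 72 6f 73 6f 66 74 2e 4d 69 63 72 6f 73 6f 66 74 45 64 67 65 5f 38 77 65 6b 79 62 33 64 38 62 62 77 65 }
        // UTF-16LE: MicrosoftEdge_ <0-20 wildcard bytes> _neutral__8wekyb3d8bbwe\   (weight 1)
        $a_02_1 = {4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 45 00 64 00 67 00 65 00 5f 00 [0-20] 5f 00 6e 00 65 00 75 00 74 00 72 00 61 00 6c 00 5f 00 5f 00 38 00 77 00 65 00 6b 00 79 00 62 00 33 00 64 00 38 00 62 00 62 00 77 00 65 00 5c 00 }
        // ASCII: MicrosoftEdge_ <0-20 wildcard bytes> _neutral__8wekyb3d8bbwe\   (weight 1)
        $a_02_2 = {4d 69 63 72 6f 73 6f 66 74 45 64 67 65 5f [0-20] 5f 6e 65 75 74 72 61 6c 5f 5f 38 77 65 6b 79 62 33 64 38 62 62 77 65 5c }
        // ASCII: :\windows\win.ini   (weight 1)
        $a_80_3 = {3a 5c 77 69 6e 64 6f 77 73 5c 77 69 6e 2e 69 6e 69 }
        // ASCII: \settings\settings.dat   (weight 1)
        $a_80_4 = {5c 73 65 74 74 69 6e 67 73 5c 73 65 74 74 69 6e 67 73 2e 64 61 74 }

    condition:
        // Every string carries weight 1 and the threshold is 3, so the
        // weighted sum reduces to "at least three strings present".
        // The converted form summed `#x & 1`, which is the low bit of the
        // match count: a string occurring an even number of times
        // contributed 0, so a file could hold all five strings and still
        // not match. PEHSTR_EXT thresholds count presence, which is what
        // `3 of` tests.
        3 of ($a_*)
}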