
Updated Yara

Open · staaldraad opened this issue 7 years ago · 1 comment

Hi!

Great work with this :+1:

I've found that the current Yara rule can easily be bypassed as it misses an optional property that can easily be added to the w:fldChar element. I wrote about it here: staaldraad.github.io

The following should be modified: https://github.com/InQuest/yara-rules/blob/ffc44ae528c580427262aab6f95f42609aa4f3d6/Microsoft_Office_DDE_Command_Execution.rule#L53

I think this should work:

<w:fldChar\s+?w:fldCharType="begin"\s+?(w:dirty="(true|false)")?\s+?\/>.+?\b[Dd][Dd][Ee]\b.+?<w:fldChar\s+?w:fldCharType="end"\/>

The real main thing is to check for the optional w:dirty="true" attribute.

I've also added another way that DDE can be embedded, with the fldSimple element (also in the blog). I don't think any Yara rules currently exist for this. My regex is bad and I've got no Yara experience but I think this should be ok:

/w:fldSimple\s*w:instr="\s*([Dd][Dd][Ee])/

Thanks for the hard work!

staaldraad · Oct 23 '17 15:10
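An added check harness, not part of this issue or of the InQuest rule set, that runs the two patterns proposed above unchanged (transcribed from YARA regex syntax into Python's re, which shares every construct used here) against constructed document.xml fragments, including the plain fldChar form with no w:dirty attribute, so a reviewer can see exactly what each pattern does and does not match before it goes into a PR:

```python
import re

# The two patterns proposed in the issue, copied as written.
FLDCHAR_DDE = re.compile(
    r'<w:fldChar\s+?w:fldCharType="begin"\s+?(w:dirty="(true|false)")?\s+?\/>'
    r'.+?\b[Dd][Dd][Ee]\b.+?<w:fldChar\s+?w:fldCharType="end"\/>',
    re.DOTALL,  # a field spans several <w:r> runs, which may sit on separate lines
)
FLDSIMPLE_DDE = re.compile(r'w:fldSimple\s*w:instr="\s*([Dd][Dd][Ee])')

# Constructed word/document.xml fragments (not taken from any real document);
# the DDE arguments are placeholders, only the field structure matters here.
SAMPLES = {
    # the bypass described in the issue: optional w:dirty attribute on the begin marker
    "fldchar_dirty": (
        '<w:r><w:fldChar w:fldCharType="begin" w:dirty="true" /></w:r>'
        '<w:r><w:instrText xml:space="preserve"> DDE "app" "topic" </w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    ),
    # the plain begin marker with no attribute: the two mandatory \s+? either side of
    # the optional group need at least two whitespace characters, so as written the
    # proposed fldChar pattern does not match this form
    "fldchar_plain": (
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        '<w:r><w:instrText xml:space="preserve"> DDE "app" "topic" </w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    ),
    # the second embedding described in the issue: a single fldSimple element
    "fldsimple": '<w:fldSimple w:instr=" DDE &quot;app&quot; &quot;topic&quot; "><w:r/></w:fldSimple>',
    # an ordinary DATE field, dirty flag set, to confirm neither pattern fires on it
    "benign_date": (
        '<w:r><w:fldChar w:fldCharType="begin" w:dirty="true" /></w:r>'
        '<w:r><w:instrText xml:space="preserve"> DATE \\@ "d MMMM yyyy" </w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    ),
}


def scan(xml):
    """Return the names of the proposed patterns that fire on one fragment."""
    hits = []
    if FLDCHAR_DDE.search(xml):
        hits.append("fldChar")
    if FLDSIMPLE_DDE.search(xml):
        hits.append("fldSimple")
    return hits


def scan_all(samples=SAMPLES):
    """Map each sample name to the list of patterns that matched it."""
    return {name: scan(xml) for name, xml in samples.items()}
```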

@staaldraad apologies for the insanely long delay in responding to you, totally slipped by me. Thanks for your kind words and detailed description. Would you make a PR so that the credit for the commit goes to you?

pedramamini · May 09 '18 22:05