-
Notifications
You must be signed in to change notification settings - Fork 69
/
onenote.rules
23 lines (16 loc) · 3.72 KB
/
onenote.rules
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
# detect any OneNote .one file
alert http any any -> any any (msg:"[MS-ONESTORE] .one GUID"; flow:established,from_server; file_data; content:"|E4 52 5C 7B 8C D8 A7 4D AE B1 53 78 D0 29 96 D3|"; classtype:policy-violation; reference:url,blog.didierstevens.com; reference:url,github.com/Neo23x0/signature-base/blob/master/yara/gen_onenote_phish.yar; sid:1000001; rev:1;)
# detect any file containing FileDataStoreObject's GUID
alert http any any -> any any (msg:"[MS-ONESTORE] FileDataStoreObject"; flow:established,from_server; file_data; content:"|E7 16 E3 BD 65 26 11 45 A4 C4 8D 4D 0B 7A 9E AC|"; classtype:policy-violation; reference:url,blog.didierstevens.com; reference:url,github.com/Neo23x0/signature-base/blob/master/yara/gen_onenote_phish.yar; sid:1000002; rev:1;)
# detect any file containing FileDataStoreObject's GUID embedding MZ file (PE file)
alert http any any -> any any (msg:"[MS-ONESTORE] FileDataStoreObject MZ"; flow:established,from_server; file_data; content:"|E7 16 E3 BD 65 26 11 45 A4 C4 8D 4D 0B 7A 9E AC|"; content:"MZ"; distance:20; within:2; reference:url,blog.didierstevens.com; reference:url,github.com/Neo23x0/signature-base/blob/master/yara/gen_onenote_phish.yar; classtype:policy-violation; sid:1000003; rev:1;)
# detect any file containing FileDataStoreObject's GUID embedding BAT file (file that starts with @echo off)
alert http any any -> any any (msg:"[MS-ONESTORE] FileDataStoreObject @echo off"; flow:established,from_server; file_data; content:"|E7 16 E3 BD 65 26 11 45 A4 C4 8D 4D 0B 7A 9E AC|"; content:"@echo off"; nocase; distance:20; within:9; reference:url,blog.didierstevens.com; reference:url,github.com/Neo23x0/signature-base/blob/master/yara/gen_onenote_phish.yar; classtype:policy-violation; sid:1000004; rev:1;)
# detect any file containing FileDataStoreObject's GUID embedding VBS file (file that starts with on error)
alert http any any -> any any (msg:"[MS-ONESTORE] FileDataStoreObject on error"; flow:established,from_server; file_data; content:"|E7 16 E3 BD 65 26 11 45 A4 C4 8D 4D 0B 7A 9E AC|"; content:"on error"; nocase; distance:20; within:8; reference:url,blog.didierstevens.com; reference:url,github.com/Neo23x0/signature-base/blob/master/yara/gen_onenote_phish.yar; classtype:policy-violation; sid:1000005; rev:1;)
# detect any file containing FileDataStoreObject's GUID embedding LNK file
alert http any any -> any any (msg:"[MS-ONESTORE] FileDataStoreObject LNK"; flow:established,from_server; file_data; content:"|E7 16 E3 BD 65 26 11 45 A4 C4 8D 4D 0B 7A 9E AC|"; content:"L|00 00 00|"; distance:20; within:4; classtype:policy-violation; reference:url,blog.didierstevens.com; reference:url,github.com/Neo23x0/signature-base/blob/master/yara/gen_onenote_phish.yar; sid:1000006; rev:1;)
# detect any file containing FileDataStoreObject's GUID embedding HTA file
alert http any any -> any any (msg:"[MS-ONESTORE] FileDataStoreObject HTA"; flow:established,from_server; file_data; content:"|E7 16 E3 BD 65 26 11 45 A4 C4 8D 4D 0B 7A 9E AC|"; content:"<HTA:APPLICATION"; nocase; distance:20; classtype:policy-violation; reference:url,blog.didierstevens.com; reference:url,github.com/Neo23x0/signature-base/blob/master/yara/gen_onenote_phish.yar; sid:1000007; rev:1;)
# detect any file containing FileDataStoreObject's GUID embedding HTA file - byte_extract variant
alert http any any -> any any (msg:"[MS-ONESTORE] FileDataStoreObject HTA byte_extract"; flow:established,from_server; file_data; content:"|E7 16 E3 BD 65 26 11 45 A4 C4 8D 4D 0B 7A 9E AC|"; byte_extract:8,0,size,relative,little; content:"<HTA:APPLICATION"; nocase; distance:20; within:size; classtype:policy-violation; reference:url,blog.didierstevens.com; reference:url,github.com/Neo23x0/signature-base/blob/master/yara/gen_onenote_phish.yar; sid:1000008; rev:1;)