(YARA) YARA_Check_installed_software

Created the . Updated 9 months, 1 week ago.

            import "pe"

rule check_installed_software {
    meta:
        description = "Detect check installed software through registry"
        author = "Thomas Roccia | @fr0gger_"
    strings:
        $s1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall" wide

    condition:
       uint16(0) == 0x5A4D and $s1 or
       pe.imports("Advapi32.dll", "RegQueryValueEx")
}

Download Raw

Associated Techniques

No associated technique found so far.