(YARA) YARA_Detect_ShortcutHiding
```yara
rule YARA_Detect_ShortcutHiding
{
    meta:
        author = "Unprotect"
        status = "Experimental"
        description = "YARA rule for detecting Windows shortcuts with embedded malicious code"
    strings:
        $payload_start = "&(for %i in (*.lnk) do certutil -decode %i"
        $payload_end = "&start"
        $encoded_content = "BEGIN CERTIFICATE"
    condition:
        all of them
}
```
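The rule above is a plain strings-plus-condition rule, so its matching logic can be emulated directly. The following is an added example and not code from the Unprotect project: it re-implements the three rule strings and the `all of them` condition in Python, runs them over constructed byte blobs (a 0x4C-byte LNK header stub followed by the rule's own strings and a certutil-style block whose content is just the word PLACEHOLDER; no real shortcut or payload), and goes one step beyond the rule by emulating YARA's `wide` modifier to show what happens when a shortcut stores its argument string as UTF-16. The function names and all sample bytes are this example's own assumptions.

```python
"""Added example, not part of the Unprotect page: a pure-Python emulation of the
YARA_Detect_ShortcutHiding condition so the rule's behaviour can be studied on
constructed samples without a YARA engine installed."""
import base64

# The three text strings from the rule. A YARA text string with no modifier
# matches its exact ASCII bytes, case-sensitively, at any offset in the file.
RULE_STRINGS: dict[str, bytes] = {
    "$payload_start": b"&(for %i in (*.lnk) do certutil -decode %i",
    "$payload_end": b"&start",
    "$encoded_content": b"BEGIN CERTIFICATE",
}


def _encodings(pattern: bytes, wide: bool) -> list[bytes]:
    """ASCII form only, or ASCII plus the UTF-16LE form that YARA's `wide` adds."""
    forms = [pattern]
    if wide:
        forms.append(pattern.decode("ascii").encode("utf-16-le"))
    return forms


def find_strings(data: bytes, wide: bool = False) -> dict[str, list[int]]:
    """Offsets of every occurrence of each rule string, like `yara -s` output."""
    hits: dict[str, list[int]] = {}
    for name, pattern in RULE_STRINGS.items():
        offsets: list[int] = []
        for form in _encodings(pattern, wide):
            start = 0
            while (idx := data.find(form, start)) != -1:
                offsets.append(idx)
                start = idx + 1
        hits[name] = sorted(offsets)
    return hits


def matches_shortcut_hiding(data: bytes, wide: bool = False) -> bool:
    """The rule's condition is `all of them`: every string must occur at least once."""
    return all(find_strings(data, wide).values())


# Constructed fixtures (not real shortcuts): a HeaderSize/CLSID stub padded to the
# 0x4C-byte LNK header length, an argument string, and for the suspicious cases a
# certutil-style encoded block whose decoded content is only the word PLACEHOLDER.
LNK_HEADER = b"L\x00\x00\x00" + b"\x01\x14\x02\x00" + b"\x00" * 0x44
CERT_BLOCK = (
    b"-----BEGIN CERTIFICATE-----\r\n"
    + base64.b64encode(b"PLACEHOLDER") + b"\r\n"
    + b"-----END CERTIFICATE-----\r\n"
)
ARGS = b"/c notepad.exe&(for %i in (*.lnk) do certutil -decode %i x)&start x"

SUSPICIOUS_SAMPLE = LNK_HEADER + ARGS + b"\x00" + CERT_BLOCK                   # all three strings, ASCII
WIDE_SAMPLE = LNK_HEADER + ARGS.decode().encode("utf-16-le") + CERT_BLOCK      # arguments stored as UTF-16LE
PARTIAL_SAMPLE = LNK_HEADER + b"/c start notepad.exe&start calc\x00" + CERT_BLOCK  # no decode loop
BENIGN_SAMPLE = LNK_HEADER + b"/c notepad.exe C:\\notes.txt\x00"               # ordinary shortcut


if __name__ == "__main__":
    for label, sample in [("suspicious", SUSPICIOUS_SAMPLE), ("wide", WIDE_SAMPLE),
                          ("partial", PARTIAL_SAMPLE), ("benign", BENIGN_SAMPLE)]:
        print(f"{label:10s} ascii-only={matches_shortcut_hiding(sample)!s:5} "
              f"ascii+wide={matches_shortcut_hiding(sample, wide=True)}")
```

The partial sample shows why `all of them` matters: a file that merely contains `&start` and a certificate header does not fire, only the combination with the decode loop does. The `wide=True` run shows the caveat a practitioner should keep in mind with this rule: a YARA text string with no modifier matches ASCII only, so if the shortcut's argument string is stored as UTF-16, the `$payload_start` and `$payload_end` strings would need the `wide` modifier (typically written `ascii wide`) to match. This emulation is for study; deploy the rule itself with YARA.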
Associated Techniques
Technique Name | Technique IDs | Snippet(s) | OS |
---|---|---|---|
Shortcut Hiding | U0505 | | |
Created: December 13, 2022
Last Revised: December 13, 2022