(YARA) YARA_Detect_ShortcutHiding

Created the . Updated 1 year, 10 months ago.

rule YARA_Detect_ShortcutHiding
{
    meta:
        author = "Unprotect"
        status = "Experimental"
        description = "YARA rule for detecting Windows shortcuts with embedded malicious code"
    strings:
        $payload_start = "&(for %i in (*.lnk) do certutil -decode %i"
        $payload_end = "&start"
        $encoded_content = "BEGIN CERTIFICATE"
    condition:
        all of them
}
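As an added example (not from Unprotect or the rule's author), the Python below mirrors the rule's three strings and its "all of them" condition over constructed sample bytes, and decodes the PEM-wrapped blob for offline triage; the sample buffers, helper names and the LNK-like header bytes are assumptions, not real shortcut files.

```python
import base64
import re
from typing import Optional

# The three text strings from the YARA rule above, as bytes for binary scanning.
RULE_STRINGS = {
    "payload_start": b"&(for %i in (*.lnk) do certutil -decode %i",
    "payload_end": b"&start",
    "encoded_content": b"BEGIN CERTIFICATE",
}

# PEM-style block that certutil -decode would consume when the shortcut runs.
CERT_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def match_rule(data: bytes) -> dict:
    """Mirror the rule's 'all of them' condition: which strings hit, and whether all did."""
    hits = {name: (s in data) for name, s in RULE_STRINGS.items()}
    return {"hits": hits, "matched": all(hits.values())}


def extract_embedded_payload(data: bytes) -> Optional[bytes]:
    """Decode the base64 blob between the certificate markers so an analyst can
    hash and inspect the dropped file without ever launching the shortcut."""
    m = CERT_BLOCK.search(data)
    if m is None:
        return None
    try:
        return base64.b64decode(m.group(1))  # newlines are skipped, like certutil
    except ValueError:  # binascii.Error: malformed base64
        return None


def triage(data: bytes) -> dict:
    """Rule verdict plus the decoded payload, extracted only when the rule fires."""
    result = match_rule(data)
    result["payload"] = extract_embedded_payload(data) if result["matched"] else None
    return result


# Constructed samples (not real LNK files): raw bytes carrying the rule's strings
# and a PEM-wrapped base64 blob whose decoded content is a harmless marker.
_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(b"constructed benign payload")
        + b"-----END CERTIFICATE-----\n")
SAMPLE_SUSPICIOUS = (b"L\x00\x00\x00cmd.exe /c " + RULE_STRINGS["payload_start"] + b" OUTFILE"
                     + RULE_STRINGS["payload_end"] + b" OUTFILE\r\n" + _PEM)
SAMPLE_PEM_ONLY = _PEM  # an ordinary certificate file: must NOT match (no command strings)
SAMPLE_BENIGN = b"L\x00\x00\x00cmd.exe /c start notepad.exe\r\n"

if __name__ == "__main__":
    for label, blob in (("suspicious", SAMPLE_SUSPICIOUS), ("pem only", SAMPLE_PEM_ONLY),
                        ("benign", SAMPLE_BENIGN)):
        print(label, triage(blob))
```

The PEM-only sample shows why the rule requires all three strings: a plain certificate file carries "BEGIN CERTIFICATE" but none of the command-line markers, so it does not fire.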

Associated Techniques

Technique Name   | Technique IDs | Snippet(s) | OS
Shortcut Hiding  | U0505         |            |