
(YARA) YARA_Detect_ShortcutHiding
Updated 9 months, 2 weeks ago.
```yara
rule YARA_Detect_ShortcutHiding
{
    meta:
        author = "Unprotect"
        status = "Experimental"
        description = "YARA rule for detecting Windows shortcuts with embedded malicious code"

    strings:
        // Command-line fragment that loops over .lnk files and feeds each to certutil -decode
        $payload_start = "&(for %i in (*.lnk) do certutil -decode %i"
        // Fragment that launches the decoded output
        $payload_end = "&start"
        // PEM header certutil expects around the base64 payload appended to the shortcut
        $encoded_content = "BEGIN CERTIFICATE"

    condition:
        all of them
}
```
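As an added example (not part of the Unprotect page or the rule itself), the following Python mirrors the rule's three-marker "all of them" condition in plain code and, on a hit, recovers the certutil-style block so a responder can see what the shortcut would decode. The sample input is constructed with a harmless payload; yara-python is not required.

```python
import base64
import re
from typing import Optional

# Markers copied from the Unprotect YARA rule above.
PAYLOAD_START = b"&(for %i in (*.lnk) do certutil -decode %i"
PAYLOAD_END = b"&start"
ENCODED_CONTENT = b"BEGIN CERTIFICATE"

# certutil -decode consumes a PEM-style block; this captures its base64 body.
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def matches_rule(data: bytes) -> bool:
    """Equivalent of the rule's condition: every marker must be present."""
    return all(marker in data for marker in (PAYLOAD_START, PAYLOAD_END, ENCODED_CONTENT))


def recover_payload(data: bytes) -> Optional[bytes]:
    """Decode the first certutil-style block the way certutil -decode would, for triage."""
    found = PEM_BLOCK.search(data)
    if not found:
        return None
    try:
        # validate=False drops newlines/whitespace, matching certutil's tolerant parsing
        return base64.b64decode(found.group(1), validate=False)
    except ValueError:
        return None


def build_sample() -> bytes:
    """Constructed input approximating the text region of a shortcut built this way.

    The hidden payload is a harmless echo; only the rule's markers are reproduced.
    """
    hidden = b"echo constructed harmless sample"
    pem = (b"-----BEGIN CERTIFICATE-----\n"
           + base64.encodebytes(hidden)
           + b"-----END CERTIFICATE-----\n")
    cmdline = PAYLOAD_START + b" out.tmp" + PAYLOAD_END + b" out.tmp\n"
    return cmdline + pem


def scan_bytes(data: bytes) -> Optional[bytes]:
    """Return the decoded payload when the rule fires, else None (no match or undecodable)."""
    return recover_payload(data) if matches_rule(data) else None
```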
Associated Techniques
Technique Name | Technique ID | Has Snippet(s)
---|---|---
Shortcut Hiding | U0505 |