(YARA) YARA_Detect_ShortcutHiding

Created the . Updated 1 year, 4 months ago.

            rule YARA_Detect_ShortcutHiding
{
    meta:
        author = "Unprotect"
        status = "Experimental"
        description = "YARA rule for detecting Windows shortcuts with embedded malicious code"
    strings:
        $payload_start = "&(for %i in (*.lnk) do certutil -decode %i"
        $payload_end = "&start"
        $encoded_content = "BEGIN CERTIFICATE"
    condition:
        all of them
}

Download Raw

Associated Techniques

Technique Name	Technique ID's	Has Snippet(s)
Shortcut Hiding	U0505