Xavier mentioned a YARA rule for the detection of DDE code injection in CSV files. A simple YARA rule to achieve this would look like this:

    rule csv_dde {
        strings:
            $a = "=cmd|"
        condition:
            $a
    }

This rule triggers on any file that contains the ASCII string "=cmd|". The rule is case-sensitive: it will only match the lowercase string cmd, and not CMD for example, although =CMD| can also be used for DDE command injection. A revised rule that handles this case uses the nocase string modifier:

    rule csv_dde {
        strings:
            $a = "=cmd|" nocase
        condition:
            $a
    }

Whitespace characters are allowed between = and cmd. A revised rule that handles this case uses a regular expression:

    rule csv_dde {
        strings:
            $a = /=\s*cmd\|/ nocase
        condition:
            $a
    }

\s is the escape sequence for a whitespace character, and * is a quantifier that specifies how many whitespace characters are allowed: from none (0) to unlimited. Since the pipe character | has a special meaning in regular expressions (alternation), it needs to be escaped: \|.

This YARA rule will match any file that contains this sequence, but the sequence does not lead to DDE command injection in all cases: it has to appear at the beginning of the file, at the beginning of a line (after a newline), or at the beginning of a cell (after a comma separator). Thus the revised rule becomes:

    rule csv_dde {
        strings:
            $a = /(^|\n|,)=\s*cmd\|/ nocase
        condition:
            $a
    }

Unfortunately, CSV files have no magic header, so we cannot specify a condition like "MZ" at 0 as we do for PE files. Thus we still risk matching many files that are not actually CSV files. That is the problem with a file format like CSV: because of the lack of a header, it can be difficult to write a program/rule to match CSV files. We can add some additional conditions, like looking for a small file size (condition: "$a and filesize < 10000" for example) and/or a low entropy (condition: "$a and math.entropy(0, filesize) < 5.0" for example).
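As an added illustration (not code from Didier's diary), here is a Python stand-in for the final rule: the same regular expression compiled with re.IGNORECASE to mirror the nocase modifier, plus the filesize and entropy conditions quoted above, run over a few constructed CSV snippets. The function names and the sample inputs are mine; the thresholds (10000 bytes, entropy 5.0) are the ones from the text. The payload after =cmd| is a neutral placeholder, since the rule only cares about the prefix.

```python
import math
import re

# Python translation of the YARA string  /(^|\n|,)=\s*cmd\|/ nocase
# Without re.MULTILINE, ^ only matches at offset 0, like YARA's ^ on the whole file.
CSV_DDE_RE = re.compile(rb"(^|\n|,)=\s*cmd\|", re.IGNORECASE)

MAX_SIZE = 10000      # mirrors  filesize < 10000
MAX_ENTROPY = 5.0     # mirrors  math.entropy(0, filesize) < 5.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, the quantity YARA's math.entropy() returns."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify(data: bytes) -> str:
    """Explain which part of the rule decides the verdict for one file's bytes.

    Returns "match" when all three conditions hold, otherwise the first
    condition that fails: "too-large", "high-entropy" or "no-string".
    """
    if len(data) >= MAX_SIZE:
        return "too-large"
    if shannon_entropy(data) >= MAX_ENTROPY:
        return "high-entropy"
    if CSV_DDE_RE.search(data) is None:
        return "no-string"
    return "match"


def matches_csv_dde(data: bytes) -> bool:
    """Boolean form of the rule: True only when classify() says "match"."""
    return classify(data) == "match"


# Constructed samples, one per case the rule revisions in the text address.
SAMPLES = {
    "after comma, lowercase":   b"id,note\n1,=cmd|x\n",
    "start of file, uppercase": b"=CMD|x,1\n",
    "whitespace after =":       b"a,= cmd|x\n",
    "after CRLF newline":       b"a,b\r\n=  cmd|x\n",
    "mid-cell, not a formula":  b"a,text =cmd|x\n",
    "space before pipe":        b"a,=cmd x|y\n",
    "string present, too big":  b"a,=cmd|x\n" + b"b,c\n" * 5000,
    "string present, binary":   bytes(range(256)) * 4 + b",=cmd|x",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:26s} size={len(blob):5d} "
              f"entropy={shannon_entropy(blob):4.2f} -> {classify(blob)}")
```

The size and entropy checks run before the pattern here only because they are cheap in Python; the verdict is the same as the YARA condition "$a and filesize < 10000 and math.entropy(0, filesize) < 5.0". One caveat when porting this back to YARA: math.entropy() is only available after adding import "math" at the top of the rule file.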
Note that I did not let performance considerations guide the development of this YARA rule. If you have ideas on how to further improve this rule, please post a comment.

Didier Stevens
DidierStevens, 533 Posts, ISC Handler, Oct 2nd 2018