// Hunting rule for RTF documents whose embedded object stream carries a
// hex-encoded PE file and a VPN/proxy-looking file name. RTF \objdata
// streams store the object as hex text, so every string below is the hex
// encoding of an ASCII sequence and the rule matches that hex text, not
// raw bytes. It is tagged "Hunting": expect noise and triage hits rather
// than alerting on them directly.
rule M_Hunting_VPNEngine_RTF_Embedded_1 {
	meta:
		description = "Detects a suspicious string often used in PE files in a hex encoded object stream along with a VPN or proxy filename in the hex object."
		author = "Mandiant"
		// presumably the reference sample the rule was written against — TODO confirm
		md5 = "befec87a9742ba8e8f6e61e1133f55fb"
	strings:
		// Hex encoding of "This program cannot be run in DOS mode", the text
		// found in the DOS stub of most PE files.
		$pe = "546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f6465"
		// Hex encoding of the start of a DOS header: "4d5a" ("MZ"), then 19-21
		// characters (one digit of slack either side of the 20 hex digits that
		// make up the next 10 header bytes), then "ffff" — consistent with the
		// usual e_maxalloc value at header offset 12. Note the class is
		// [a-zA-Z0-9], not pure hex [0-9a-fA-F], and the atoms are lowercase
		// only, so an uppercase hex stream does not match this string.
		$mz = /4d5a[a-zA-Z0-9]{19,21}ffff/
		// Each $vpn* string is the hex of a keyword, up to 20 further
		// characters (at most 10 encoded bytes of file name), then hex ".exe"
		// (2e657865) or ".dll" (2e646c6c). Covered keywords are "VPN", "vpn",
		// "proxy", "Proxy" and "PROXY"; other casings such as "Vpn" are not.
		// 56504e = "VPN"
		$vpn1 = /56504e[a-zA-Z0-9]{0,20}(2e657865|2e646c6c)/
		// 76706e = "vpn"
		$vpn2 = /76706e[a-zA-Z0-9]{0,20}(2e657865|2e646c6c)/
		// 70726f7879 = "proxy"
		$vpn3 = /70726f7879[a-zA-Z0-9]{0,20}(2e657865|2e646c6c)/
		// 50726f7879 = "Proxy"
		$vpn4 = /50726f7879[a-zA-Z0-9]{0,20}(2e657865|2e646c6c)/
		// 50524f5859 = "PROXY"
		$vpn5 = /50524f5859[a-zA-Z0-9]{0,20}(2e657865|2e646c6c)/
	condition:
		// uint16() is little-endian, so 0x5C7B means bytes 7B 5C = "{\" at
		// offset 0, i.e. the file must begin with the RTF header ("{\rtf");
		// a leading BOM or whitespace defeats this check. Then either PE
		// marker plus at least one VPN/proxy file name.
		// NOTE(review): none of the regexes tolerate whitespace or line breaks
		// inside the hex run, and all atoms are lowercase, so whitespace-broken
		// or uppercase \objdata streams are not matched — confirm this is
		// acceptable before relying on the rule for coverage.
		filesize < 15MB and (uint16(0) == 0x5C7B) and ($pe or $mz) and (1 of ($vpn*))
}
Type Yara Rule
Source report: "Burrowing your way into VPNs, Proxies, and Tunnels" (Mandiant, website), published 2022-06-29; the MISP event lists 106 attributes.