third_party/yara/bartblaze Expand file tree Collapse file tree 3 files changed +31
-2
lines changed Original file line number Diff line number Diff line change @@ -11,7 +11,7 @@ rule RoyalRoad_RTF
1111 sharing = " TLP:CLEAR "
1212 source = " BARTBLAZE "
1313 author = " @bartblaze "
14- description = " Identifies RoyalRoad RTF, used by multiple China-based APT groups. "
14+ description = " Identifies RoyalRoad RTF, used by multiple China-nexus APT groups. "
1515 category = " MALWARE "
1616 malware = " ROYALROAD "
1717 malware_type = " EXPLOITKIT "
Original file line number Diff line number Diff line change 1- 9f699cd0b0949da4f4991547514dbeaf1c432114
1+ 12ad80662dba724a39f9ad8d5fad005a8be7ba54
Original file line number Diff line number Diff line change 1+ rule GrimResource
2+ {
3+ meta :
4+ id = " 6AllkuLIfG9lO9ZRaxm6Ni "
5+ fingerprint = " v1_sha256_9d266207dd5688a68a837d9d764aa7390183a8b551b0524e6d21f80a34afeb29 "
6+ version = " 1.0 "
7+ date = " 2025-12-15 "
8+ modified = " 2025-12-15 "
9+ status = " RELEASED "
10+ sharing = " TLP:CLEAR "
11+ source = " BARTBLAZE "
12+ author = " @bartblaze "
13+ description = " Identifies GrimResource and potential derivatives or variants. "
14+ category = " INFO "
15+ reference = " https://www.elastic.co/security-labs/grimresource "
16+
17+ strings :
18+ $ xml = " <?xml "
19+
20+ $ grim_a = " MMC_ConsoleFile "
21+ $ grim_b = " .loadXML( "
22+
23+ $ other_a = " ActiveXObject "
24+ $ other_b = " ms:script "
25+ $ other_c = " CDATA "
26+
27+ condition :
28+ $ xml at 0 and (all of ($ grim_ * ) or all of ($ other_ * ))
29+ }
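Review bot: The `$xml at 0` gate in the condition excludes otherwise-matching documents that begin with a byte-order mark, because the `<?xml` declaration then sits at offset 2 or 3 rather than 0; `$xml in (0..3)` keeps the "starts as an XML document" check while tolerating a BOM, and adding `wide` to the string definitions (`$xml = "<?xml" ascii wide`, likewise for `$grim_*`/`$other_*`) would cover UTF-16 encoded files if those are in scope for this ruleset. Separately, the `$other_*` branch (`ActiveXObject`, `ms:script`, `CDATA`) describes scripted XSLT in general rather than anything tied to `MMC_ConsoleFile`, so benign transform files will satisfy it; the `INFO` category suggests this is accepted, but the description only mentions GrimResource, so a short note such as `description = "Identifies GrimResource (MMC console files carrying script) and, more broadly, XML documents embedding ms:script blocks; the latter is low-fidelity."` would make the expected false-positive profile explicit for triage. A minor readability point: the two string groups are used as alternatives, and a one-line comment above each (`// GrimResource-specific` / `// generic scripted-XML markers`) would make that intent clear without reading the condition.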