Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/wdormann/statuses/113119934599938202">Will Dormann (wdormann@infosec.exchange)'s status on Thursday, 12-Sep-2024 01:47:43 JST</a><a href="https://infosec.exchange/@wdormann" title="wdormann@infosec.exchange"><img src="https://gnusocial.jp/avatar/232810-48-20240116185707.webp" width="48" height="48" alt="Will Dormann" style="position: absolute; left: 0; top: 0;">Will Dormann</a><div><a href="https://infosec.exchange/@wdormann/113114347330112579" rel="in-reply-to">in reply to</a></div></section><article><p>More than one month after Elastic Security Labs publicly described "LNK Stomping" (now CVE-2024-38217) exploit variants, the "path segment" variant has still zero detections on VirusTotal.</p><p>I slapped together a naive YARA rule that seems to work well to detect this variant of CVE-2024-38217 exploits:<br><a href="https://gist.github.com/wdormann/7379c4c4fb0631d8ec6a5b12d50ba782" rel="nofollow noreferrer">https://gist.github.com/wdormann/7379c4c4fb0631d8ec6a5b12d50ba782</a></p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/3651109#notice-7154428">In conversation</a><time datetime="2024-09-12T01:47:43+09:00" title="Thursday, 12-Sep-2024 01:47:43 JST">about 2 months ago</time> <span>from <span><a href="https://infosec.exchange/@wdormann/113119934599938202" rel="external" title="Sent from infosec.exchange via ActivityPub">infosec.exchange</a></span></span><a href="https://infosec.exchange/@wdormann/113119934599938202">permalink</a><h4>Attachments</h4><ol><li><label><a rel="external" href="https://gnusocial.jp/attachment/3155222">Untitled attachment</a></label><br><a href="https://media.infosec.exchange/infosec.exchange/media_attachments/files/113/119/929/808/599/881/original/a9b582c66ba7f09e.png" rel="external">https://media.infosec.exchange/infosec.exchange/media_attachments/files/113/119/929/808/599/881/original/a9b582c66ba7f09e.png</a></li><li><article><header><div>Domain not in remote thumbnail source whitelist: github.githubassets.com</div><h5><a href="https://gist.github.com/wdormann/7379c4c4fb0631d8ec6a5b12d50ba782">YARA rule for detecting "path segment" variant of CVE-2024-38217 LNK stomping exploits</a></h5><div> from <span>wdormann</span></div></header><div>YARA rule for detecting "path segment" variant of CVE-2024-38217 LNK stomping exploits</div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Will Dormann (wdormann@infosec.exchange)'s status on Thursday, 12-Sep-2024 01:47:43 JST Will Dormann
in reply to
More than one month after Elastic Security Labs publicly described "LNK Stomping" (now CVE-2024-38217) exploit variants, the "path segment" variant has still zero detections on VirusTotal.
I slapped together a naive YARA rule that seems to work well to detect this variant of CVE-2024-38217 exploits:
https://gist.github.com/wdormann/7379c4c4fb0631d8ec6a5b12d50ba782
In conversationabout 2 months ago from infosec.exchangepermalink
Attachments
1. Untitled attachment
  https://media.infosec.exchange/infosec.exchange/media_attachments/files/113/119/929/808/599/881/original/a9b582c66ba7f09e.png
2. Domain not in remote thumbnail source whitelist: github.githubassets.com
  YARA rule for detecting "path segment" variant of CVE-2024-38217 LNK stomping exploits
  from wdormann
  YARA rule for detecting "path segment" variant of CVE-2024-38217 LNK stomping exploits

Public

Embed Notice

HTML Code

Corresponding Notice