Canarytoken'ed Word .docx yara rule

README.md

Remember to unzip the .docx first, or use scan.sh.

Compile the yara rule for scan.sh to work yarac canarytoken.yar canarytoken

canarytoken.yar

rule canarytokendomain
{
  meta:
    description = "Canarytoken Domain"
    author = "@singe"

  strings:
    $a = /https??:\/\/canarytokens.com\//

  condition:
    $a
}

rule remoteimage_field
{
  meta:
    description = "Canarytokened Docx - Remote include via field"
    author = "@singe"

  strings:
    $a = /INCLUDEPICTURE +?"https??:\/\/.{1,200}?" +?\\d/
    $b = /INCLUDEPICTURE +?\\d +?"https??:\/\/.{1,200}?"/

  condition:
    any of them
}

rule remoteimage_rels
{
  meta:
    description = "Canarytokened Docx - remote include via relationship"
    author = "@singe"

  strings:
    $a = /<Relationship [^>]*?Type="[^"]*?\/image"[^>]*?Target="https??:\/\/[^"]*?"/

  condition:
    $a
}

scan.sh

#!/bin/bash

compiled_rule="canarytoken"

red="\033[31m"
green="\033[32m"
bold="\033[1;97m"
reset="\033[0m"

echo -e "$bold[+] Scanning: $@ $reset"

if [[ ! -f "$@" ]]; then
  echo -e "$bold[*] File not found, or not a file$reset"
  exit 2
fi

check_zip=$(xxd -l4 -ps "$@")
if [[ "$check_zip" != "504b0304" ]]; then
  echo -e "$bold[*] Not a ZIP file, is it a .docx?$reset"
  exit 2
fi

tmpdir=$(mktemp -d)
unzip "$@" -d $tmpdir >/dev/null && \
  out=$(yara -mDsLrC $compiled_rule $tmpdir)

if [[ "$out" == "" ]]; then
  echo -e "$green[-] Not tokened$reset"
  ret=0
else
  echo "$out"
  echo -e "$red[x] Canary token found$reset"
  ret=1
fi

rm -rf $tmpdir
exit $ret