An RTF document that carries embedded shellcode, typically as hex-encoded binary inside an embedded object, is a common initial-access lure: when a user opens it in a vulnerable viewer, attacker-controlled code runs on the endpoint. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify exploitation attempts early and contain the host before the foothold is used for lateral movement.
YARA Rule
rule RTF_Shellcode : maldoc
{
    meta:
        author = "RSA-IR – Jared Greenhill"
        date = "01/21/13"
        description = "identifies RTF's with potential shellcode"
        filetype = "RTF"
    strings:
        $rtfmagic = {7B 5C 72 74 66}      // the "{\rtf" header
        /* $scregex=/[39 30]{2,20}/ */     // earlier, looser attempt left commented out; not part of the condition
        $scregex = /(90){2,20}/            // 2 to 20 repetitions of the ASCII hex pair "90": RTF hex-encodes embedded binary, so a 0x90 (NOP) sled appears as text
    condition:
        ($rtfmagic at 0) and ($scregex)
}
This rule uses two string patterns in its detection logic: $rtfmagic, the "{\rtf" header anchored at offset 0, and $scregex, which matches two to twenty consecutive occurrences of the ASCII text "90", i.e. a hex-encoded run of 0x90 NOP bytes. The third pattern in the rule body is commented out and does not take part in the condition. Because the regex runs over the raw text, it is not aligned to hex byte boundaries, so a hex blob such as "a9090b" (bytes A9 09 0B) will also match. Note also that the exclusions listed below key on the creating process or file metadata, which a file-content rule cannot see; apply them in the pipeline that submits files to YARA (for example an EDR or file-scan feed that records the originating process).
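To make the rule's behaviour concrete, here is an added example (not code from the original page or from the rule's author) that re-implements the rule's logic in pure Python, so it runs without yara-python, and places a stricter nibble-aligned check beside it. The three RTF byte strings are constructed for this example and are not real malware; the assumption that any contiguous run of hex digits is encoded binary is a simplification of this example, a production parser would scope the decode to \objdata and \pict groups.

```python
import re

# Added example: pure-Python re-implementation of the RTF_Shellcode rule's
# logic, plus a stricter nibble-aligned variant. Sample inputs are constructed.

RTF_MAGIC = b"{\\rtf"                    # $rtfmagic = {7B 5C 72 74 66}
SC_REGEX = re.compile(rb"(90){2,20}")      # $scregex = /(90){2,20}/


def rtf_shellcode_rule(data: bytes) -> bool:
    """Mirror of the YARA condition: ($rtfmagic at 0) and ($scregex)."""
    return data.startswith(RTF_MAGIC) and SC_REGEX.search(data) is not None


# RTF stores embedded binary (OLE objects, pictures) as ASCII hex, so a NOP
# sled 90 90 90 appears as the text "909090". The rule's regex is not
# nibble-aligned: "a9090b" (bytes A9 09 0B, no 0x90 at all) also contains the
# substring "9090". The variant below decodes each contiguous hex run and looks
# for real 0x90 bytes. Assumption of this example, not part of the original
# rule: every run of hex digits is treated as encoded binary; a production
# parser should restrict this to \objdata / \pict groups.
HEX_RUN = re.compile(rb"[0-9A-Fa-f]{2,}")


def nop_sled_aligned(data: bytes, min_nops: int = 2) -> bool:
    """True if any hex run decodes to at least min_nops consecutive 0x90 bytes."""
    for m in HEX_RUN.finditer(data):
        run = m.group(0)
        if len(run) % 2:            # odd-length run: drop the dangling nibble
            run = run[:-1]
        if b"\x90" * min_nops in bytes.fromhex(run.decode("ascii")):
            return True
    return False


# Constructed samples: an \objdata group carrying a hex-encoded NOP sled, a
# plain benign document, and a benign OLE blob whose hex text happens to
# contain "9090" straddling a byte boundary.
SAMPLE_NOP_SLED = (
    b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata 01050000020000000b000000"
    + b"90" * 8 + b"cccc}}}"
)
SAMPLE_BENIGN = (
    b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}"
    b"\\f0\\fs24 Quarterly report 2019: revenue grew 9%.\\par}"
)
SAMPLE_MISALIGNED = b"{\\rtf1{\\*\\objdata 0105000002000000a9090b1c}}"


def scan(data: bytes) -> dict:
    """Run both checks and return their verdicts side by side."""
    return {
        "yara_rule": rtf_shellcode_rule(data),
        "aligned_nop_sled": nop_sled_aligned(data),
    }


if __name__ == "__main__":
    for name, sample in [("nop_sled", SAMPLE_NOP_SLED),
                         ("benign", SAMPLE_BENIGN),
                         ("misaligned", SAMPLE_MISALIGNED)]:
        print(name, scan(sample))
```

The third sample is the one worth keeping in mind when triaging hits: the original rule flags it, the aligned check does not. In practice the aligned variant still matches benign OLE payloads that genuinely contain padding or image bytes of 0x90, so treat either check as a hunting lead rather than a verdict.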
Scenario: A user is generating a legitimate RTF document in Microsoft Word that contains embedded OLE objects (for example an embedded spreadsheet or image). The object is hex-encoded in the file, and binary padding or image data can legitimately contain runs of 0x90 bytes, so this is the most common benign hit for the rule.
Filter/Exclusion: Exclude documents created by Microsoft Word (e.g., Word.Application or WINWORD.EXE) or use a filter based on the file's creation tool or metadata.
Scenario: A scheduled job runs a script that generates RTF files with embedded PowerShell scripts for automated reporting.
Filter/Exclusion: Exclude files generated by known scheduled tasks or scripts (e.g., schtasks.exe or Task Scheduler), or filter based on the presence of known benign PowerShell cmdlets in the RTF content.
Scenario: An administrator is using Microsoft Word Automation (e.g., through VBA or COM) to generate RTF files for internal documentation.
Filter/Exclusion: Exclude files created by processes associated with Microsoft Office (e.g., WINWORD.EXE, EXCEL.EXE) or filter based on the user account (e.g., admin accounts with known legitimate activity).
Scenario: A third-party tool like LibreOffice is used to generate RTF files with embedded OLE objects for compatibility with legacy systems.
Filter/Exclusion: Exclude files created by LibreOffice or other OLE-compatible applications, or filter based on the file’s content type or metadata.
Scenario: A system update or patch process generates temporary RTF files for logging or reporting purposes.
Filter/Exclusion: Exclude files created by system processes (e.g., svchost.exe hosting the wuauserv service) or filter based on the presence of temporary file naming patterns (e.g., temp_*.rtf).