{"id":2772,"date":"2018-01-22T20:58:18","date_gmt":"2018-01-22T19:58:18","guid":{"rendered":"http:\/\/nextron.bsk-consulting.de\/?p=2772"},"modified":"2022-10-04T18:10:22","modified_gmt":"2022-10-04T16:10:22","slug":"write-yara-rules-detect-embedded-exe-files-ole-objects","status":"publish","type":"post","link":"https:\/\/www.nextron-systems.com\/2018\/01\/22\/write-yara-rules-detect-embedded-exe-files-ole-objects\/","title":{"rendered":"Write YARA Rules to Detect Embedded EXE Files in OLE Objects"},"content":{"rendered":"

[et_pb_section fb_built=”1″ admin_label=”section” _builder_version=”4.16″ global_colors_info=”{}” da_is_popup=”off” da_exit_intent=”off” da_has_close=”on” da_alt_close=”off” da_dark_close=”off” da_not_modal=”on” da_is_singular=”off” da_with_loader=”off” da_has_shadow=”on” da_disable_devices=”off|off|off”][et_pb_row admin_label=”row” _builder_version=”4.16″ background_size=”initial” background_position=”top_left” background_repeat=”repeat” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.16″ custom_padding=”|||” global_colors_info=”{}” custom_padding__hover=”|||”][et_pb_text admin_label=”Text” _builder_version=”4.18.0″ background_size=”initial” background_position=”top_left” background_repeat=”repeat” hover_enabled=”0″ global_colors_info=”{}” sticky_enabled=”0″]This is the first blog post published on our new website. If you followed my blog on www.bsk-consulting.de<\/a> you should consider subscribing to the RSS feed<\/a> of this blog or the “Nextron Systems Newsletter”.<\/p>\n

This is one of the YARA related blog posts showcasing a special use case. Last year I noticed that I wrote many rules for hex encoded strings found in OLE objects embedded in MS Office documents and RTF files.<\/p>\n

\"\"<\/p>\n

I did most of the encoding and decoding work on the command line or with the help of CyberChef<\/a>, an online tool provided by GCHQ. I also thought about a new YARA keyword <\/a>that would allow us to write rules without encoding the strings.<\/p>\n

Today, rules contain strings in a hex encoded form. I usually add the decoded string as a comment.<\/p>\n

\n$s1 = \"68007400740070003a002f002f00\" \/* http:\/\/ *\/\n<\/pre>\n
Rules with the new keyword would look like this:<\/p>\n
\n$s1 = \"http:\/\/\" wide hex\n<\/pre>\n
Neat, isn’t it? I already forwarded that feature request to Wesley Shields (@wxs<\/a>) but it seems to be no low hanging fruit. I’ll keep you informed about this feature via Twitter.<\/p>\n
A tweet<\/a> by Kevin Beaumont reminded me of the work that I’ve done and while looking at the tool<\/a> by Rich Warren. I thought that I should create a illustrative example of a more generic YARA rule that explains why the “hex” keyword would be very useful.<\/p>\n
\"\"<\/p>\n
The tool creates weaponized RTF files with hex encoded payloads<\/a>.<\/p>\n
\"\"<\/p>\n
I derived some strings for a new rule from the decoded object.<\/p>\n
\n\/* Hex encoded strings *\/\n\/* This program cannot be run in DOS mode *\/\n$a1 = \"546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f6465\" ascii\n\/* C:fakepath *\/\n$a2 = \"433a5c66616b65706174685c\" ascii\n<\/pre>\n
To further improve the rule I went to my goodware directory and ran the following command to generate a list of the most frequent PE file headers in a hex encoded form.<\/p>\n
\nneo$ find .\/ -type f -name \"*.exe\" -exec xxd -ps -l 14 {} ; | sort | uniq -c | sort -k 1 | tail -10\n4 4d5a87000300000020000000ffff\n4 4d5aae010300000020000000ffff\n4 4d5abf000300000020000000ffff\n4 4d5add000300000020000000ffff\n4 4d5aeb000300000020000000ffff\n6 213c73796d6c696e6b3e2f757372\n8 4d5a72010200000020001700ffff\n88 4d5a40000100000006000000ffff\n116 4d5a50000200000004000f00ffff\n5852 4d5a90000300000004000000ffff\n<\/pre>\n
Then I used these hex encoded strings in a YARA rule that looks for these strings in the OLE objects of an RTF file. <\/p>\n
\nrule MAL_RTF_Embedded_OLE_PE {\n   meta:\n      description = \"Detects a suspicious string often used in PE files in a hex encoded object stream\"\n      author = \"Florian Roth\"\n      reference = \"https:\/\/github.com\/rxwx\/CVE-2018-0802\/blob\/master\/packager_exec_CVE-2018-0802.py\"\n      date = \"2018-01-22\"\n   strings:\n      \/* Hex encoded strings *\/\n      \/* This program cannot be run in DOS mode *\/\n      $a1 = \"546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f6465\" ascii\n      \/* KERNEL32.dll *\/\n      $a2 = \"4b45524e454c33322e646c6c\" ascii\n      \/* C:fakepath *\/\n      $a3 = \"433a5c66616b65706174685c\" ascii\n      \/* DOS Magic Header *\/\n      $m3 = \"4d5a40000100000006000000ffff\"\n      $m2 = \"4d5a50000200000004000f00ffff\"\n      $m1 = \"4d5a90000300000004000000ffff\"\n   condition:\n      uint32be(0) == 0x7B5C7274 \/* RTF *\/\n      and 1 of them\n}\n<\/pre>\n
The first analysis of the coverage looks pretty good. I see only clear matches in munin<\/a>‘s output.<\/p>\n
\"\"<\/p>\n
The few questionable matches<\/a> look fishy enough to release my rule. <\/p>\n
\"\"<\/p>\n
\"\"<\/p>\n
If you have further ideas to improve the rule, ping me via Twitter<\/a>.[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"
This is the first blog post published on our new website. If you followed my blog on www.bsk-consulting.de you should consider subscribing to the RSS feed of this blog or the “Nextron Systems Newsletter”. This is one of the YARA related blog posts showcasing a special use case. Last year I noticed that I wrote many rules for hex encoded strings found in OLE objects embedded in MS Office documents and RTF files. I did most of the encoding and decoding work on the command line or with the help of CyberChef, an online tool provided by GCHQ. I also thought about a new YARA keyword that would allow us to write rules without encoding the strings. Today, rules contain strings in a hex encoded form. I usually add the decoded string as a comment. $s1 = “68007400740070003a002f002f00” \/* http:\/\/ *\/ Rules with the new keyword would look like this: $s1 = “http:\/\/” wide hex Neat, isn’t it? I already forwarded that feature request to Wesley Shields (@wxs) but it seems to be no low hanging fruit. I’ll keep you informed about this feature via Twitter. A tweet by Kevin Beaumont reminded me of the work that I’ve done and […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"This is the first blog post published on our new website. If you followed my blog on www.bsk-consulting.de<\/a> you should consider subscribing to the RSS feed<\/a> of this blog or the \"Nextron Systems Newsletter\".\r\n\r\nThis is one of the YARA related blog posts showcasing a special use case. Last year I noticed that I wrote many rules for hex encoded strings found in OLE objects embedded in MS Office documents and RTF files.\r\n\r\n\"\"<\/a>\r\n\r\nI did most of the encoding and decoding work on the command line or with the help of CyberChef<\/a>, an online tool provided by GCHQ. I also thought about a new YARA keyword <\/a>that would allow us to write rules without encoding the strings.\r\n\r\nToday, rules contain strings in a hex encoded form. I usually add the decoded string as a comment.\r\n\r\n[cc lang=\"javascript\"]\r\n$s1 = \"68007400740070003a002f002f00\" \/* http:\/\/ *\/\r\n[\/cc]\r\n\r\nRules with the new keyword would look like this:\r\n\r\n[cc lang=\"javascript\"]\r\n$s1 = \"http:\/\/\" wide hex\r\n[\/cc]\r\n\r\nNeat, isn't it? I already forwarded that feature request to Wesley Shields (@wxs<\/a>) but it seems to be no low hanging fruit. I'll keep you informed about this feature via Twitter.\r\n\r\nA tweet<\/a> by Kevin Beaumont reminded me of the work that I've done and while looking at the tool<\/a> by Rich Warren. I thought that I should create a illustrative example of a more generic YARA rule that explains why the \"hex\" keyword would be very useful.\r\n\r\n\"\"<\/a>\r\n\r\nThe tool creates weaponized RTF files with hex encoded payloads<\/a>.\r\n\r\n\"\"<\/a>\r\n\r\nI derived some strings for a new rule from the decoded object.\r\n\r\n[cc lang=\"javascript\"]\r\n\/* Hex encoded strings *\/\r\n\/* This program cannot be run in DOS mode *\/\r\n$a1 = \"546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f6465\" ascii\r\n\/* C:fakepath *\/\r\n$a2 = \"433a5c66616b65706174685c\" ascii\r\n[\/cc]\r\n\r\nTo further improve the rule I went to my goodware directory and ran the following command to generate a list of the most frequent PE file headers in a hex encoded form.\r\n\r\n[cc lang=\"bash\"]\r\nneo$ find .\/ -type f -name \"*.exe\" -exec xxd -ps -l 14 {} ; | sort | uniq -c | sort -k 1 | tail -10\r\n4 4d5a87000300000020000000ffff\r\n4 4d5aae010300000020000000ffff\r\n4 4d5abf000300000020000000ffff\r\n4 4d5add000300000020000000ffff\r\n4 4d5aeb000300000020000000ffff\r\n6 213c73796d6c696e6b3e2f757372\r\n8 4d5a72010200000020001700ffff\r\n88 4d5a40000100000006000000ffff\r\n116 4d5a50000200000004000f00ffff\r\n5852 4d5a90000300000004000000ffff\r\n[\/cc]\r\n\r\nThen I used these hex encoded strings in a YARA rule that looks for these strings in the OLE objects of an RTF file. \r\n\r\n[cc lang=\"javascript\"]\r\nrule MAL_RTF_Embedded_OLE_PE {\r\n   meta:\r\n      description = \"Detects a suspicious string often used in PE files in a hex encoded object stream\"\r\n      author = \"Florian Roth\"\r\n      reference = \"https:\/\/github.com\/rxwx\/CVE-2018-0802\/blob\/master\/packager_exec_CVE-2018-0802.py\"\r\n      date = \"2018-01-22\"\r\n   strings:\r\n      \/* Hex encoded strings *\/\r\n      \/* This program cannot be run in DOS mode *\/\r\n      $a1 = \"546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f6465\" ascii\r\n      \/* KERNEL32.dll *\/\r\n      $a2 = \"4b45524e454c33322e646c6c\" ascii\r\n      \/* C:fakepath *\/\r\n      $a3 = \"433a5c66616b65706174685c\" ascii\r\n      \/* DOS Magic Header *\/\r\n      $m3 = \"4d5a40000100000006000000ffff\"\r\n      $m2 = \"4d5a50000200000004000f00ffff\"\r\n      $m1 = \"4d5a90000300000004000000ffff\"\r\n   condition:\r\n      uint32be(0) == 0x7B5C7274 \/* RTF *\/\r\n      and 1 of them\r\n}\r\n[\/cc]\r\n\r\nThe first analysis of the coverage looks pretty good. I see only clear matches in munin<\/a>'s output.\r\n\r\n\"\"<\/a>\r\n\r\nThe few questionable matches<\/a> look fishy enough to release my rule. \r\n\r\n\"\"<\/a>\r\n\r\n\"\"<\/a>\r\n\r\nIf you have further ideas to improve the rule, ping me via Twitter<\/a>.","_et_gb_content_width":"","footnotes":""},"categories":[34,33,32,47],"tags":[54,51,53,52,49,50,55,48],"class_list":["post-2772","post","type-post","status-publish","format-standard","hentry","category-loki","category-spark","category-thor","category-yara","tag-dropper","tag-exploit","tag-hex","tag-office","tag-ole","tag-rtf","tag-signature","tag-yara"],"yoast_head":"\nWrite YARA Rules to Detect Embedded EXE Files in OLE Objects - Nextron Systems<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.nextron-systems.com\/2018\/01\/22\/write-yara-rules-detect-embedded-exe-files-ole-objects\/\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.nextron-systems.com\/2018\/01\/22\/write-yara-rules-detect-embedded-exe-files-ole-objects\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2018\/01\/22\/write-yara-rules-detect-embedded-exe-files-ole-objects\/\"},\"author\":{\"name\":\"Florian Roth\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919\"},\"headline\":\"Write YARA Rules to Detect Embedded EXE Files in OLE Objects\",\"datePublished\":\"2018-01-22T19:58:18+00:00\",\"dateModified\":\"2022-10-04T16:10:22+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2018\/01\/22\/write-yara-rules-detect-embedded-exe-files-ole-objects\/\"},\"wordCount\":485,\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"keywords\":[\"Dropper\",\"Exploit\",\"Hex\",\"Office\",\"OLE\",\"RTF\",\"signature\",\"YARA\"],\"articleSection\":[\"LOKI\",\"SPARK\",\"THOR\",\"YARA\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.nextron-systems.com\/2018\/01\/22\/write-yara-rules-detect-embedded-exe-files-ole-objects\/\",\"url\":\"https:\/\/www.nextron-systems.com\/2018\/01\/22\/write-yara-rules-detect-embedded-exe-files-ole-objects\/\",\"name\":\"Write YARA Rules to Detect Embedded EXE Files in OLE Objects - Nextron Systems\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#website\"},\"datePublished\":\"2018-01-22T19:58:18+00:00\",\"dateModified\":\"2022-10-04T16:10:22+00:00\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.nextron-systems.com\/2018\/01\/22\/write-yara-rules-detect-embedded-exe-files-ole-objects\/\"]}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.nextron-systems.com\/#website\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"name\":\"Nextron Systems\",\"description\":\"We Detect Hackers\",\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.nextron-systems.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\",\"name\":\"Nextron Systems GmbH\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"contentUrl\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"width\":260,\"height\":260,\"caption\":\"Nextron Systems GmbH\"},\"image\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919\",\"name\":\"Florian Roth\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g\",\"caption\":\"Florian Roth\"},\"description\":\"Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.\",\"url\":\"https:\/\/www.nextron-systems.com\/author\/florian\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Write YARA Rules to Detect Embedded EXE Files in OLE Objects - Nextron Systems","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.nextron-systems.com\/2018\/01\/22\/write-yara-rules-detect-embedded-exe-files-ole-objects\/","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.nextron-systems.com\/2018\/01\/22\/write-yara-rules-detect-embedded-exe-files-ole-objects\/#article","isPartOf":{"@id":"https:\/\/www.nextron-systems.com\/2018\/01\/22\/write-yara-rules-detect-embedded-exe-files-ole-objects\/"},"author":{"name":"Florian Roth","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919"},"headline":"Write YARA Rules to Detect Embedded EXE Files in OLE Objects","datePublished":"2018-01-22T19:58:18+00:00","dateModified":"2022-10-04T16:10:22+00:00","mainEntityOfPage":{"@id":"https:\/\/www.nextron-systems.com\/2018\/01\/22\/write-yara-rules-detect-embedded-exe-files-ole-objects\/"},"wordCount":485,"publisher":{"@id":"https:\/\/www.nextron-systems.com\/#organization"},"keywords":["Dropper","Exploit","Hex","Office","OLE","RTF","signature","YARA"],"articleSection":["LOKI","SPARK","THOR","YARA"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.nextron-systems.com\/2018\/01\/22\/write-yara-rules-detect-embedded-exe-files-ole-objects\/","url":"https:\/\/www.nextron-systems.com\/2018\/01\/22\/write-yara-rules-detect-embedded-exe-files-ole-objects\/","name":"Write YARA Rules to Detect Embedded EXE Files in OLE Objects - Nextron Systems","isPartOf":{"@id":"https:\/\/www.nextron-systems.com\/#website"},"datePublished":"2018-01-22T19:58:18+00:00","dateModified":"2022-10-04T16:10:22+00:00","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.nextron-systems.com\/2018\/01\/22\/write-yara-rules-detect-embedded-exe-files-ole-objects\/"]}]},{"@type":"WebSite","@id":"https:\/\/www.nextron-systems.com\/#website","url":"https:\/\/www.nextron-systems.com\/","name":"Nextron Systems","description":"We Detect Hackers","publisher":{"@id":"https:\/\/www.nextron-systems.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.nextron-systems.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.nextron-systems.com\/#organization","name":"Nextron Systems GmbH","url":"https:\/\/www.nextron-systems.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png","contentUrl":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png","width":260,"height":260,"caption":"Nextron Systems GmbH"},"image":{"@id":"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919","name":"Florian Roth","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g","caption":"Florian Roth"},"description":"Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.","url":"https:\/\/www.nextron-systems.com\/author\/florian\/"}]}},"_links":{"self":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/2772","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/comments?post=2772"}],"version-history":[{"count":29,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/2772\/revisions"}],"predecessor-version":[{"id":14688,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/2772\/revisions\/14688"}],"wp:attachment":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/media?parent=2772"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/categories?post=2772"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/tags?post=2772"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}