signature-base/yara/gen_powershdll.yar

/*
   Yara Rule Set
   Author: Florian Roth
   Date: 2017-08-03
   Identifier: PowerShell Hacktools
   Reference: https://github.com/p3nt4/PowerShdll
*/

rule PowerShdll {
   meta:
      description = "Detects hack tool PowerShdll"
      author = "Florian Roth"
      reference = "https://github.com/p3nt4/PowerShdll"
      date = "2017-08-03"
      hash1 = "4d33bc7cfa79d7eefc5f7a99f1b052afdb84895a411d7c30045498fd4303898a"
      hash2 = "f999db9cc3a0719c19f35f0e760f4ce3377b31b756d8cd91bb8270acecd7be7d"
   strings:
      $x1 = "rundll32 PowerShdll,main -f <path>" fullword wide
      $x2 = "\\PowerShdll.dll" fullword ascii
      $x3 = "rundll32 PowerShdll,main <script>" fullword wide
   condition:
      1 of them
}
PowerShdll 2017-08-21 13:03:29 +00:00			`/*`
			`Yara Rule Set`
			`Author: Florian Roth`
			`Date: 2017-08-03`
			`Identifier: PowerShell Hacktools`
			`Reference: https://github.com/p3nt4/PowerShdll`
			`*/`

			`rule PowerShdll {`
			`meta:`
			`description = "Detects hack tool PowerShdll"`
			`author = "Florian Roth"`
			`reference = "https://github.com/p3nt4/PowerShdll"`
			`date = "2017-08-03"`
			`hash1 = "4d33bc7cfa79d7eefc5f7a99f1b052afdb84895a411d7c30045498fd4303898a"`
			`hash2 = "f999db9cc3a0719c19f35f0e760f4ce3377b31b756d8cd91bb8270acecd7be7d"`
			`strings:`
			`$x1 = "rundll32 PowerShdll,main -f <path>" fullword wide`
			`$x2 = "\\PowerShdll.dll" fullword ascii`
			`$x3 = "rundll32 PowerShdll,main <script>" fullword wide`
			`condition:`
			`1 of them`
			`}`