/* This is an extract from THOR's anomaly detection rule set */
/*
Yara Rule Set
Author: Florian Roth
Date: 2017-08-11
Identifier: PowerShell Anomalies
Reference: https://twitter.com/danielhbohannon/status/905096106924761088
*/
rule PowerShell_Case_Anomaly {
   meta:
      description = "Detects obfuscated PowerShell hacktools"
      author = "Florian Roth"
      reference = "https://twitter.com/danielhbohannon/status/905096106924761088"
      date = "2017-08-11"
      score = 70
   strings:
      // Trigger: the 'powershell' keyword in any casing. 'fullword' requires the
      // keyword to be delimited by non-alphanumeric characters on both sides.
      $s1 = "powershell" fullword nocase ascii wide

      // Expected casings folded into one regex; #sr1 counts them so the
      // condition can compare that count against the case-insensitive #s1
      $sr1 = /(powershell|Powershell|PowerShell|POWERSHELL|powerShell)/ fullword ascii wide

      // The same expected casings as individual strings, used by the
      // 'not 1 of ($sn*)' suppression in the condition
      $sn1 = "powershell" fullword ascii wide
      $sn2 = "Powershell" fullword ascii wide
      $sn3 = "PowerShell" fullword ascii wide
      $sn4 = "POWERSHELL" fullword ascii wide
      $sn5 = "powerShell" fullword ascii wide

      // PowerShell with \x19\x00\x00
      // Trigger: the tail of 'powershell -e ' (encoded-command switch) in any
      // casing; no 'fullword' here, so the leading 'po' may be anything
      $a1 = "wershell -e " nocase wide ascii

      // Expected casings of that fragment. NOTE(review): no all-uppercase
      // variant is listed, so an occurrence like 'POWERSHELL -E ' satisfies
      // $a1 without matching any $an* and fires this clause — confirm intended
      $an1 = "wershell -e " wide ascii
      $an2 = "werShell -e " wide ascii

      // Trigger: a keyword with sufficient length and relevancy, in any casing
      $k1 = "-noprofile" fullword nocase ascii wide

      // Expected casings of that keyword. NOTE(review): unlike $k1 these carry
      // no 'fullword', so '-NoProfile' immediately followed by a word
      // character also suppresses the clause — confirm whether that is intended
      $kn1 = "-noprofile" ascii wide
      $kn2 = "-NoProfile" ascii wide
      $kn3 = "-noProfile" ascii wide
      $kn4 = "-NOPROFILE" ascii wide
      $kn5 = "-Noprofile" ascii wide
   condition:
      filesize < 800KB and (
         // Fewer than three 'powershell' occurrences, at least one of them in
         // an expected casing, and more case-insensitive hits than expected-
         // cased hits: at least one occurrence uses an unexpected casing.
         // This is the only clause that catches files mixing expected and
         // unexpected casings, since the '1 of' clauses below are per file.
         ( #s1 < 3 and #sr1 > 0 and #s1 > #sr1 ) or
         // 'powershell' occurs, but never in one of the expected casings
         ( $s1 and not 1 of ($sn*) ) or
         // '...wershell -e ' occurs, but never in one of the expected casings
         ( $a1 and not 1 of ($an*) ) or
         // '-noprofile' occurs, but never in one of the expected casings
         ( $k1 and not 1 of ($kn*) )
      )
}
rule WScriptShell_Case_Anomaly {
   meta:
      description = "Detects obfuscated wscript.shell commands"
      author = "Florian Roth"
      reference = "Internal Research"
      date = "2017-09-11"
      score = 60
   strings:
      // Trigger: the 'WScript.Shell").Run' fragment in any casing
      $s1 = "WScript.Shell\").Run" nocase ascii wide

      // Expected casings; any one of them present in the file suppresses the rule
      $sn1 = "WScript.Shell\").Run" ascii wide
      $sn2 = "wscript.shell\").run" ascii wide
      $sn3 = "WSCRIPT.SHELL\").RUN" ascii wide
      $sn4 = "Wscript.Shell\").Run" ascii wide
      // NOTE(review): $sn5 is byte-identical to $sn1 and therefore adds no
      // coverage; presumably another casing variant was intended — confirm
      $sn5 = "WScript.Shell\").Run" ascii wide
      $sn6 = "WScript.shell\").Run" ascii wide
   condition:
      // The fragment occurs, but never in one of the expected casings.
      // Evaluated per file: a single expected-cased occurrence suppresses
      // the rule even if other occurrences are oddly cased.
      filesize < 800KB and
      ( $s1 and not 1 of ($sn*) )
}