2017-03-12 16:06:18 +00:00
|
|
|
|
|
|
|
|
rule PowerShell_Susp_Parameter_Combo {
|
|
|
|
|
meta:
|
|
|
|
|
description = "Detects PowerShell invocation with suspicious parameters"
|
|
|
|
|
author = "Florian Roth"
|
|
|
|
|
reference = "https://goo.gl/uAic1X"
|
|
|
|
|
date = "2017-03-12"
|
|
|
|
|
score = 60
|
2017-10-18 19:58:57 +00:00
|
|
|
type = "file"
|
2017-03-12 16:06:18 +00:00
|
|
|
strings:
|
|
|
|
|
/* Encoded Command */
|
2019-01-17 12:18:07 +00:00
|
|
|
$sa1 = " -enc " ascii nocase
|
|
|
|
|
$sa2 = " -EncodedCommand " ascii nocase
|
2017-03-12 16:06:18 +00:00
|
|
|
|
|
|
|
|
/* Window Hidden */
|
2019-01-17 12:18:07 +00:00
|
|
|
$sb1 = " -w hidden " ascii nocase
|
|
|
|
|
$sb2 = " -window hidden " ascii nocase
|
|
|
|
|
$sb3 = " -windowstyle hidden " ascii nocase
|
2017-03-12 16:06:18 +00:00
|
|
|
|
|
|
|
|
/* Non Profile */
|
2019-01-17 12:18:07 +00:00
|
|
|
$sc1 = " -nop " ascii nocase
|
|
|
|
|
$sc2 = " -noprofile " ascii nocase
|
2017-03-12 16:06:18 +00:00
|
|
|
|
|
|
|
|
/* Non Interactive */
|
2019-01-17 12:18:07 +00:00
|
|
|
$sd1 = " -noni " ascii nocase
|
|
|
|
|
$sd2 = " -noninteractive " ascii nocase
|
2017-03-12 16:06:18 +00:00
|
|
|
|
|
|
|
|
/* Exec Bypass */
|
2019-01-17 12:18:07 +00:00
|
|
|
$se1 = " -ep bypass " ascii nocase
|
|
|
|
|
$se2 = " -exec bypass " ascii nocase
|
|
|
|
|
$se3 = " -executionpolicy bypass " ascii nocase
|
|
|
|
|
$se4 = " -exec bypass " ascii nocase
|
2017-03-12 16:06:18 +00:00
|
|
|
|
|
|
|
|
/* Single Threaded - PowerShell Empire */
|
2019-01-17 12:18:07 +00:00
|
|
|
$sf1 = " -sta " ascii
|
|
|
|
|
|
2019-01-17 12:12:27 +00:00
|
|
|
$fp1 = "Chocolatey Software"
|
|
|
|
|
$fp2 = "VBOX_MSI_INSTALL_PATH"
|
2017-03-12 16:06:18 +00:00
|
|
|
condition:
|
2019-01-17 12:12:27 +00:00
|
|
|
filesize < 3000KB and 4 of ($s*) and not 1 of ($fp*)
|
2017-03-12 16:06:18 +00:00
|
|
|
}
|
