2017-06-23 09:29:56 +00:00
|
|
|
/*
|
|
|
|
|
Yara Rule Set
|
|
|
|
|
Author: Florian Roth
|
|
|
|
|
Date: 2017-06-22
|
|
|
|
|
Identifier: ISESteroids
|
|
|
|
|
Reference: https://twitter.com/danielhbohannon/status/877953970437844993
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/* Rule Set ----------------------------------------------------------------- */
|
|
|
|
|
|
|
|
|
|
rule PowerShell_ISESteroids_Obfuscation {
|
|
|
|
|
meta:
|
|
|
|
|
description = "Detects PowerShell ISESteroids obfuscation"
|
2018-08-26 10:47:41 +00:00
|
|
|
license = "https://creativecommons.org/licenses/by-nc/4.0/"
|
2017-06-23 09:29:56 +00:00
|
|
|
author = "Florian Roth"
|
|
|
|
|
reference = "https://twitter.com/danielhbohannon/status/877953970437844993"
|
|
|
|
|
date = "2017-06-23"
|
|
|
|
|
strings:
|
|
|
|
|
$x1 = "/\\/===\\__" ascii
|
|
|
|
|
$x2 = "${__/\\/==" ascii
|
|
|
|
|
$x3 = "Catch { }" fullword ascii
|
|
|
|
|
$x4 = "\\_/=} ${_" ascii
|
|
|
|
|
condition:
|
|
|
|
|
2 of them
|
|
|
|
|
}
|
2018-12-13 13:25:01 +00:00
|
|
|
|
|
|
|
|
rule SUSP_Obfuscted_PowerShell_Code {
|
|
|
|
|
meta:
|
|
|
|
|
description = "Detects obfuscated PowerShell Code"
|
|
|
|
|
date = "2018-12-13"
|
|
|
|
|
author = "Florian Roth"
|
|
|
|
|
reference = "https://twitter.com/silv0123/status/1073072691584880640"
|
|
|
|
|
strings:
|
|
|
|
|
$s1 = "').Invoke(" ascii
|
|
|
|
|
$s2 = "(\"{1}{0}\"" ascii
|
|
|
|
|
$s3 = "{0}\" -f" ascii
|
|
|
|
|
condition:
|
|
|
|
|
#s1 > 11 and #s2 > 10 and #s3 > 10
|
|
|
|
|
}
|
