signature-base/yara/gen_powershell_obfuscation.yar

/*
   Yara Rule Set
   Author: Florian Roth
   Date: 2017-06-22
   Identifier: ISESteroids
   Reference: https://twitter.com/danielhbohannon/status/877953970437844993
*/

/* Rule Set ----------------------------------------------------------------- */

rule PowerShell_ISESteroids_Obfuscation {
   meta:
      description = "Detects PowerShell ISESteroids obfuscation"
      author = "Florian Roth"
      reference = "https://twitter.com/danielhbohannon/status/877953970437844993"
      date = "2017-06-23"
   strings:
      $x1 = "/\\/===\\__" ascii
      $x2 = "${__/\\/==" ascii
      $x3 = "Catch { }" fullword ascii
      $x4 = "\\_/=} ${_" ascii
   condition:
      2 of them
}
PowerShell Obfuscation - 1st rule for LOKI 2017-06-23 09:29:56 +00:00			`/*`
			`Yara Rule Set`
			`Author: Florian Roth`
			`Date: 2017-06-22`
			`Identifier: ISESteroids`
			`Reference: https://twitter.com/danielhbohannon/status/877953970437844993`
			`*/`

			`/* Rule Set ----------------------------------------------------------------- */`

			`rule PowerShell_ISESteroids_Obfuscation {`
			`meta:`
			`description = "Detects PowerShell ISESteroids obfuscation"`
			`author = "Florian Roth"`
			`reference = "https://twitter.com/danielhbohannon/status/877953970437844993"`
			`date = "2017-06-23"`
			`strings:`
			`$x1 = "/\\/===\\__" ascii`
			`$x2 = "${__/\\/==" ascii`
			`$x3 = "Catch { }" fullword ascii`
			`$x4 = "\\_/=} ${_" ascii`
			`condition:`
			`2 of them`
			`}`