PowerShell Caret Obfuscation Rule

yara/gen_powershell_obfuscation.yar

@@ -37,3 +37,16 @@ rule SUSP_Obfuscted_PowerShell_Code {
    condition:
       #s1 > 11 and #s2 > 10 and #s3 > 10
 }
+
+rule SUSP_PowerShell_Caret_Obfuscation_2 {
+   meta:
+      description = "Detects powershell keyword obfuscated with carets"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2019-07-20"
+   strings:
+      $r1 = /p[\^]?o[\^]?w[\^]?e[\^]?r[\^]?s[\^]?h[\^]?e[\^]?l\^l/ ascii wide nocase fullword
+      $r2 = /p\^o[\^]?w[\^]?e[\^]?r[\^]?s[\^]?h[\^]?e[\^]?l[\^]?l/ ascii wide nocase fullword
+   condition:
+      1 of them
+}