Suspicious PowerShell Code

2024-11-06 18:15:20 +00:00 · 2017-02-23 17:13:04 +01:00 · 2017-02-23 17:13:04 +01:00 · 8dc9ba46d5
commit 8dc9ba46d5
parent a4544d7c2a
1 changed files with 60 additions and 0 deletions
--- a/yara/gen_powershell_susp.yar
+++ b/yara/gen_powershell_susp.yar
@ -0,0 +1,60 @@
+/*
+   Yara Rule Set
+   Author: Florian Roth
+   Date: 2017-02-23
+   Identifier: Suspicious PowerShell Script Code
+*/
+
+/* Rule Set ----------------------------------------------------------------- */
+
+rule WordDoc_PowerShell_URLDownloadToFile {
+   meta:
+      description = "Detects Word Document with PowerShell URLDownloadToFile"
+      author = "Florian Roth"
+      reference = "https://www.arbornetworks.com/blog/asert/additional-insights-shamoon2/"
+      date = "2017-02-23"
+      super_rule = 1
+      hash1 = "33ee8a57e142e752a9c8960c4f38b5d3ff82bf17ec060e4114f5b15d22aa902e"
+      hash2 = "388b26e22f75a723ce69ad820b61dd8b75e260d3c61d74ff21d2073c56ea565d"
+      hash3 = "71e584e7e1fb3cf2689f549192fe3a82fd4cd8ee7c42c15d736ebad47b028087"
+   strings:
+      $w1 = "Microsoft Forms 2.0 CommandButton" fullword ascii
+      $w2 = "Microsoft Word 97-2003 Document" fullword ascii
+
+      $p1 = "powershell.exe" fullword ascii
+      $p2 = "URLDownloadToFile" fullword ascii
+   condition:
+      ( uint16(0) == 0xcfd0 and 1 of ($w*) and all of ($p*) )
+}
+
+rule Suspicious_PowerShell_Code_1 {
+   meta:
+      description = "Detects suspicious PowerShell code"
+      author = "Florian Roth"
+		score = 60
+      reference = "Internal Research"
+      date = "2017-02-22"
+   strings:
+      $s1 = /$[a-z]=new-object net.webclient/ ascii
+      $s2 = /$[a-z].DownloadFile("http:/ ascii
+      $s3 = /IEX $[a-zA-Z]{1,8}.downloadstring(["']http/ ascii nocase
+		$s4 = "powershell.exe -w hidden -ep bypass -Enc" ascii
+		$s5 = "-w hidden -noni -nop -c \"iex(New-Object" ascii
+		$s6 = "powershell.exe reg add HKCU\\software\\microsoft\\windows\\currentversion\\run" nocase
+   condition:
+      1 of them
+}
+
+rule Suspicious_PowerShell_WebDownload_1 {
+   meta:
+      description = "Detects suspicious PowerShell code that downloads from web sites"
+      author = "Florian Roth"
+		score = 60
+      reference = "Internal Research"
+      date = "2017-02-22"
+   strings:
+      $s1 = "System.Net.WebClient).DownloadString(\"http" ascii nocase
+		$s2 = "System.Net.WebClient).DownloadString('http" ascii nocase
+   condition:
+      1 of them
+}