From f44c9b9fcbb1fb31620de2bcf7c14e1e2c7b8561 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 3 Oct 2017 19:36:54 +0200
Subject: [PATCH] PowerShell improved casing anomaly rule, WScript anomaly rule

---
 yara/gen_case_anomalies.yar | 30 ++++++++++++++++++++++++------
 1 file changed, 24 insertions(+), 6 deletions(-)

diff --git a/yara/gen_case_anomalies.yar b/yara/gen_case_anomalies.yar
index d91a96f..d01e6dc 100644
--- a/yara/gen_case_anomalies.yar
+++ b/yara/gen_case_anomalies.yar
@@ -14,14 +14,12 @@ rule PowerShell_Case_Anomaly {
       author = "Florian Roth"
       reference = "https://twitter.com/danielhbohannon/status/905096106924761088"
       date = "2017-08-11"
+      score = 70
    strings:
       // first detect 'powershell' keyword case insensitive
-      $s1 = "powershell" fullword nocase ascii wide
+      $s1 = "powershell" fullword nocase ascii
       // define the normal cases
-      $sn1 = "powershell" fullword ascii wide
-      $sn2 = "Powershell" fullword ascii wide
-      $sn3 = "PowerShell" fullword ascii wide
-      $sn4 = "POWERSHELL" fullword ascii wide
+      $sn1 = /(powershell|Powershell|PowerShell|POWERSHELL|powerShell)/ fullword ascii
       // adding a keyword with a sufficent length and relevancy
       $k1 = "-noprofile" fullword nocase ascii wide
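Review bot: Dropping `wide` from both `$s1` and `$sn1` means UTF-16 content — PowerShell scripts saved by Windows tools, event-log or registry exports — is no longer examined by this rule at all, and nothing in the hunk says that was the intent. Since the condition now compares `#s1` against `#sn1`, the two strings only need matching modifiers, so `$s1 = "powershell" fullword nocase ascii wide` and `$sn1 = /(powershell|Powershell|PowerShell|POWERSHELL|powerShell)/ fullword ascii wide` would keep the counts comparable while restoring UTF-16 coverage. If the removal was deliberate (for example to keep the regex scan cheap), a comment such as `// ascii only: keep $s1/$sn1 modifiers identical for the count comparison` would stop the next editor from re-adding `wide` to only one of them. The condition and the `$kn*` strings this hunk's `$k1` pairs with are outside the hunk.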
@@ -33,7 +31,27 @@ rule PowerShell_Case_Anomaly {
    condition:
       filesize < 800KB and
       // find all 'powershell' occurances and ignore the expected cases
-      ( ( $s1 and not 1 of ($sn*) ) or
+      ( ( #s1 < 3 and #s1 > #sn1 ) or
       // find all '-norpofile' occurances and ignore the expected cases
       ( $k1 and not 1 of ($kn*) ) )
+}
+
+rule WScriptShell_Case_Anomaly {
+   meta:
+      description = "Detects obfuscated wscript.shell commands"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-09-11"
+      score = 60
+   strings:
+      // first detect powershell keyword case insensitive
+      $s1 = "WScript.Shell\").Run" nocase ascii wide
+      // define the normal cases
+      $sn1 = "WScript.Shell\").Run" ascii wide
+      $sn2 = "wscript.shell\").run" ascii wide
+      $sn3 = "WSCRIPT.SHELL\").RUN" ascii wide
+      $sn4 = "Wscript.Shell\").Run" ascii wide
+   condition:
+      filesize < 800KB and
+      ( $s1 and not 1 of ($sn*) )
 }
\ No newline at end of file
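Review bot: The new `WScriptShell_Case_Anomaly` condition `$s1 and not 1 of ($sn*)` keeps the weakness this same commit removes from the PowerShell rule: one normally cased `WScript.Shell").Run` anywhere in the file suppresses detection of any number of anomalously cased ones beside it, which is exactly what an obfuscated script padded with a benign-looking call would exploit. Counting the same way as the PowerShell change, `( #s1 > (#sn1 + #sn2 + #sn3 + #sn4) )`, keeps the two rules consistent. VBScript is case-insensitive and COM resolves the ProgID string without regard to case, so benign human-typed variants missing from `$sn*` (e.g. `WScript.Shell").run`) will also trigger this rule — worth stating in `description` or a comment — and the copied comment `// first detect powershell keyword case insensitive` should read `// first detect 'WScript.Shell").Run' case insensitive`. In the PowerShell condition, the new cap `#s1 < 3` means a file with three or more `powershell` occurrences can never match no matter how many are anomalous; if the cap is a false-positive measure it deserves a comment, otherwise `#s1 > #sn1` alone is the intended test.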