mirror of
https://github.com/valitydev/signature-base.git
synced 2024-11-07 02:25:19 +00:00
45 lines
1.3 KiB
Plaintext
45 lines
1.3 KiB
Plaintext
|
|
/* Various rules - see the references */
|
|
|
|
rule PS_AMSI_Bypass {
|
|
meta:
|
|
description = "Detects PowerShell AMSI Bypass"
|
|
author = "Florian Roth"
|
|
reference = "https://gist.github.com/mattifestation/46d6a2ebb4a1f4f0e7229503dc012ef1"
|
|
date = "2017-07-19"
|
|
score = 70
|
|
strings:
|
|
$s1 = ".GetField('amsiContext',[Reflection.BindingFlags]'NonPublic,Static')." ascii nocase
|
|
condition:
|
|
1 of them
|
|
}
|
|
|
|
rule JS_Suspicious_Obfuscation_Dropbox {
|
|
meta:
|
|
description = "Detects PowerShell AMSI Bypass"
|
|
author = "Florian Roth"
|
|
reference = "https://twitter.com/ItsReallyNick/status/887705105239343104"
|
|
date = "2017-07-19"
|
|
score = 70
|
|
strings:
|
|
$x1 = "j\"+\"a\"+\"v\"+\"a\"+\"s\"+\"c\"+\"r\"+\"i\"+\"p\"+\"t\""
|
|
$x2 = "script:https://www.dropbox.com" ascii
|
|
condition:
|
|
2 of them
|
|
}
|
|
|
|
rule JS_Suspicious_MSHTA_Bypass {
|
|
meta:
|
|
description = "Detects MSHTA Bypass"
|
|
author = "Florian Roth"
|
|
reference = "https://twitter.com/ItsReallyNick/status/887705105239343104"
|
|
date = "2017-07-19"
|
|
score = 70
|
|
strings:
|
|
$s1 = "mshtml,RunHTMLApplication" ascii
|
|
$s2 = "new ActiveXObject(\"WScript.Shell\").Run(" ascii
|
|
$s3 = "/c start mshta j" ascii nocase
|
|
condition:
|
|
2 of them
|
|
}
|