30 lines
1.3 KiB
Text
30 lines
1.3 KiB
Text
|
|
||
|
rule SUSP_PS1_JAB_Pattern_Jun22_1 {
|
||
|
meta:
|
||
|
description = "Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "Internal Research"
|
||
|
date = "2022-06-10"
|
||
|
score= 70
|
||
|
id = "9ecca7d9-3b63-5615-a223-5efa1c53510e"
|
||
|
strings:
|
||
|
/*
|
||
|
with spaces : $c = $
|
||
|
https://gchq.github.io/CyberChef/#recipe=Fork('%5C%5Cn','%5C%5Cn',false)Encode_text('UTF-16LE%20(1200)')To_Base64('A-Za-z0-9%2B/%3D')Encode_text('UTF-16LE%20(1200)'/disabled)To_Hex('Space',0)&input=JHAgPSAkRW52OnRlbQokeCA9ICRteXZhcjsKJHggPSBJbnZva2Ut
|
||
|
*/
|
||
|
/* ASCII */
|
||
|
$xc1 = { 4a 41 42 ?? 41 43 41 41 50 51 41 67 41 }
|
||
|
/* UTF-16 encoded */
|
||
|
$xc2 = { 4a 00 41 00 42 00 ?? 00 41 00 43 00 41 00 41 00 50 00 51 00 41 00 67 00 41 }
|
||
|
/*
|
||
|
without spaces : $c=$
|
||
|
https://gchq.github.io/CyberChef/#recipe=Fork('%5C%5Cn','%5C%5Cn',false)Encode_text('UTF-16LE%20(1200)')To_Base64('A-Za-z0-9%2B/%3D')Encode_text('UTF-16LE%20(1200)'/disabled)To_Hex('Space',0)&input=JHA9JEVudjp0ZW0KJHg9JG15dmFyOwokeD1JbnZva2Ut
|
||
|
*/
|
||
|
/* ASCII */
|
||
|
$xc3 = { 4a 41 42 ?? 41 44 30 41 }
|
||
|
/* UTF-16 encoded */
|
||
|
$xc4 = { 4a 00 41 00 42 00 ?? 00 41 00 44 00 30 00 41 }
|
||
|
condition:
|
||
|
filesize < 30MB and 1 of them
|
||
|
}
|