
/* This is an extract from THOR's anomaly detection rule set */
/*
Yara Rule Set
Author: Florian Roth
Date: 2017-08-11
Identifier: PowerShell Anomalies
Reference: https://twitter.com/danielhbohannon/status/905096106924761088
*/
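rule PowerShell_Case_Anomaly {
    meta:
        description = "Detects obfuscated PowerShell hacktools"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://twitter.com/danielhbohannon/status/905096106924761088"
        date = "2017-08-11"
        modified = "2022-06-12"
        score = 70
        id = "41c97d15-c167-5bdd-a8b4-871d14f66fe1"
    strings:
        // Case-insensitive counter: every occurrence of the keyword in any casing,
        // as ASCII or UTF-16LE. The condition compares it against the sum of the
        // expected-casing counters below; an occurrence with an unlisted casing is
        // counted by $s1 but by none of $sn*, so the counter exceeds the sum.
        $s1 = "powershell" nocase ascii wide
        // Expected casings of 'powershell' (same ascii/wide scope as $s1)
        $sn1 = "powershell" ascii wide
        $sn2 = "Powershell" ascii wide
        $sn3 = "PowerShell" ascii wide
        $sn4 = "POWERSHELL" ascii wide
        $sn5 = "powerShell" ascii wide
        $sn6 = "PowerShelL" ascii wide /* PSGet.Resource.psd1 - part of PowerShellGet */
        $sn7 = "PowershelL" ascii wide /* SCVMM.dll - part of Citrix */
        // Truncated form of the keyword followed by the encoded-command switch.
        // Upstream comment referred to this as "PowerShell with \x19\x00\x00"; the
        // exact artifact it targets is not documented here - TODO confirm.
        $a1 = "wershell -e " nocase wide ascii
        // Expected casings of the truncated form
        $an1 = "wershell -e " wide ascii
        $an2 = "werShell -e " wide ascii
        // A second keyword with sufficient length and relevancy to be a useful
        // anomaly indicator on its own.
        $k1 = "-noprofile" fullword nocase ascii wide
        // Expected casings of '-noprofile'. 'fullword' is applied here as well so
        // that these counters match exactly what $k1 counts: without it a longer
        // token (e.g. an expected-case "-noprofiler") would be counted by $kn* but
        // not by $k1, inflating the sum and suppressing a real anomaly.
        $kn1 = "-noprofile" fullword ascii wide
        $kn2 = "-NoProfile" fullword ascii wide
        $kn3 = "-noProfile" fullword ascii wide
        $kn4 = "-NOPROFILE" fullword ascii wide
        $kn5 = "-Noprofile" fullword ascii wide
        // False-positive suppressors: markers of files known to legitimately contain
        // unusual casings (see the $sn6 note on PSGet.Resource.psd1). Any single hit
        // disables the rule for that file.
        $fp1 = "Microsoft Code Signing" ascii fullword
        $fp2 = "Microsoft Corporation" ascii
        $fp3 = "Microsoft.Azure.Commands.ContainerInstance" wide
        $fp4 = "# Localized PSGet.Resource.psd1" wide
    condition:
        filesize < 800KB and (
            // 'powershell' present in a casing that is not in the expected list
            ( #s1 > #sn1 + #sn2 + #sn3 + #sn4 + #sn5 + #sn6 + #sn7 ) or
            // truncated form present in a casing that is not in the expected list
            ( #a1 > #an1 + #an2 ) or
            // '-noprofile' present in a casing that is not in the expected list
            ( #k1 > #kn1 + #kn2 + #kn3 + #kn4 + #kn5 )
        ) and not 1 of ($fp*)
}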
rule WScriptShell_Case_Anomaly {
    meta:
        description = "Detects obfuscated wscript.shell commands"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Internal Research"
        date = "2017-09-11"
        modified = "2022-06-09"
        score = 60
        id = "d69d932d-1e39-5259-9200-f0227754f49c"
    strings:
        // Any-casing counter for the WScript.Shell Run invocation, ASCII and UTF-16LE.
        $any = "WScript.Shell\").Run" nocase ascii wide
        // Casings treated as normal; each is counted separately and subtracted from
        // the any-casing count in the condition.
        $ok1 = "WScript.Shell\").Run" ascii wide
        $ok2 = "wscript.shell\").run" ascii wide
        $ok3 = "WSCRIPT.SHELL\").RUN" ascii wide
        $ok4 = "Wscript.Shell\").Run" ascii wide
        $ok5 = "WScript.shell\").Run" ascii wide
    condition:
        // An occurrence whose casing is not in the expected list is counted by $any
        // but by none of $ok*, so the any-casing counter exceeds the sum.
        filesize < 3000KB
        and ( #ok1 + #ok2 + #ok3 + #ok4 + #ok5 ) < #any
}