Sneed-Reactivity/yara-Neo23x0/gen_susp_ps_jab.yar


rule SUSP_PS1_JAB_Pattern_Jun22_1 {
   meta:
      description = "Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable"
      author = "Florian Roth (Nextron Systems)"
      reference = "Internal Research"
      date = "2022-06-10"
      score = 70
      id = "9ecca7d9-3b63-5615-a223-5efa1c53510e"
   strings:
      /*
         What is matched:
         PowerShell source that is first encoded as UTF-16LE and then Base64'd
         (the form accepted by -EncodedCommand). When the script begins with a
         one-character variable assignment of the form "$x = $..." the first
         Base64 characters are fixed: "J", "A", "B", then one character that
         carries the low 6 bits of the variable's letter, then a fixed tail
         that differs only by whether spaces surround the "=".

         The single wildcard byte is that variable-dependent Base64 character.
         The "B" before it only arises when the variable's first byte is in
         0x40-0x7F (letters, "_", etc.) - a digit there would yield "A" and
         not match. This is a lead-quality pattern (score 70, SUSP_ prefix):
         benign encoded commands written this way will hit as well, so treat a
         match as something to decode and review, not as a verdict on its own.

         The CyberChef recipes below regenerate the byte patterns; the input of
         each is a few sample lines such as "$p = $Env:tem" and "$x = $myvar;".
      */

      /*
         Variant 1 - spaces around the assignment:  $c = $
         https://gchq.github.io/CyberChef/#recipe=Fork('%5C%5Cn','%5C%5Cn',false)Encode_text('UTF-16LE%20(1200)')To_Base64('A-Za-z0-9%2B/%3D')Encode_text('UTF-16LE%20(1200)'/disabled)To_Hex('Space',0)&input=JHAgPSAkRW52OnRlbQokeCA9ICRteXZhcjsKJHggPSBJbnZva2Ut
      */
      // Base64 text stored as plain ASCII: "JAB?ACAAPQAgA"
      $spaced_ascii = { 4a 41 42 ?? 41 43 41 41 50 51 41 67 41 }
      // the same Base64 text itself stored as UTF-16LE (every char followed by 00),
      // e.g. the encoded command sitting inside a UTF-16 script or log
      $spaced_wide  = { 4a 00 41 00 42 00 ?? 00 41 00 43 00 41 00 41 00 50 00 51 00 41 00 67 00 41 }

      /*
         Variant 2 - no spaces around the assignment:  $c=$
         https://gchq.github.io/CyberChef/#recipe=Fork('%5C%5Cn','%5C%5Cn',false)Encode_text('UTF-16LE%20(1200)')To_Base64('A-Za-z0-9%2B/%3D')Encode_text('UTF-16LE%20(1200)'/disabled)To_Hex('Space',0)&input=JHA9JEVudjp0ZW0KJHg9JG15dmFyOwokeD1JbnZva2Ut
      */
      // Base64 text stored as plain ASCII: "JAB?AD0A"
      $compact_ascii = { 4a 41 42 ?? 41 44 30 41 }
      // the same Base64 text stored as UTF-16LE
      $compact_wide  = { 4a 00 41 00 42 00 ?? 00 41 00 44 00 30 00 41 }

   condition:
      // size cap keeps the scan cheap on large blobs; a single hit of any
      // variant is enough, the patterns are not anchored to offset 0
      filesize < 30MB
      and any of ($spaced_*, $compact_*)
}