Sneed-Reactivity/yara-mikesxrs/Cado Security/Powershell_Downloader_POWERGAP.yar

rule Powershell_Downloader_POWERGAP {
    meta:
        description = "Detects POWERGAP downloader used against Ukrainian ICS"
        reference = "https://github.com/cado-security/DFIR_Resources_Industroyer2"
        author = "mmuir@cadosecurity.com"
        date = "2022-04-12"
        license = "Apache License 2.0"
    strings:
        $a = "Start-work" ascii
        $b = "$GpoGuid" ascii
        $c = "$SourceFile" ascii
        $d = "$DestinationFile" ascii
        $e = "$appName" ascii
	$f = "LDAP://ROOTDSE" ascii
	$g = "GPT.INI" ascii
	$h = "Get-WmiObject" ascii
    condition:
        5 of them
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 12:43:35 -05:00			`rule Powershell_Downloader_POWERGAP {`
			`meta:`
			`description = "Detects POWERGAP downloader used against Ukrainian ICS"`
			`reference = "https://github.com/cado-security/DFIR_Resources_Industroyer2"`
			`author = "mmuir@cadosecurity.com"`
			`date = "2022-04-12"`
			`license = "Apache License 2.0"`
			`strings:`
			`$a = "Start-work" ascii`
			`$b = "$GpoGuid" ascii`
			`$c = "$SourceFile" ascii`
			`$d = "$DestinationFile" ascii`
			`$e = "$appName" ascii`
			`$f = "LDAP://ROOTDSE" ascii`
			`$g = "GPT.INI" ascii`
			`$h = "Get-WmiObject" ascii`
			`condition:`
			`5 of them`
			`}`