/*
   Yara Rule Set
   Author: Florian Roth
   Date: 2017-02-23
   Identifier: Suspicious PowerShell Script Code
*/

/* Rule Set ----------------------------------------------------------------- */

/*
   Word document (OLE2 container) that carries PowerShell download code.
   The condition requires the OLE2 magic, at least one Word/Forms marker and
   both PowerShell indicator strings, so a bare text script does not trigger it.
*/
rule WordDoc_PowerShell_URLDownloadToFile {
   meta:
      description = "Detects Word Document with PowerShell URLDownloadToFile"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.arbornetworks.com/blog/asert/additional-insights-shamoon2/"
      date = "2017-02-23"
      super_rule = 1
      hash1 = "33ee8a57e142e752a9c8960c4f38b5d3ff82bf17ec060e4114f5b15d22aa902e"
      hash2 = "388b26e22f75a723ce69ad820b61dd8b75e260d3c61d74ff21d2073c56ea565d"
      hash3 = "71e584e7e1fb3cf2689f549192fe3a82fd4cd8ee7c42c15d736ebad47b028087"
      id = "f76c5f91-f67c-5754-b771-73383aba4d64"
   strings:
      /* Document-type markers: either one is enough (1 of ($w*) in the condition). */
      $w1 = "Microsoft Forms 2.0 CommandButton" fullword ascii
      $w2 = "Microsoft Word 97-2003 Document" fullword ascii
      /* PowerShell download indicators: both must be present (all of ($p*)). */
      $p1 = "powershell.exe" fullword ascii
      $p2 = "URLDownloadToFile" fullword ascii
   condition:
      /* uint16(0) reads little-endian, so 0xcfd0 means the file begins with
         the bytes D0 CF, the start of the OLE2 / Compound File header signature. */
      ( uint16(0) == 0xcfd0 and 1 of ($w*) and all of ($p*) )
}

/*
   Generic PowerShell download-cradle and persistence patterns. Any single
   string is sufficient (1 of them), which is why the score is moderate (60).
   Every string is ascii-only (no wide modifier), so the same text stored as
   UTF-16LE is not matched by this rule.
*/
rule Suspicious_PowerShell_Code_1 : FILE {
   meta:
      description = "Detects suspicious PowerShell code"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      score = 60
      reference = "Internal Research"
      date = "2017-02-22"
      id = "ec3c3682-d2de-52b7-bb49-b021ddf7f8ac"
   strings:
      /* NOTE(review): in YARA regular expressions an unescaped `$` is the
         end-of-data anchor rather than a literal PowerShell variable sigil; if a
         literal `$` is intended in $s1-$s3 it would have to be written as `\$`.
         Confirm against the YARA docs and a known sample before changing the
         patterns. The unescaped `.` in these regexes matches any single byte,
         which only makes them slightly broader than the literal text. */
      $s1 = /$[a-z]=new-object net.webclient/ ascii
      $s2 = /$[a-z].DownloadFile\("http:/ ascii
      $s3 = /IEX $[a-zA-Z]{1,8}.downloadstring\(["']http/ ascii nocase
      /* Literal command-line fragments. $s4 and $s5 carry no nocase modifier,
         so a differently cased spelling of the same flags is not covered. */
      $s4 = "powershell.exe -w hidden -ep bypass -Enc" ascii
      $s5 = "-w hidden -noni -nop -c \"iex(New-Object" ascii
      /* Run-key persistence via reg add; nocase, so case variants of this
         command line still match. No ascii/wide modifier is given, so YARA's
         default (ascii) applies. */
      $s6 = "powershell.exe reg add HKCU\\software\\microsoft\\windows\\currentversion\\run" nocase
   condition:
      1 of them
}

/* Tagged HIGHVOL and FILE; the rest of this rule continues below. */
rule Suspicious_PowerShell_WebDownload_1 : HIGHVOL FILE {
   meta:
      description = "Detects suspicious PowerShell code that downloads from web sites"
      license
= "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" score = 60 reference = "Internal Research" date = "2017-02-22" modified = "2024-04-03" nodeepdive = 1 id = "a763fb82-c840-531b-b631-f282bf035020" strings: $s1 = "System.Net.WebClient).DownloadString(\"http" ascii nocase $s2 = "System.Net.WebClient).DownloadString('http" ascii nocase $s3 = "system.net.webclient).downloadfile('http" ascii nocase $s4 = "system.net.webclient).downloadfile(\"http" ascii nocase $s5 = "GetString([Convert]::FromBase64String(" ascii nocase $fp1 = "NuGet.exe" ascii fullword $fp2 = "chocolatey.org" ascii $fp3 = " GET /" $fp4 = " POST /" $fp5 = ".DownloadFile('https://aka.ms/installazurecliwindows', 'AzureCLI.msi')" ascii $fp6 = " 404 " /* in web server logs */ $fp7 = "# RemoteSSHConfigurationScript" ascii /* \.vscode\extensions\ms-vscode-remote.remote-ssh */ $fp8 = "