RED PILL 🔴 💊
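// Detects the POWERGAP PowerShell downloader used in the Industroyer2 intrusion
// against Ukrainian ICS (see `reference`). The strings are the script's own
// function and variable names plus the AD/GPO and WMI artefacts it touches.
//
// Change vs. the original rule: every string now carries `ascii wide`. The
// original matched ASCII/UTF-8 bytes only, so a copy of the script stored as
// UTF-16LE (which Windows PowerShell tooling such as Out-File commonly writes)
// was missed. Strings and threshold are otherwise unchanged.
//
// Caveat: PowerShell is case-insensitive, so a trivially re-cased sample
// (e.g. `start-work`, `get-wmiobject`) evades these literals; add `nocase`
// if the resulting false-positive rate is acceptable in your environment.
rule Powershell_Downloader_POWERGAP {
    meta:
        description = "Detects POWERGAP downloader used against Ukrainian ICS"
        reference = "https://github.com/cado-security/DFIR_Resources_Industroyer2"
        author = "mmuir@cadosecurity.com"
        date = "2022-04-12"
        license = "Apache License 2.0"
    strings:
        // Script-specific identifiers (function and variable names).
        $fn_start_work   = "Start-work" ascii wide
        $var_gpo_guid    = "$GpoGuid" ascii wide
        $var_source      = "$SourceFile" ascii wide
        $var_destination = "$DestinationFile" ascii wide
        $var_app_name    = "$appName" ascii wide
        // Generic GPO / AD / WMI artefacts. These also appear in legitimate
        // administration scripts, so on their own they are weak evidence.
        $ldap_rootdse    = "LDAP://ROOTDSE" ascii wide
        $gpt_ini         = "GPT.INI" ascii wide
        $wmi             = "Get-WmiObject" ascii wide
    condition:
        // 5 of 8: only three strings are generic, so a match always requires at
        // least two of the script-specific identifiers above.
        5 of them
}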