76 lines
No EOL
3 KiB
Text
76 lines
No EOL
3 KiB
Text
|
|
rule PowerShell_Susp_Parameter_Combo : HIGHVOL FILE {
|
|
meta:
|
|
description = "Detects PowerShell invocation with suspicious parameters"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://goo.gl/uAic1X"
|
|
date = "2017-03-12"
|
|
modified = "2022-09-15"
|
|
score = 60
|
|
id = "17c707f3-7f51-5772-9874-a96c220960a7"
|
|
strings:
|
|
/* Encoded Command */
|
|
$sa1 = " -enc " ascii wide nocase
|
|
$sa2 = " -EncodedCommand " ascii wide nocase
|
|
$sa3 = " /enc " ascii wide nocase
|
|
$sa4 = " /EncodedCommand " ascii wide nocase
|
|
|
|
/* Window Hidden */
|
|
$sb1 = " -w hidden " ascii wide nocase
|
|
$sb2 = " -window hidden " ascii wide nocase
|
|
$sb3 = " -windowstyle hidden " ascii wide nocase
|
|
$sb4 = " /w hidden " ascii wide nocase
|
|
$sb5 = " /window hidden " ascii wide nocase
|
|
$sb6 = " /windowstyle hidden " ascii wide nocase
|
|
|
|
/* Non Profile */
|
|
$sc1 = " -nop " ascii wide nocase
|
|
$sc2 = " -noprofile " ascii wide nocase
|
|
$sc3 = " /nop " ascii wide nocase
|
|
$sc4 = " /noprofile " ascii wide nocase
|
|
|
|
/* Non Interactive */
|
|
$sd1 = " -noni " ascii wide nocase
|
|
$sd2 = " -noninteractive " ascii wide nocase
|
|
$sd3 = " /noni " ascii wide nocase
|
|
$sd4 = " /noninteractive " ascii wide nocase
|
|
|
|
/* Exec Bypass */
|
|
$se1 = " -ep bypass " ascii wide nocase
|
|
$se2 = " -exec bypass " ascii wide nocase
|
|
$se3 = " -executionpolicy bypass " ascii wide nocase
|
|
$se4 = " -exec bypass " ascii wide nocase
|
|
$se5 = " /ep bypass " ascii wide nocase
|
|
$se6 = " /exec bypass " ascii wide nocase
|
|
$se7 = " /executionpolicy bypass " ascii wide nocase
|
|
$se8 = " /exec bypass " ascii wide nocase
|
|
|
|
/* Single Threaded - PowerShell Empire */
|
|
$sf1 = " -sta " ascii wide
|
|
$sf2 = " /sta " ascii wide
|
|
|
|
$fp1 = "Chocolatey Software" ascii wide
|
|
$fp2 = "VBOX_MSI_INSTALL_PATH" ascii wide
|
|
$fp3 = "\\Local\\Temp\\en-US.ps1" ascii wide
|
|
$fp4 = "Lenovo Vantage - Battery Gauge Helper" wide fullword
|
|
$fp5 = "\\LastPass\\lpwinmetro\\AppxUpgradeUwp.ps1" ascii
|
|
$fp6 = "# use the encoded form to mitigate quoting complications that full scriptblock transfer exposes" ascii /* MS TSSv2 - https://docs.microsoft.com/en-us/troubleshoot/windows-client/windows-troubleshooters/introduction-to-troubleshootingscript-toolset-tssv2 */
|
|
$fp7 = "Write-AnsibleLog \"INFO - s" ascii
|
|
$fp8 = "\\Packages\\Matrix42\\" ascii
|
|
$fp9 = "echo " ascii
|
|
$fp10 = "install" ascii fullword
|
|
$fp11 = "REM " ascii
|
|
$fp12 = "set /p " ascii
|
|
$fp13 = "rxScan Application" wide
|
|
|
|
$fpa1 = "All Rights"
|
|
$fpa2 = "<html"
|
|
$fpa2b = "<HTML"
|
|
$fpa3 = "Copyright"
|
|
$fpa4 = "License"
|
|
$fpa5 = "<?xml"
|
|
$fpa6 = "Help" fullword
|
|
$fpa7 = "COPYRIGHT"
|
|
condition:
|
|
filesize < 3000KB and 4 of ($s*) and not 1 of ($fp*) and uint32be(0) != 0x456C6646 /* EVTX - we don't wish to mix the entries together */
|
|
} |