update: powershell loaders rule

ANARCYPHER · May 11, 2021 · 241e291 · 241e291
1 parent dd78209
commit 241e291
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/yara/powershell_loaders.yar b/yara/powershell_loaders.yar
@@ -3,13 +3,16 @@ rule SUSP_PowerShell_Loader_Generic {
       description = "Detects different kinds of PowerShell loaders"
       author = "Florian Roth"
       date = "2020-12-10"
+      modified = "2021-05-11"
       score = 60
       reference = "https://app.any.run/tasks/93fa402c-c6d7-4bc6-bf88-1ec954ae7f51/"
+      reference2 = "https://app.any.run/tasks/d9d249db-f583-46e5-b774-511f28370aad/"
    strings:
       /* catch the ones that are easy to catch */
       $s1 = "powershell" ascii nocase
       $s2 = "-w hidden" ascii nocase
       $s3 = " -e" nocase
+      $s4 = " -command " ascii
       
       $enc01 = " IABz"
       $enc02 = " IABT"
@@ -21,6 +24,7 @@ rule SUSP_PowerShell_Loader_Generic {
       $enc08 = " aWV4I"
       $enc09 = " SQBFAFgA"
       $enc10 = " aQBlAHgA"
+      $enc11 = "SW52b2tlLVdlYlJlcXVlc3Q"
 
       /* catch the ones that try to hide */
       $p1 = "powershell" nocase fullword 
@@ -33,7 +37,7 @@ rule SUSP_PowerShell_Loader_Generic {
       $pf5 = "powerShell" fullword
    condition:
       /* simple */
-      ( all of ($s*) and 1 of ($e*) ) or
+      ( 3 of ($s*) and 1 of ($e*) ) or
       /* casing anomalies */
       $p1 and not 1 of ($pf*)
 }