Merge pull request Neo23x0#113 from Neo23x0/new-rules

New rules
bboosz · Dec 10, 2020 · 8296364 · 8296364
2 parents 55cdfa0 + 851adb6
commit 8296364
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 0 deletions.
diff --git a/yara/gen_ransomware_command_lines.yar b/yara/gen_ransomware_command_lines.yar
@@ -16,6 +16,8 @@ rule ransomware_command_lines
         $p_catalog      = "catalog" fullword nocase
         $p_quiet        = "-quiet" nocase
         $p_quiet2       = "/quiet" nocase
+        $p_backup1      = "backup" nocase fullword
+        $p_backup2      = "systemstatebackup" nocase fullword
         $p_recoveryenabled   = "recoveryenabled" fullword nocase
         $p_ignoreallfailures = "ignoreallfailures" fullword nocase
         $p_win32_shadowcopy = "win32_shadowcopy" fullword nocase
@@ -41,6 +43,7 @@ rule ransomware_command_lines
                 or ( $e_vssadmin and $p_resize and $p_shadowstorage)
                 or ( $e_wmic and $p_delete and $p_shadowcopy)
                 or ( $e_wbadmin and $p_delete and $p_catalog and 1 of ($p_quiet*))
+                or ( $e_wbadmin and $p_delete and ($p_backup*))
                 or ( $e_bcdedit and $p_ignoreallfailures)
                 or ( $e_bcdedit and $p_recoveryenabled)
                 or ( $e_diskshadow and $p_delete and $p_shadows)

diff --git a/yara/powershell_loaders.yar b/yara/powershell_loaders.yar
@@ -0,0 +1,39 @@
+rule SUSP_PowerShell_Loader_Generic {
+   meta:
+      description = "Detects different kinds of PowerShell loaders"
+      author = "Florian Roth"
+      date = "2020-12-10"
+      score = 60
+      reference = "https://app.any.run/tasks/93fa402c-c6d7-4bc6-bf88-1ec954ae7f51/"
+   strings:
+      /* catch the ones that are easy to catch */
+      $s1 = "powershell" ascii nocase
+      $s2 = "-w hidden" ascii nocase
+      $s3 = " -e" nocase
+      
+      $enc01 = " IABz"
+      $enc02 = " IABT"
+      $enc03 = " cwBl"
+      $enc04 = " cwBF"
+      $enc05 = " UwBl"
+      $enc06 = " UwBF"
+      $enc07 = " SUVYI"
+      $enc08 = " aWV4I"
+      $enc09 = " SQBFAFgA"
+      $enc10 = " aQBlAHgA"
+
+      /* catch the ones that try to hide */
+      $p1 = "powershell" nocase fullword 
+
+      /* filter valid casing */
+      $pf1 = "powershell" fullword
+      $pf2 = "Powershell" fullword 
+      $pf3 = "PowerShell" fullword
+      $pf4 = "POWERSHELL" fullword
+      $pf5 = "powerShell" fullword
+   condition:
+      /* simple */
+      ( all of ($s*) and 1 of ($e*) ) or
+      /* casing anomalies */
+      $p1 and not 1 of ($pf*)
+}