From 851adb6d1c05b43c61348f5ebf53036586e754c3 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 10 Dec 2020 19:07:27 +0100
Subject: [PATCH] rule: powershell loaders

---
yara/powershell_loaders.yar | 39 +++++++++++++++++++++++++++++++++++++
1 file changed, 39 insertions(+)
create mode 100644 yara/powershell_loaders.yar

diff --git a/yara/powershell_loaders.yar b/yara/powershell_loaders.yar
new file mode 100644
index 0000000..14680b1
--- /dev/null
+++ b/yara/powershell_loaders.yar
@@ -0,0 +1,39 @@
+rule SUSP_PowerShell_Loader_Generic {
+ meta:
+ description = "Detects different kinds of PowerShell loaders"
+ author = "Florian Roth"
+ date = "2020-12-10"
+ score = 60
+ reference = "https://app.any.run/tasks/93fa402c-c6d7-4bc6-bf88-1ec954ae7f51/"
+ strings:
+ /* catch the ones that are easy to catch */
+ $s1 = "powershell" ascii nocase
+ $s2 = "-w hidden" ascii nocase
+ $s3 = " -e" nocase
+ $enc01 = " IABz"
+ $enc02 = " IABT"
+ $enc03 = " cwBl"
+ $enc04 = " cwBF"
+ $enc05 = " UwBl"
+ $enc06 = " UwBF"
+ $enc07 = " SUVYI"
+ $enc08 = " aWV4I"
+ $enc09 = " SQBFAFgA"
+ $enc10 = " aQBlAHgA"
+ /* catch the ones that try to hide */
+ $p1 = "powershell" nocase fullword
+ /* filter valid casing */
+ $pf1 = "powershell" fullword
+ $pf2 = "Powershell" fullword
+ $pf3 = "PowerShell" fullword
+ $pf4 = "POWERSHELL" fullword
+ $pf5 = "powerShell" fullword
+ condition:
+ /* simple */
+ ( all of ($s*) and 1 of ($e*) ) or
+ /* casing anomalies */
+ $p1 and not 1 of ($pf*)
+}
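Review bot: The casing-anomaly branch `$p1 and not 1 of ($pf*)` is evaluated file-wide, so one correctly-cased `powershell` anywhere in the file (a comment, a help string, a path) suppresses detection of an obfuscated `pOwErShElL` elsewhere, which is trivial for a loader author to arrange. Comparing occurrence counts isolates the anomalous hits regardless of what else is in the file: `#p1 > #pf1 + #pf2 + #pf3 + #pf4 + #pf5` (YARA has no wildcard form for `#` counts, hence the explicit sum). Separately, `$s3 = " -e" nocase` is a three-byte atom that YARA will warn slows scanning and that is also the prefix of unrelated switches; since the `all of ($s*)` gate already requires `powershell` and `-w hidden`, a longer form such as `/ -e(c|nc|ncodedcommand)? /i` would keep the same intent with a usable atom. Finally, `$s1` and `$p1` are ASCII-only, so UTF-16 carriers such as registry values or LNK arguments are out of scope for this rule; if that is intended, a `meta` note saying so would save the next reader from adding `wide` and changing the score semantics.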