
Yara: PowerShell with PE Reflective Injection
gentilkiwi committed May 15, 2015
1 parent ee4ab68 commit a36e552
Showing 1 changed file with 13 additions and 0 deletions.
13 changes: 13 additions & 0 deletions kiwi_passwords.yar
Expand Up @@ -88,4 +88,17 @@ rule lsadump
condition:
($str_sam_inc and not $str_sam_exc) or $hex_api_call or $str_msv_lsa or $hex_bkey
}

rule power_pe_injection
{
meta:
description = "PowerShell with PE Reflective Injection"
author = "Benjamin DELPY (gentilkiwi)"

strings:
$str_loadlib = "0x53, 0x48, 0x89, 0xe3, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xb9"
condition:
$str_loadlib or $hex_loadlib
}
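Review bot: The condition `$str_loadlib or $hex_loadlib` references `$hex_loadlib`, but the strings section defines only `$str_loadlib`, so YARA will reject power_pe_injection with an undefined-string error and the rule file as a whole will not compile. Presumably the missing identifier was meant to be the raw-byte form of the same sequence, i.e. `$hex_loadlib = { 53 48 89 e3 48 83 ec 20 66 83 e4 c0 48 b9 }` under `strings:`; if no second pattern is intended, drop `or $hex_loadlib` from the condition instead. Note also that the text pattern is case- and spacing-sensitive as written, so a script emitting uppercase hex or `0x53,0x48` without spaces would not match; adding `nocase` covers the case variant. The `lsadump` condition at the top of the hunk is unchanged context, and that rule's header lies outside the hunk.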
