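import "hash"

// Detects the PoshC2 "pbind" implant (pbind.exe) by a fixed set of strings
// extracted from the reference sample, or by exact SHA-256 of that sample.
rule PoshC2_Pbind {
    meta:
        description = "PoshC2 - pbind.exe"
        sha256 = "fc02c496d646b60fd70e2ad4be6e35b3f16aaf6c34ee47a7fb81d00cd54ab383"

    strings:
        // Binary / assembly identity
        $s1 = "pbind.exe" ascii fullword
        $s3 = " <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>" ascii fullword
        $s7 = " <assemblyIdentity version=\"1.0.0.0\" name=\"MyApplication.app\"/>" ascii fullword
        $s16 = " <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v2\">" ascii fullword

        // Operator-facing task/command strings
        $s2 = "[+] Running task in background, run get-bg to get background output." wide fullword
        $s5 = "run-dll-background" wide fullword
        $s6 = "[*] Only run one task in the background at a time per implant." wide fullword
        $s10 = "run-dll" wide fullword
        $s11 = "run-exe Core.Program Core " wide fullword
        $s12 = "$[-] Cannot read from pipe" wide fullword
        $s13 = "loadmodule" wide fullword
        $s14 = "[-] No output" wide fullword
        $s19 = "Error loading modules {0}" wide fullword
        $s20 = "run-exe-background" wide fullword

        // Build-time placeholders left in the binary (pipe name / key)
        $s8 = "#REPLACEPBINDPIPENAME#" wide fullword
        $s18 = "#REPLACEKEY#" wide fullword

        // Implementation method / library names
        $s4 = "ParseCommandLineArgs" ascii fullword
        $s9 = "CreateEncryptionAlgorithm" ascii fullword
        $s15 = "Microsoft.CodeAnalysis" ascii fullword
        $s17 = "GzipCompress" ascii fullword
        // NOTE(review): "Invoke" is a generic .NET token; it only contributes to
        // the count threshold below and should not be relied on by itself.
        $s21 = "Invoke" wide fullword

    condition:
        // Cheap structural gates first (PE magic, size cap, string count).
        // The full-file SHA-256 is placed last so it is only evaluated when
        // the string-based clause does not already match, rather than being
        // computed for every scanned file as in the original ordering.
        // Parentheses make the and/or precedence explicit; the logic is
        // unchanged: exact-hash match OR (MZ AND < 40KB AND 8 strings).
        (
            uint16(0) == 0x5a4d
            and filesize < 40KB
            and 8 of them
        )
        or hash.sha256(0, filesize) == "fc02c496d646b60fd70e2ad4be6e35b3f16aaf6c34ee47a7fb81d00cd54ab383"
}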
Type | Yara Rule |