Common Information
Type | Value
---|---
Value | YARA rule (reproduced below)
Category | 
Type | Yara Rule
Misp Type | 
Description | 

```yara
rule poweliks_injected
{
    meta:
        description = "system infected with poweliks"
        in_the_wild = true

    strings:
        // Beacon URL format string and path of the injected dllhost.exe host process
        $s1 = "http://%s/q"
        $s2 = /(syswow64|system32)\\dllhost\.exe/ wide
        $s3 = "%1d.%1d.%04d_%1d.%1d"
        $s4 = "%x%x%x%x%x%x"
        $s5 = "builddate"
        // PowerShell indicators: versioned WindowsPowerShell path or the bare executable name
        $t1 = /windowspowershell\\[a-z0-9]{1,3}\.[a-z0-9]{1,2}\\powershell\.exe/ wide
        $t2 = "powershell.exe"

    condition:
        // Every $s string must be present, plus at least one PowerShell indicator
        all of ($s*) and any of ($t*)
}
```

Source: Rivera & Inocencio, "Doing More With Less: A Study of Fileless Infection Attacks", Virus Bulletin Conference, September 2015, p. 88 (Figure 51: POWELIKS's HTTP connections; Figure 52: Notification for blocking suspicious software, in this case, POWELIKS).