Common Information
Type | Value |
---|---|
Value |
import "hash"

// Flags the PoshC2 Sharp_Powershell_Runner.exe helper either by an exact
// SHA-256 match against one known sample or by a cluster of strings taken
// from that binary.
rule PoshC2_Sharp_Powershell_Runner
{
    meta:
        description = "PoshC2 Sharp_Powershell_Runner.exe"
        sha256 = "a7fbb82f2606e3ec217d94fe83d4127e3a5a47290141875ff150243024fb2259"

    strings:
        // Runner-specific artefacts: assembly/program name, the payload slot,
        // and the PowerShell runspace plumbing the runner calls into.
        $runner_exe      = "Sharp_Powershell_Runner.exe" ascii fullword
        $runner_name     = "Sharp_Powershell_Runner" ascii fullword
        $payload_slot    = "basepayload" ascii fullword
        $invoke_auto     = "InvokeAutomation" ascii fullword
        $runspace_invoke = "RunspaceInvoke" ascii fullword
        $ss_proxy        = "get_SessionStateProxy" ascii fullword
        $ps_variable     = "get_PSVariable" ascii fullword
        $iex_pipe        = "$o = IEX $c | Out-String" wide fullword
        $dll_base        = "DllBaseAddress" ascii fullword
        $base_addr       = "baseAddr" ascii fullword

        // Generic .NET / application-manifest artefacts. These also appear in
        // many benign managed executables, so individually they are weak
        // evidence; they only add weight alongside the strings above.
        $manifest_exec   = " <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>" ascii fullword
        $manifest_ident  = " <assemblyIdentity version=\"1.0.0.0\" name=\"MyApplication.app\"/>" ascii fullword
        $manifest_trust  = " <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v2\">" ascii fullword
        $manifest_priv   = " <requestedPrivileges xmlns=\"urn:schemas-microsoft-com:asm.v3\">" ascii fullword
        $manifest_close  = " </trustInfo>" ascii fullword
        $code_analysis   = "Microsoft.CodeAnalysis" ascii fullword
        $program         = "Program" ascii fullword
        $encoding        = "Encoding" ascii fullword
        $ref_safety      = "RefSafetyRulesAttribute" ascii fullword
        $embedded_attr   = "EmbeddedAttribute" ascii fullword

    condition:
        // Structural branch: MZ header, small file, then any 8 of the 20
        // strings. "them" covers every string in the rule, so grouping them
        // into two commented sets does not change the count. Since roughly
        // half of the strings are generic .NET artefacts, a small benign
        // managed binary may plausibly reach 8 without any runner-specific
        // string; treat string-only hits as triage candidates rather than a
        // confirmed PoshC2 sample. The original condition relied on YARA's
        // "and"-before-"or" precedence; the parentheses make that explicit.
        (
            uint16(0) == 0x5a4d
            and filesize < 20KB
            and 8 of them
        )
        // Known-sample branch: hash.sha256 digests the whole file (offset 0,
        // length filesize) and requires the "hash" module import above.
        or hash.sha256(0, filesize) == "a7fbb82f2606e3ec217d94fe83d4127e3a5a47290141875ff150243024fb2259"
}
Category | |
Type | Yara Rule |
Misp Type | |
Description |