SIGS: ET HUNTING Possible Obfuscated PowerShell Script Download

Hi,

Some experimental sigs looking for obfuscation techniques in PS1 downloads. They often start with a variable ($). Good examples here: MintsLoader Malware Analysis: Multi-Stage Loader Used by TAG-124 and SocGholish.

Seen in LUMMA distribution too, where one was a 9MB PowerShell script (SHA256 bb76c7c0bd9505daf4b91971af20915af9ef2112d664fbe1c30bd097601041f2 | Triage) that loads an embedded (and obfuscated/encrypted) LUMMA payload into memory.

# The script is the HTTP response body (server -> client), so the contents are matched in file_data; a request-body buffer can never match on a to_client flow.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET HUNTING Possible Obfuscated PowerShell Script Download - Excessive CHAR"; flow:established,to_client; file_data; content:"$"; depth:1; content:"[CHAR"; nocase; distance:0; content:"[CHAR"; nocase; distance:0; content:"[CHAR"; nocase; distance:0; content:"[CHAR"; nocase; distance:0; classtype:bad-unknown; sid:134201; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET HUNTING Possible Obfuscated PowerShell Script Download - Excessive Split String M1"; flow:established,to_client; file_data; content:"$"; depth:1; content:"|27|+|27|"; distance:0; content:"|27|+|27|"; distance:0; content:"|27|+|27|"; distance:0; content:"|27|+|27|"; distance:0; classtype:bad-unknown; sid:134202; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET HUNTING Possible Obfuscated PowerShell Script Download - Excessive Split String M2"; flow:established,to_client; file_data; content:"$"; depth:1; content:"|27| + |27|"; distance:0; content:"|27| + |27|"; distance:0; content:"|27| + |27|"; distance:0; content:"|27| + |27|"; distance:0; classtype:bad-unknown; sid:134203; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET HUNTING Possible Obfuscated PowerShell Script Download - Excessive Split String M3"; flow:established,to_client; file_data; content:"$"; depth:1; content:"|22|+|22|"; distance:0; content:"|22|+|22|"; distance:0; content:"|22|+|22|"; distance:0; content:"|22|+|22|"; distance:0; classtype:bad-unknown; sid:134204; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET HUNTING Possible Obfuscated PowerShell Script Download - Excessive Split String M4"; flow:established,to_client; file_data; content:"$"; depth:1; content:"|22| + |22|"; distance:0; content:"|22| + |22|"; distance:0; content:"|22| + |22|"; distance:0; content:"|22| + |22|"; distance:0; classtype:bad-unknown; sid:134205; rev:1;)

Kind Regards,
Kevin

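To sanity-check what the five rules above actually demand of a downloaded script before deploying them, here is a small Python emulation of their content chain (an added example, not part of Kevin's post and not ET code). It applies the same checks the rules do on the HTTP response body: a `$` at offset 0 (`depth:1`), then four occurrences of the repeated token, each found at or after the end of the previous match (`distance:0`), with `nocase` only for `[CHAR`. The three sample bodies are constructed for this example: an obfuscated-style script that trips two rules, a benign script with a single concatenation, and a script preceded by a UTF-8 BOM, which the `depth:1` check does not match.

```python
"""Emulate the content chain of the ET HUNTING 'Obfuscated PowerShell Script
Download' rules over HTTP response bodies (added example, not the ET rules).

Each rule is: "$" at offset 0 (depth:1), then the same token four times,
each match starting at or after the point where the previous one ended
(distance:0)."""

# rule name suffix -> (repeated token, nocase)
SIGNATURES = {
    "Excessive CHAR": (b"[CHAR", True),              # [CHAR]105+[CHAR]101
    "Excessive Split String M1": (b"'+'", False),    # 'Inv'+'oke'
    "Excessive Split String M2": (b"' + '", False),  # 'Inv' + 'oke'
    "Excessive Split String M3": (b'"+"', False),    # "Inv"+"oke"
    "Excessive Split String M4": (b'" + "', False),  # "Inv" + "oke"
}
REPEATS = 4  # number of repeated content: keywords in each rule


def chained_match(body: bytes, token: bytes, nocase: bool,
                  repeats: int = REPEATS) -> bool:
    """True if `body` would satisfy one rule's content chain."""
    # content:"$"; depth:1  -> the very first byte must be '$'
    if not body.startswith(b"$"):
        return False
    hay = body.lower() if nocase else body
    needle = token.lower() if nocase else token
    pos = 1  # cursor sits right after the "$" match
    for _ in range(repeats):
        idx = hay.find(needle, pos)  # distance:0 -> at or after the cursor
        if idx < 0:
            return False
        pos = idx + len(needle)  # next content must start after this match
    return True


def matching_signatures(body: bytes) -> list[str]:
    """Names of the rules that would fire on this response body."""
    return [name for name, (token, nocase) in SIGNATURES.items()
            if chained_match(body, token, nocase)]


# Constructed sample bodies for this example (not real captured samples)
SAMPLE_OBFUSCATED = (b"$a=('Inv'+'oke'+'-Web'+'Req'+'uest');"
                     b"$b=[char]73+[Char]69+[CHAR]88+[char]0;&$b $a")
SAMPLE_BENIGN = (b"$ErrorActionPreference = 'Stop'\n"
                 b"$path = 'C:\\Temp' + '\\out.txt'\n"
                 b"Write-Output $path\n")
SAMPLE_BOM = b"\xef\xbb\xbf$a='x'+'y'+'z'+'w'+'v'"  # BOM before "$" defeats depth:1

if __name__ == "__main__":
    for label, body in [("obfuscated", SAMPLE_OBFUSCATED),
                        ("benign", SAMPLE_BENIGN),
                        ("bom", SAMPLE_BOM)]:
        print(f"{label:10s} -> {matching_signatures(body)}")
```

The BOM case is worth keeping in mind when triaging misses: any byte before the `$` (a BOM, whitespace, a leading comment line) takes the body outside the `depth:1` window, so the chain never starts. This script only emulates matching on an already decompressed body; confirm the loaded rules against a real capture with the engine itself before relying on them.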

Thanks for sharing @kevross33! I’ll take a look and get these in today’s release!

- Isaac

Thanks again @kevross33 !

2062457 - ET HUNTING Possible Obfuscated PowerShell Script Download - Excessive Split String M1
2062458 - ET HUNTING Possible Obfuscated PowerShell Script Download - Excessive Split String M2
2062459 - ET HUNTING Possible Obfuscated PowerShell Script Download - Excessive Split String M3
2062460 - ET HUNTING Possible Obfuscated PowerShell Script Download - Excessive Split String M4