Commit f01da293b1e9d1789327a70f31985ed0cf4dd60c
1 parent
49b8af64
olevba: added suspicious strings for PowerShell.exe options
Showing
1 changed file
with
4 additions
and
1 deletions
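--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -152,6 +152,7 @@ https://github.com/unixfreak0037/officeparser
 # 2015-09-16 PL: - join long VBA lines ending with underscore before scan
 # - disabled unused option --each
 # 2015-09-22 v0.41 PL: - added new option --reveal
+# - added suspicious strings for PowerShell.exe options
 
 __version__ = '0.41'
 
@@ -314,7 +315,9 @@ SUSPICIOUS_KEYWORDS = {
 #WScript.Shell+Run sample: http://pastebin.com/Z4TMyuq6
 'May run PowerShell commands':
 #sample: https://malwr.com/analysis/M2NjZWNmMjA0YjVjNGVhYmJlZmFhNWY4NmQxZDllZTY/
-('PowerShell', ),
+#also: https://bitbucket.org/decalage/oletools/issues/14/olevba-library-update-ioc
+#TODO: add support for keywords starting with a non-alpha character, such as "-noexit"
+('PowerShell', 'noexit', 'ExecutionPolicy', 'noprofile'),
 'May hide the application':
 ('Application.Visible', 'ShowWindow', 'SW_HIDE'),
 'May create a directory':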
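Review bot: The new keyword tuple in the second hunk lists PowerShell switches only by their long names ('noexit', 'ExecutionPolicy', 'noprofile'), so the short forms of the same options that PowerShell also accepts (e.g. `-nop`, `-ep`) are not covered, and whether a mixed-case `-NoProfile` is caught depends on the scanner's case handling, which is outside this hunk. That gap is worth recording next to the TODO so anyone tuning the list sees it, e.g. `#NOTE: long option names only; abbreviated switches such as -nop / -ep are not matched`. 'ExecutionPolicy' also occurs in ordinary administrative scripts, so a hit on it alone is weaker evidence than 'PowerShell' itself; the category label 'May run PowerShell commands' still fits, but a short comment stating that these entries are option names rather than commands would help a reader of the table. The SUSPICIOUS_KEYWORDS dict begins and ends outside the hunk.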