Commit f01da293b1e9d1789327a70f31985ed0cf4dd60c
1 parent
49b8af64
olevba: added suspicious strings for PowerShell.exe options
Showing
1 changed file
with
4 additions
and
1 deletions
oletools/olevba.py
| @@ -152,6 +152,7 @@ https://github.com/unixfreak0037/officeparser | @@ -152,6 +152,7 @@ https://github.com/unixfreak0037/officeparser | ||
| 152 | # 2015-09-16 PL: - join long VBA lines ending with underscore before scan | 152 | # 2015-09-16 PL: - join long VBA lines ending with underscore before scan |
| 153 | # - disabled unused option --each | 153 | # - disabled unused option --each |
| 154 | # 2015-09-22 v0.41 PL: - added new option --reveal | 154 | # 2015-09-22 v0.41 PL: - added new option --reveal |
| 155 | +# - added suspicious strings for PowerShell.exe options | ||
| 155 | 156 | ||
| 156 | __version__ = '0.41' | 157 | __version__ = '0.41' |
| 157 | 158 | ||
| @@ -314,7 +315,9 @@ SUSPICIOUS_KEYWORDS = { | @@ -314,7 +315,9 @@ SUSPICIOUS_KEYWORDS = { | ||
| 314 | #WScript.Shell+Run sample: http://pastebin.com/Z4TMyuq6 | 315 | #WScript.Shell+Run sample: http://pastebin.com/Z4TMyuq6 |
| 315 | 'May run PowerShell commands': | 316 | 'May run PowerShell commands': |
| 316 | #sample: https://malwr.com/analysis/M2NjZWNmMjA0YjVjNGVhYmJlZmFhNWY4NmQxZDllZTY/ | 317 | #sample: https://malwr.com/analysis/M2NjZWNmMjA0YjVjNGVhYmJlZmFhNWY4NmQxZDllZTY/ |
| 317 | - ('PowerShell', ), | 318 | + #also: https://bitbucket.org/decalage/oletools/issues/14/olevba-library-update-ioc |
| 319 | + #TODO: add support for keywords starting with a non-alpha character, such as "-noexit" | ||
| 320 | + ('PowerShell', 'noexit', 'ExecutionPolicy', 'noprofile'), | ||
| 318 | 'May hide the application': | 321 | 'May hide the application': |
| 319 | ('Application.Visible', 'ShowWindow', 'SW_HIDE'), | 322 | ('Application.Visible', 'ShowWindow', 'SW_HIDE'), |
| 320 | 'May create a directory': | 323 | 'May create a directory': |