DefenderYara/Exploit/Win32/Rediches/Exploit_Win32_Rediches_A.yar


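rule Exploit_Win32_Rediches_A{
    // Exploit:Win32/Rediches.A, transliterated from a Defender PEHSTR_EXT
    // signature (see meta.description): four hex strings, each weighted 1,
    // with a detection threshold of 3.
    meta:
        description = "Exploit:Win32/Rediches.A,SIGNATURE_TYPE_PEHSTR_EXT,03 00 03 00 04 00 00 "
    strings :
        // ASCII "<sd:ProcessStartInfo"
        $a_80_0 = {3c 73 64 3a 50 72 6f 63 65 73 73 53 74 61 72 74 49 6e 66 6f } //<sd:ProcessStartInfo 1
        // ASCII "powershell?serializationLevel=Full"
        $a_80_1 = {70 6f 77 65 72 73 68 65 6c 6c 3f 73 65 72 69 61 6c 69 7a 61 74 69 6f 6e 4c 65 76 65 6c 3d 46 75 6c 6c } //powershell?serializationLevel=Full 1
        // UTF-16LE "Arguments", then 0-10 arbitrary bytes, then UTF-16LE "/c"
        $a_02_2 = {41 00 72 00 67 00 75 00 6d 00 65 00 6e 00 74 00 73 00 [0-10] 2f 00 63 00 } //1
        // ASCII "Arguments", then 0-10 arbitrary bytes, then ASCII "/c"
        $a_02_3 = {41 72 67 75 6d 65 6e 74 73 [0-10] 2f 63 } //1
    condition:
        // The generated form summed (#a_xx & 1)*1 per string. "#a & 1" is the
        // low bit of the match COUNT, so a string that occurs an even number of
        // times contributes 0 and a file that simply repeats one of the
        // strings could fall below the threshold. The signature counts
        // presence; with every weight 1 and threshold 3, that is "3 of them".
        3 of them
}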