@trailofbits/vsix-audit 0.1.0

package/zoo/signatures/yara/multi_stage_attacks.yar

@@ -0,0 +1,331 @@
+/*
+    Multi-Stage Attack Pattern Detection
+    Detects attack chains that combine multiple stages (download->write->execute, etc.)
+*/
+
+rule LOADER_JS_Download_Write_Execute_Jan25 {
+  meta:
+    description = "Detects dropper pattern that downloads content, writes to temp directory, and executes"
+    severity    = "critical"
+    score       = 90
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+
+  strings:
+    // Download stage
+    $dl1 = "fetch(" ascii wide
+    $dl2 = "axios.get" ascii wide
+    $dl3 = "https.get" ascii wide
+    $dl4 = "http.get" ascii wide
+    $dl5 = "request(" ascii wide
+    $dl6 = "got(" ascii wide
+
+    // Write stage
+    $write1 = "writeFileSync" ascii wide
+    $write2 = "writeFile" ascii wide
+    $write3 = "createWriteStream" ascii wide
+
+    // Execute stage
+    $exec1 = "child_process" ascii wide
+    $exec2 = ".exec(" ascii wide
+    $exec3 = ".spawn(" ascii wide
+    $exec4 = "execSync" ascii wide
+    $exec5 = "spawnSync" ascii wide
+
+    // Temp/hidden location indicators (require these for dropper pattern)
+    $temp1 = "/tmp/" ascii wide
+    $temp2 = "\\Temp\\" ascii wide
+    $temp3 = "os.tmpdir" ascii wide
+    $temp4 = "TEMP" ascii wide
+
+    // Base64 decode before write (payload decoding)
+    $decode1 = "atob(" ascii wide
+    $decode2 = "Buffer.from" ascii wide
+    $decode3 = "base64" ascii wide nocase
+
+    // Make executable before exec (chmod)
+    $chmod1 = "chmodSync" ascii wide
+    $chmod2 = "fs.chmod" ascii wide
+    $chmod3 = "chmod(" ascii wide
+
+    // Hidden file indicators (require 4+ bytes for good YARA atoms)
+    $hidden1 = "/tmp/." ascii wide  // Unix hidden files in /tmp
+    $hidden2 = "\\AppData\\Local\\Temp\\." ascii wide  // Windows hidden files in temp
+
+  condition:
+    // Require all three stages PLUS dropper indicator
+    any of ($dl*) and any of ($write*) and any of ($exec*) and
+    (
+      any of ($temp*) or  // Writing to temp directory
+      any of ($decode*) or  // Decoding payload before write
+      any of ($chmod*) or  // Making file executable
+      any of ($hidden*)  // Writing to hidden location
+    )
+}
+
+rule RAT_JS_Reverse_Shell_Jan25 {
+  meta:
+    description = "Detects reverse shell pattern where network socket is piped to shell for remote command execution"
+    severity    = "high"
+    score       = 85
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+
+  strings:
+    // Network socket creation (raw TCP, not HTTP)
+    $net1 = "net.Socket" ascii wide
+    $net2 = "net.connect" ascii wide
+    $net3 = "net.createConnection" ascii wide
+    $net4 = "socket.connect" ascii wide
+
+    // Shell execution (specific paths, not just "child_process")
+    $shell1 = "/bin/sh" ascii wide
+    $shell2 = "/bin/bash" ascii wide
+    $shell3 = "/bin/zsh" ascii wide
+    $shell4 = "cmd.exe" ascii wide
+    $shell5 = "powershell.exe" ascii wide nocase
+
+    // Piping stdin/stdout (require both for reverse shell)
+    $pipe_stdin  = "stdin" ascii wide
+    $pipe_stdout = "stdout" ascii wide
+    $pipe_method = ".pipe(" ascii wide
+
+    // Spawn with shell option (classic reverse shell pattern)
+    $spawn_shell = /spawn\s*\([^)]*shell\s*:\s*true/i ascii wide
+
+  condition:
+    // Classic reverse shell: socket + shell path + stdin/stdout piping
+    (any of ($net*) and any of ($shell*) and $pipe_stdin and $pipe_stdout) or
+    // Or: socket + shell path + pipe method
+    (any of ($net*) and any of ($shell*) and $pipe_method) or
+    // Or: spawn with shell option + socket
+    ($spawn_shell and any of ($net*))
+}
+
+rule STEALER_JS_Keylogger_Jan25 {
+  meta:
+    description = "Detects keylogger pattern that captures keyboard or clipboard input and exfiltrates data"
+    severity    = "high"
+    score       = 85
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+
+  strings:
+    // High-confidence capture patterns (actual keylogging, not text document events)
+    $capture_key1 = "keydown" ascii wide
+    $capture_key2 = "keypress" ascii wide
+    $capture_key3 = "keyup" ascii wide
+    $capture_clip = "clipboard.readText" ascii wide
+
+    // Low-confidence capture (VS Code API - needs additional indicators)
+    $capture_vsc = "onDidChangeTextDocument" ascii wide
+
+    // Storage with suspicious naming
+    $store_suspicious1 = "keylog" ascii wide nocase
+    $store_suspicious2 = "keystroke" ascii wide nocase
+    $store_suspicious3 = "inputBuffer" ascii wide
+    $store_suspicious4 = "capturedKeys" ascii wide
+
+    // Generic storage (needs other indicators)
+    $store_generic1 = "globalState" ascii wide
+    $store_generic2 = "appendFile" ascii wide
+
+    // High-confidence exfil (known bad destinations)
+    $exfil_discord  = "discord.com/api/webhooks" ascii wide
+    $exfil_telegram = "api.telegram.org" ascii wide
+
+    // Generic exfil (needs other indicators)
+    $exfil_generic1 = "axios.post" ascii wide
+    $exfil_generic2 = ".post(" ascii wide
+
+  condition:
+    // High confidence: keyboard events + storage + exfil
+    (any of ($capture_key*) and any of ($store_suspicious*, $store_generic*) and any of ($exfil_discord, $exfil_telegram, $exfil_generic*)) or
+    // High confidence: clipboard read + known bad destination
+    ($capture_clip and any of ($exfil_discord, $exfil_telegram)) or
+    // Medium confidence: VS Code API + suspicious storage names + exfil
+    ($capture_vsc and any of ($store_suspicious*) and any of ($exfil_discord, $exfil_telegram, $exfil_generic*))
+}
+
+rule RAT_JS_Persistence_Startup_Jan25 {
+  meta:
+    description = "Detects persistence mechanism that modifies startup files, registry keys, or scheduled tasks"
+    severity    = "high"
+    score       = 80
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+
+  strings:
+    // Unix startup file paths (require path context, not just filename)
+    $unix_path1 = /\$HOME\/\.bashrc/ ascii wide
+    $unix_path2 = /\$HOME\/\.zshrc/ ascii wide
+    $unix_path3 = /\$HOME\/\.profile/ ascii wide
+    $unix_path4 = /\$HOME\/\.bash_profile/ ascii wide
+    $unix_path5 = "process.env.HOME" ascii wide
+    $unix_path6 = "os.homedir()" ascii wide
+
+    // macOS Launch services (specific paths)
+    $mac1 = "/Library/LaunchAgents" ascii wide
+    $mac2 = "/Library/LaunchDaemons" ascii wide
+    $mac3 = "~/Library/LaunchAgents" ascii wide
+
+    // Crontab manipulation (require command)
+    $cron1 = "crontab -" ascii wide
+    $cron2 = /crontab\s+(--|-e|-l|-r)/ ascii wide
+
+    // Windows registry persistence (require full path)
+    $win_reg1 = "CurrentVersion\\Run" ascii wide
+    $win_reg2 = "CurrentVersion\\RunOnce" ascii wide
+    $win_reg3 = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide nocase
+    $win_reg4 = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide nocase
+
+    // Windows scheduled tasks (require schtasks command)
+    $win_sched1 = /schtasks\s+\/create/i ascii wide
+    $win_sched2 = /schtasks\s+\/change/i ascii wide
+
+    // Write operations with shell config context
+    $write_shell = /write(File|FileSync)\s*\([^)]*\.(bashrc|zshrc|profile|bash_profile)/ ascii wide
+
+  condition:
+    // Unix: home path + shell config reference
+    ((any of ($unix_path*)) and any of ($unix_path1, $unix_path2, $unix_path3, $unix_path4)) or
+    // macOS Launch services
+    any of ($mac*) or
+    // Crontab commands
+    any of ($cron*) or
+    // Windows registry persistence paths
+    any of ($win_reg*) or
+    // Windows scheduled task creation
+    any of ($win_sched*) or
+    // Direct write to shell config
+    $write_shell
+}
+
+rule MAL_JS_Self_Propagation_Publish_Jan25 {
+  meta:
+    description = "Detects self-propagation worm pattern that accesses publish tokens and runs publish commands"
+    severity    = "critical"
+    score       = 95
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+    reference   = "https://www.koi.security/blog/glassworm-first-self-propagating-worm-using-invisible-code-hits-openvsx-marketplace"
+
+  strings:
+    // Credential access
+    $cred1 = ".npmrc" ascii wide
+    $cred2 = "NPM_TOKEN" ascii wide
+    $cred3 = "OPENVSX_TOKEN" ascii wide
+    $cred4 = "VSCE_PAT" ascii wide
+
+    // Publish commands
+    $pub1 = "npm publish" ascii wide
+    $pub2 = "vsce publish" ascii wide
+    $pub3 = "ovsx publish" ascii wide
+    $pub4 = "yarn publish" ascii wide
+
+  condition:
+    any of ($cred*) and any of ($pub*)
+}
+
+rule MAL_JS_Supply_Chain_Install_Jan25 {
+  meta:
+    description = "Detects supply chain attack that runs malicious commands during npm package lifecycle hooks"
+    severity    = "high"
+    score       = 85
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+
+  strings:
+    // Lifecycle script indicators (in package.json context)
+    $script1 = "preinstall" ascii wide
+    $script2 = "postinstall" ascii wide
+    $script3 = "prepublish" ascii wide
+
+    // System info gathering
+    $sys1 = "os.homedir" ascii wide
+    $sys2 = "os.userInfo" ascii wide
+    $sys3 = "os.hostname" ascii wide
+    $sys4 = "process.env.HOME" ascii wide
+    $sys5 = "process.env.USER" ascii wide
+
+    // Network beacon
+    $net1 = "fetch(" ascii wide
+    $net2 = "axios" ascii wide
+    $net3 = "https.request" ascii wide
+
+  condition:
+    any of ($script*) and any of ($sys*) and any of ($net*)
+}
+
+rule STEALER_JS_Crypto_Wallet_Jan25 {
+  meta:
+    description = "Detects cryptocurrency stealer that accesses wallet directories, keys, or seed phrases and exfiltrates"
+    severity    = "high"
+    score       = 85
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+
+  strings:
+    // Wallet directory paths (more specific than just wallet names)
+    $wallet_path1 = ".config/solana" ascii wide
+    $wallet_path2 = "AppData\\Roaming\\Ethereum" ascii wide
+    $wallet_path3 = "AppData\\Local\\Exodus" ascii wide
+    $wallet_path4 = "AppData\\Local\\Phantom" ascii wide
+    $wallet_path5 = "Library/Application Support/Exodus" ascii wide
+    $wallet_path6 = ".ethereum/keystore" ascii wide
+    $wallet_path7 = "wallet.dat" ascii wide
+
+    // Browser extension wallet paths
+    $ext_metamask = "nkbihfbeogaeaoehlefnkodbefgpgknn" ascii wide  // MetaMask extension ID
+    $ext_phantom  = "bfnaelmomeimhlpmgjnjophhpkkoljpa" ascii wide  // Phantom extension ID
+
+    // Seed phrase / key extraction patterns (specific to crypto)
+    $key_mnemonic   = "mnemonic" ascii wide nocase
+    $key_seedphrase = "seedPhrase" ascii wide
+    $key_privatekey = "privateKey" ascii wide
+    $key_secretkey  = "secretKey" ascii wide
+
+    // File read patterns targeting wallet files
+    $read_wallet   = /readFile[^)]*wallet/i ascii wide
+    $read_keystore = /readFile[^)]*keystore/i ascii wide
+
+    // High-confidence exfil (known bad destinations)
+    $exfil_discord  = "discord.com/api/webhooks" ascii wide
+    $exfil_telegram = "api.telegram.org" ascii wide
+
+  condition:
+    // Wallet paths + seed/key extraction
+    (any of ($wallet_path*, $ext_*) and any of ($key_*)) or
+    // Wallet file reads + known bad exfil
+    (any of ($read_wallet, $read_keystore) and any of ($exfil_discord, $exfil_telegram)) or
+    // Wallet paths + known bad exfil
+    (any of ($wallet_path*, $ext_*) and any of ($exfil_discord, $exfil_telegram))
+}
+
+rule MAL_JS_GlassWorm_Extension_Modification_Jan25 {
+  meta:
+    description = "Detects GlassWorm-style attack that modifies other VS Code extensions to inject malicious code"
+    severity    = "critical"
+    score       = 95
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+    reference   = "https://www.koi.security/blog/glassworm-first-self-propagating-worm-using-invisible-code-hits-openvsx-marketplace"
+
+  strings:
+    // Extension paths
+    $path1 = ".vscode/extensions" ascii wide
+    $path2 = ".vscode-server/extensions" ascii wide
+    $path3 = "extensions/" ascii wide
+
+    // File modification
+    $mod1 = "writeFileSync" ascii wide
+    $mod2 = "writeFile" ascii wide
+
+    // Extension files
+    $file1 = "extension.js" ascii wide
+    $file2 = "package.json" ascii wide
+    $file3 = ".vsix" ascii wide
+
+  condition:
+    any of ($path*) and any of ($mod*) and any of ($file*)
+}

package/zoo/signatures/yara/obfuscation_patterns.yar

@@ -0,0 +1,208 @@
+/*
+    JavaScript Obfuscation Pattern Detection
+    Detects common obfuscation techniques used to hide malicious code
+*/
+
+rule SUSP_JS_Obfuscator_Hex_Vars_Jan25 {
+  meta:
+    description = "Detects javascript-obfuscator tool signature with _0x prefixed hexadecimal variable names"
+    severity    = "high"
+    score       = 80
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+
+  strings:
+    // _0x followed by 4+ hex chars - signature of javascript-obfuscator
+    $hex_var = /_0x[a-fA-F0-9]{4,}/ ascii wide
+
+  condition:
+    #hex_var >= 5
+}
+
+rule SUSP_JS_FromCharCode_Chain_Jan25 {
+  meta:
+    description = "Detects String.fromCharCode with many arguments used to hide string content from static analysis"
+    severity    = "high"
+    score       = 75
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+
+  strings:
+    // fromCharCode with 5+ comma-separated numbers
+    $charcode = /String\.fromCharCode\s*\(\s*(\d+\s*,\s*){5,}/ ascii wide
+
+  condition:
+    $charcode
+}
+
+rule SUSP_JS_Hex_Escape_Chain_Jan25 {
+  meta:
+    description = "Detects 10+ consecutive hex escape sequences (\\xNN) indicating obfuscated string content"
+    severity    = "medium"
+    score       = 60
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+
+  strings:
+    // Consecutive hex escape pairs - provides 8-byte atoms for Aho-Corasick
+    // Each matches 2 consecutive \xNN patterns, requiring 5+ matches = 10+ escapes
+    $h1 = /\\x[0-9a-fA-F]{2}\\x[0-9a-fA-F]{2}/ ascii wide
+
+  condition:
+    #h1 >= 5
+}
+
+rule SUSP_JS_Decimal_Byte_Array_Jan25 {
+  meta:
+    description = "Detects large array of 20+ decimal byte values likely containing encoded payload data"
+    severity    = "medium"
+    score       = 55
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+
+  strings:
+    // Comma-separated number patterns (4-byte atoms)
+    // Matches ", NN," patterns - 20+ of these indicates byte array
+    $num = /,\s?\d{1,3},/ ascii wide
+
+    // Array opener with number
+    $arr_open = /\[\d{1,3},/ ascii wide
+
+  condition:
+    $arr_open and #num >= 19
+}
+
+rule SUSP_JS_Bracket_Notation_Chain_Jan25 {
+  meta:
+    description = "Detects long bracket notation property chains used to hide method calls from static analysis"
+    severity    = "medium"
+    score       = 65
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+
+  strings:
+    // 4+ consecutive bracket notation accesses
+    $bracket_chain = /\[\s*['"][a-zA-Z]+['"]\s*\](\s*\[\s*['"][a-zA-Z]+['"]\s*\]){3,}/ ascii wide
+
+  condition:
+    $bracket_chain
+}
+
+rule SUSP_JS_String_Array_Rotation_Jan25 {
+  meta:
+    description = "Detects javascript-obfuscator string table pattern with large array and hex variable names"
+    severity    = "medium"
+    score       = 55
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+
+  strings:
+    // Literal anchors for string array separators (4-byte atoms)
+    $sep1 = "','" ascii wide
+    $sep2 = "\",\"" ascii wide
+    $sep3 = "', '" ascii wide
+    $sep4 = "\", \"" ascii wide
+
+    // Array assignment patterns
+    $arr1 = "=['" ascii wide
+    $arr2 = "=[\"" ascii wide
+    $arr3 = "= ['" ascii wide
+    $arr4 = "= [\"" ascii wide
+
+    // javascript-obfuscator hex variable (bounded to reduce backtracking)
+    $obf_hex_var = /_0x[a-fA-F0-9]{4,8}/ ascii wide
+
+  condition:
+    // Require separators + array assignment + multiple hex vars
+    (2 of ($sep*)) and (1 of ($arr*)) and #obf_hex_var >= 3
+}
+
+rule SUSP_JS_Obfuscation_Eval_Jan25 {
+  meta:
+    description = "Detects obfuscation patterns like hex vars or fromCharCode combined with eval execution"
+    severity    = "critical"
+    score       = 95
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+
+  strings:
+    // Obfuscation indicators
+    $obf1 = /_0x[a-fA-F0-9]{4,}/ ascii wide
+    $obf2 = /\\x[a-fA-F0-9]{2}/ ascii wide
+    $obf3 = "String.fromCharCode" ascii wide
+
+    // Eval patterns
+    $eval1 = "eval(" ascii wide
+    $eval2 = "new Function(" ascii wide
+
+  condition:
+    any of ($obf*) and any of ($eval*)
+}
+
+rule SUSP_JS_Packer_Dean_Edwards_Jan25 {
+  meta:
+    description = "Detects Dean Edwards style JavaScript packer using eval(function(p,a,c,k,e pattern"
+    severity    = "high"
+    score       = 85
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+
+  strings:
+    // Common packer patterns
+    $packer1 = "eval(function(p,a,c,k,e," ascii wide
+    $packer2 = /}\s*\(\s*['"][^'"]{100,}['"]/ ascii wide
+    $packer3 = ".split('|')" ascii wide
+
+  condition:
+    $packer1 or ($packer2 and $packer3)
+}
+
+rule SUSP_JS_JJEncode_Jan25 {
+  meta:
+    description = "Detects JJEncode JavaScript obfuscation using $=~[] and $$$ patterns to hide code"
+    severity    = "high"
+    score       = 90
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+
+  strings:
+    $jj1 = "$=~[]" ascii wide
+    $jj2 = "_=~[]" ascii wide
+    $jj3 = "$$$$" ascii wide
+
+  condition:
+    // Require 2+ patterns to avoid FPs on bundled code with isolated patterns
+    2 of them
+}
+
+rule SUSP_JS_AAEncode_Jan25 {
+  meta:
+    description = "Detects AAEncode JavaScript obfuscation using emoticon-based encoding patterns"
+    severity    = "high"
+    score       = 85
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+
+  strings:
+    $aa1 = /\(\s*!\s*\[\s*\]\s*\+\s*""\s*\)/ ascii wide
+    $aa2 = /\[\s*\+\s*!\s*\+\s*\[\s*\]\s*\]/ ascii wide
+
+  condition:
+    #aa1 > 3 or #aa2 > 3
+}
+
+rule SUSP_JS_JSFuck_Jan25 {
+  meta:
+    description = "Detects JSFuck obfuscation encoding JavaScript using only []()!+ characters"
+    severity    = "critical"
+    score       = 95
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+
+  strings:
+    // Long sequences of only these characters
+    $jsfuck = /[\[\]\(\)!\+]{50,}/ ascii wide
+
+  condition:
+    $jsfuck
+}

package/zoo/signatures/yara/powershell_attacks.yar

@@ -0,0 +1,116 @@
+/*
+    PowerShell Attack Detection
+    Detects malicious PowerShell patterns commonly used in VS Code extension malware
+*/
+
+rule SUSP_PS_Hidden_Window_Jan25 {
+  meta:
+    description = "Detects PowerShell execution with hidden window flag to avoid user detection"
+    severity    = "critical"
+    score       = 90
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+
+  strings:
+    $hidden1 = "-WindowStyle Hidden" ascii wide nocase
+    $hidden2 = "-w hidden" ascii wide nocase
+    $hidden3 = "-windowstyle h" ascii wide nocase
+
+    $ps1 = "powershell" ascii wide nocase
+    $ps2 = "pwsh" ascii wide nocase
+
+  condition:
+    any of ($ps*) and any of ($hidden*)
+}
+
+rule LOADER_PS_Download_Execute_Jan25 {
+  meta:
+    description = "Detects PowerShell download and execute cradle using IEX with Invoke-WebRequest or WebClient"
+    severity    = "critical"
+    score       = 95
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+
+  strings:
+    // Require PowerShell context
+    $ps1 = "powershell" ascii wide nocase
+    $ps2 = "pwsh" ascii wide nocase
+
+    // Direct piped IEX patterns (most malicious pattern)
+    // These match actual PowerShell IEX cradles, not random JS with curl/iex strings
+    $iex_pipe1 = /\|\s*(iex|Invoke-Expression)/i ascii wide
+    $iex_pipe2 = /(irm|iwr|Invoke-RestMethod|Invoke-WebRequest)[^;]{0,80}\|\s*(iex|Invoke-Expression)/i ascii wide
+
+    // .NET WebClient download+execute (classic PowerShell dropper)
+    $webclient1 = "Net.WebClient" ascii wide nocase
+    $webclient2 = "DownloadString" ascii wide nocase
+    $webclient3 = "DownloadFile" ascii wide nocase
+
+    // Full form Invoke-Expression
+    $iex_full = "Invoke-Expression" ascii wide nocase
+
+  condition:
+    // Either: PowerShell context with IEX pipe patterns
+    (any of ($ps*) and any of ($iex_pipe*)) or
+    // Or: .NET WebClient patterns with Invoke-Expression (no PS context needed)
+    (any of ($webclient*) and $iex_full)
+}
+
+rule SUSP_PS_Encoded_Command_Jan25 {
+  meta:
+    description = "Detects PowerShell with base64 encoded command flag used to hide malicious payload"
+    severity    = "high"
+    score       = 85
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+
+  strings:
+    $enc1 = "-enc " ascii wide nocase
+    $enc2 = "-EncodedCommand" ascii wide nocase
+    $enc3 = "-ec " ascii wide nocase
+
+    $ps1 = "powershell" ascii wide nocase
+    $ps2 = "pwsh" ascii wide nocase
+
+  condition:
+    any of ($ps*) and any of ($enc*)
+}
+
+rule SUSP_PS_Bypass_Policy_Jan25 {
+  meta:
+    description = "Detects PowerShell execution policy bypass used to run unsigned or restricted scripts"
+    severity    = "high"
+    score       = 80
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+
+  strings:
+    $bypass1 = "-ExecutionPolicy Bypass" ascii wide nocase
+    $bypass2 = "-ep bypass" ascii wide nocase
+    $bypass3 = "-exec bypass" ascii wide nocase
+    $bypass4 = "Set-ExecutionPolicy" ascii wide nocase
+
+    $ps1 = "powershell" ascii wide nocase
+    $ps2 = "pwsh" ascii wide nocase
+
+  condition:
+    any of ($ps*) and any of ($bypass*)
+}
+
+rule SUSP_PS_AMSI_Bypass_Jan25 {
+  meta:
+    description = "Detects attempt to bypass Windows AMSI (Anti-Malware Scan Interface) for evasion"
+    severity    = "critical"
+    score       = 95
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+
+  strings:
+    $amsi1 = "AmsiUtils" ascii wide nocase
+    $amsi2 = "amsiInitFailed" ascii wide nocase
+    $amsi3 = "AmsiScanBuffer" ascii wide nocase
+    $amsi4 = "[Ref].Assembly.GetType" ascii wide
+
+  condition:
+    any of them
+}