itsreallynick/installutilpayload.yar

## installutilpayload.yar
rule Hunting_InstallUtil_ProbablePayload
{
    meta:
        author = "Nick Carr - @itsreallynick"
        description = "2019-05-22 - Focusing on the underlying structure that largely cannot change outside of obfuscation"
    strings:
        $installutil = "System.Configuration.Install" nocase ascii wide
        $override_func1 = "public override string HelpText" nocase ascii wide
        $override_func2 = "public override void Uninstall" nocase ascii wide
        $override_func3 = "public override void Install" nocase ascii wide
    condition:
        $installutil and any of ($override*) and new_file
}
	rule Hunting_InstallUtil_ProbablePayload
	{
	meta:
	author = "Nick Carr - @itsreallynick"
	description = "2019-05-22 - Focusing on the underlying structure that largely cannot change outside of obfuscation"
	strings:
	$installutil = "System.Configuration.Install" nocase ascii wide
	$override_func1 = "public override string HelpText" nocase ascii wide
	$override_func2 = "public override void Uninstall" nocase ascii wide
	$override_func3 = "public override void Install" nocase ascii wide
	condition:
	$installutil and any of ($override*) and new_file
	}