signature-base/yara/gen_ps1_shellcode.yar

rule Base64_PS1_Shellcode {
   meta:
      description = "Detects Base64 encoded PS1 Shellcode"
      author = "Nick Carr, David Ledbetter"
      reference = "https://twitter.com/ItsReallyNick/status/1062601684566843392"
      date = "2018-11-14"
      score = 65
   strings:
      $substring = "AAAAYInlM"
      $pattern1 = "/OiCAAAAYInlM"
      $pattern2 = "/OiJAAAAYInlM"
   condition:
      $substring and 1 of ($p*)
}
Nick's rule for Base64 encoded PS1 shellcode 2018-11-15 14:12:30 +00:00			`rule Base64_PS1_Shellcode {`
			`meta:`
			`description = "Detects Base64 encoded PS1 Shellcode"`
Added David to the authors 2018-11-15 16:25:58 +00:00			`author = "Nick Carr, David Ledbetter"`
Nick's rule for Base64 encoded PS1 shellcode 2018-11-15 14:12:30 +00:00			`reference = "https://twitter.com/ItsReallyNick/status/1062601684566843392"`
			`date = "2018-11-14"`
			`score = 65`
			`strings:`
			`$substring = "AAAAYInlM"`
			`$pattern1 = "/OiCAAAAYInlM"`
			`$pattern2 = "/OiJAAAAYInlM"`
			`condition:`
			`$substring and 1 of ($p*)`
			`}`