valitydev/signature-base
14
0
Fork 0
mirror of https://github.com/valitydev/signature-base.git synced 2024-11-06 10:05:18 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Reduced false positives with PowerShell casing anomaly rule

Browse Source
This commit is contained in:
Florian Roth 2017-11-30 15:13:36 +01:00
parent 2f9ac3fe8f
commit f34bf9d9c8
1 changed files with 1 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
yara/gen_case_anomalies.yar
View File

@ -25,6 +25,7 @@ rule PowerShell_Case_Anomaly {
$sn2 = "Powershell" fullword ascii wide $sn2 = "Powershell" fullword ascii wide
$sn3 = "PowerShell" fullword ascii wide $sn3 = "PowerShell" fullword ascii wide
$sn4 = "POWERSHELL" fullword ascii wide $sn4 = "POWERSHELL" fullword ascii wide
$sn5 = "powerShell" fullword ascii wide
// PowerShell with \x19\x00\x00 // PowerShell with \x19\x00\x00
$a1 = "wershell -e " nocase wide ascii $a1 = "wershell -e " nocase wide ascii