/*
   Base64_PS1_Shellcode

   Flags content that carries the Base64 text of a short x86 prologue.
   Decoding the two full patterns gives:

      /OiCAAAAYInlM  ->  FC E8 82 00 00 00 60 89 E5 ..
      /OiJAAAAYInlM  ->  FC E8 89 00 00 00 60 89 E5 ..

   i.e. cld; call rel32 (+0x82 or +0x89); pushad; mov ebp, esp. The trailing
   "M" only pins the top six bits of the tenth byte (0x30-0x33). This prologue
   is commonly associated with framework-generated stagers embedded in
   PowerShell loaders; the rule itself does not check for PowerShell syntax.

   Triage notes for analysts:
   - Base64 alignment: the text only appears in this form when the first
     shellcode byte sits at an offset divisible by 3 inside the encoded
     buffer (in practice, at the start of the blob). Other alignments, or a
     second layer of encoding or compression, are not covered here.
   - No "wide" modifier: only single-byte (ASCII) text is matched, so the
     same script stored as UTF-16 will not hit.
   - No filesize or file-type bound: any scanned content containing these
     strings matches, including detection content and write-ups that quote
     them. Treat a hit as a lead to confirm, not as a verdict.
*/
rule Base64_PS1_Shellcode {
   meta:
      description = "Detects Base64 encoded PS1 Shellcode"
      author = "Nick Carr, David Ledbetter"
      reference = "https://twitter.com/ItsReallyNick/status/1062601684566843392"
      date = "2018-11-14"
      score = 65
   strings:
      // Shared tail of both variants (00 00 00 60 89 E5 + partial byte).
      // It is contained in $pattern1 and $pattern2, so requiring it in the
      // condition does not narrow the match set.
      $substring = "AAAAYInlM"
      // Variant with call displacement 0x82.
      $pattern1 = "/OiCAAAAYInlM"
      // Variant with call displacement 0x89.
      $pattern2 = "/OiJAAAAYInlM"
   condition:
      // Shared tail present and at least one of the two full prologues.
      $substring and ($pattern1 or $pattern2)
}