signature-base/yara/gen_ps1_shellcode.yar

// Detects the Base64 encoding of a short x86 shellcode prologue as it appears in
// PowerShell (.ps1) content. The string literals below are Base64 text, not raw bytes:
//   "/OiCAAAAYInlM" decodes to FC E8 82 00 00 00 60 89 E5 (plus the high bits of the next byte)
//   "/OiJAAAAYInlM" decodes to FC E8 89 00 00 00 60 89 E5 (plus the high bits of the next byte)
// i.e. cld; call rel32 (+0x82 / +0x89); pushad; mov ebp, esp - two call displacements of
// what is presumably a Metasploit-style stager prologue. The shared tail "AAAAYInlM"
// is the encoding of the "00 00 00 60 89 E5" part.
rule Base64_PS1_Shellcode {
meta:
description = "Detects Base64 encoded PS1 Shellcode"
author = "Nick Carr"
reference = "https://twitter.com/ItsReallyNick/status/1062601684566843392"
date = "2018-11-14"
score = 65
strings:
// Tail common to both variants. It is fully contained in $pattern1 and $pattern2,
// so requiring it in the condition is redundant but harmless.
$substring = "AAAAYInlM"
// NOTE(review): these are plain (ASCII-only) strings; a .ps1 stored as UTF-16LE would
// not match without the `wide` modifier - confirm the intended scope.
// NOTE(review): Base64 text depends on the byte offset (mod 3) at which the shellcode
// starts inside the encoded buffer; these literals cover one alignment only.
$pattern1 = "/OiCAAAAYInlM"
$pattern2 = "/OiJAAAAYInlM"
condition:
// `$p*` expands to $pattern1 and $pattern2 (not $substring).
$substring and 1 of ($p*)
}