RED PILL 🔴 💊
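rule Base64_PS1_Shellcode {
    // Matches the Base64 encoding of a 10-byte x86 shellcode prologue as it
    // typically appears inside a PowerShell loader. Decoding the rule strings
    // gives the bytes FC E8 8? 00 00 00 60 89 E5 3?:
    //   cld ; call +0x82 (or +0x89) ; pushad ; mov ebp, esp ; then a byte in
    //   0x30-0x33 (presumably 31 xx, xor). This is consistent with the common
    //   Metasploit-style x86 stager prologue -- confirm against the reference.
    // Plain-ASCII Base64 only; add `wide` if UTF-16LE script bodies are in scope.
    meta:
        description = "Detects Base64 encoded PS1 Shellcode"
        author = "Nick Carr, David Ledbetter"
        reference = "https://twitter.com/ItsReallyNick/status/1062601684566843392"
        date = "2018-11-14"
        score = 65
        id = "7c3cec3b-a192-5bfd-b4f1-22b1afeb717e"

    strings:
        // Base64 is alignment-sensitive: the same bytes encode to one of three
        // different strings depending on how many bytes precede them (mod 3).
        // The original rule only covered alignment 0 (the leading "/" fixes the
        // shellcode to a 3-byte group boundary), so an encoder that prepends
        // one or two bytes would evade it. One string per alignment and per
        // call displacement (0x82 / 0x89); the leading/trailing characters that
        // depend on the unknown neighbouring bytes are left out.

        // Alignment 0: shellcode starts on a 3-byte group boundary
        $pattern1 = "/OiCAAAAYInlM"
        $pattern2 = "/OiJAAAAYInlM"

        // Alignment 1: one byte precedes the shellcode in its Base64 group
        $pattern3 = "zoggAAAGCJ5T"
        $pattern4 = "zoiQAAAGCJ5T"

        // Alignment 2: two bytes precede the shellcode in its Base64 group
        $pattern5 = "86IIAAABgieUx"
        $pattern6 = "86IkAAABgieUx"

    condition:
        // Any single alignment is sufficient. The former "$substring" string
        // ("AAAAYInlM") was a strict sub-string of $pattern1/$pattern2 and so
        // added no constraint (`$substring and 1 of ($p*)` == `1 of ($p*)`);
        // it is dropped because, being alignment-0 specific, it would wrongly
        // veto the alignment-1/2 patterns added above.
        1 of ($p*)
}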