Skip to content

Instantly share code, notes, and snippets.

@atcuno

atcuno/GenericPowershell

Forked from iMHLv2/GenericPowershell
Created May 1, 2023 19:24
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save atcuno/133e4f193587b13d8dd571bf934eb13a to your computer and use it in GitHub Desktop.
Save atcuno/133e4f193587b13d8dd571bf934eb13a to your computer and use it in GitHub Desktop.
Download ZIP
Raw
GenericPowershell
rule GenericPowershell
{
strings:
$a = "PS>function"
$b = "Invoke-Expression"
$c = "<MS><S N="
$d = "</MS></Obj>"
$e = "CompileAssemblyFromSource"
$f = "Remoting.RemoteHostMethodId"
$g = "<resp:Arguments"
$h = "rsp:Command"
$i = "-EncodedCommand"
condition:
any of them
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment