Merge pull request #285 from CybercentreCanada/identify_ps1

Adding better PowerShell identification
CybercentreCanada · Jul 12, 2021 · 22f8a75 · 22f8a75
2 parents 9922af6 + 4290f6b
commit 22f8a75
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 1 deletion.
diff --git a/assemblyline/common/identify.py b/assemblyline/common/identify.py
@@ -123,7 +123,7 @@
         # Match one of the common Classes
         re.compile(rb'(-memberDefinition|-Name|-namespace|-passthru)'),
         # Match one of the common Methods
-        re.compile(rb'\.Get(String|Field|Type|Method)\(')
+        re.compile(rb'(\.Get(String|Field|Type|Method)|FromBase64String)\(')
     ]
 }
 STRONG_SCORE = 15

diff --git a/test/test_identify.py b/test/test_identify.py
@@ -313,6 +313,7 @@ def test_constants():
         (b".GetField(", ["code/ps1"]),
         (b".GetType(", ["code/ps1"]),
         (b".GetMethod(", ["code/ps1"]),
+        (b"FromBase64String(", ["code/ps1"]),
     ]
 )
 def test_strong_indicators(code_snippet, code_types):