Merge pull request #332 from CybercentreCanada/ps1_id

Adding strong indicator for ps1
CybercentreCanada · Aug 18, 2021 · 5091a61 · 5091a61
2 parents 07cb93c + e087da2
commit 5091a61
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/assemblyline/common/identify.py b/assemblyline/common/identify.py
@@ -124,7 +124,9 @@
         # Match one of the common Classes (case-insensitive)
         re.compile(rb'(?i)(-memberDefinition|-Name|-namespace|-passthru|-command|-TypeName)'),
         # Match one of the common Methods (case-insensitive)
-        re.compile(rb'(?i)(\.Get(String|Field|Type|Method)|FromBase64String)\(')
+        re.compile(rb'(?i)(\.Get(String|Field|Type|Method)|FromBase64String)\('),
+        # A .NET class that is commonly used in PowerShell
+        re.compile(rb'(?i)(System\.Net\.WebClient)'),
     ]
 }
 STRONG_SCORE = 15