Merge pull request #351 from CybercentreCanada/id_ps1_2

Improving detection for PowerShell
CybercentreCanada · Sep 7, 2021 · 94d4f3c · 94d4f3c
2 parents de1de13 + 4b16fa2
commit 94d4f3c
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 3 deletions.
diff --git a/assemblyline/common/identify.py b/assemblyline/common/identify.py
@@ -122,9 +122,10 @@
         re.compile(rb'(?i)(Get-ExecutionPolicy|Get-Service|Where-Object|ConvertTo-HTML|Select-Object|Get-Process|'
                    rb'Clear-History|ForEach-Object|Clear-Content|Compare-Object|New-ItemProperty|New-Object|'
                    rb'New-WebServiceProxy|Set-Alias|Wait-Job|Get-Counter|Test-Path|Get-WinEvent|Start-Sleep|'
-                   rb'Set-Location|Get-ChildItem|Rename-Item|Stop-Process|Add-Type|Out-String|Write-Error)'),
+                   rb'Set-Location|Get-ChildItem|Rename-Item|Stop-Process|Add-Type|Out-String|Write-Error|'
+                   rb'Invoke-Expression)'),
         # Match one of the common Classes (case-insensitive)
-        re.compile(rb'(?i)(-memberDefinition|-Name|-namespace|-passthru|-command|-TypeName)'),
+        re.compile(rb'(?i)(-memberDefinition|-Name|-namespace|-passthru|-command|-TypeName|-join|-split)'),
         # Match one of the common Methods (case-insensitive)
         re.compile(rb'(?i)(\.Get(String|Field|Type|Method)|FromBase64String)\('),
         # A .NET class that is commonly used in PowerShell

diff --git a/test/test_identify.py b/test/test_identify.py
@@ -285,7 +285,7 @@ def test_constants():
         (b"<blah xmlns:blah>", ["code/xml"]),
         (b"<blahxmlns:blah>", ["code/xml"]),
         (b"<blah xmlns=blah>", ["code/xml"]),
-        # Powershell
+        # PowerShell
         (b"Get-ExecutionPolicy", ["code/ps1"]),
         (b"\nGet-ExecutionPolicy", ["code/ps1"]),
         (b"Get-Service", ["code/ps1"]),
@@ -311,10 +311,15 @@ def test_constants():
         (b"Rename-Item", ["code/ps1"]),
         (b"Stop-Process", ["code/ps1"]),
         (b"Add-Type", ["code/ps1"]),
+        (b"Out-String", ["code/ps1"]),
+        (b"Write-Error", ["code/ps1"]),
+        (b"Invoke-Expression", ["code/ps1"]),
         (b"-memberDefinition", ["code/ps1"]),
         (b"-Name", ["code/ps1"]),
         (b"-namespace", ["code/ps1"]),
         (b"-passthru", ["code/ps1"]),
+        (b"-join", ["code/ps1"]),
+        (b"-split", ["code/ps1"]),
         (b".GetString(", ["code/ps1"]),
         (b".GetField(", ["code/ps1"]),
         (b".GetType(", ["code/ps1"]),