rule M_Hunting_Windows_Powershell_HTTPHeaderParsing_1 {
	meta:
		author = "Mandiant"
		description = "Finds powershell 1-liners typically used in webshells to decode an HTTP header variable and use it as a command"
	strings:
		$httpParser1 = /getstring\(convert\.frombase64string\(([\w\d_]+)?\(request\.headers\.get\(['"][\w\d_]+['"]/ ascii wide nocase
	condition:
		filesize < 2MB and all of them
}