Rule History

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Base64 Encoded Content Command Common In Powershell Stagers M1"; flow:established,to_client; file.data; content:!"|22|manifestVersion|22|"; content:!"<html"; content:"powershell"; fast_pattern; nocase; content:"|20|-e"; nocase; distance:0; pcre:"/^(?:nc)?\s*(?:[A-Z0-9+\/]{4})*(?:[A-Z0-9+\/]{2}==|[A-Z0-9+\/]{3}=)/Ri"; classtype:bad-unknown; sid:2026992; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_02_28, deployment alert_only, performance_impact Low, confidence High, signature_severity Minor, tag PowerShell, updated_at 2024_12_12, reviewed_at 2023_10_11;)