Rule History

SID: 2034183 • Source: et/open

Versions (6)

Version DetailsCurrent

Rev: 1 • Oct 13, 2021, 12:00 PM

Message:

ET ATTACK_RESPONSE Obfuscated Batch Script Inbound M1

Rule:

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Obfuscated Batch Script Inbound M1"; flow:established,from_server; content:"|2c 31 25 25 27 3a 7e|"; content:"|2c 31 25 25 27 3a 7e|"; distance:0; pcre:"/[-\d]{1,4}(?:\x2c\x31\x25\x25\x27\x3a\x7e[-\d]{1,4}){10}/R"; reference:md5,abd0a49fda67547639eeaced7955a01a; classtype:misc-attack; sid:2034183; rev:1; metadata:created_at 2021_10_13, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_10_13, mitre_tactic_id TA0005, mitre_tactic_name Defense_Evasion, mitre_technique_id T1027, mitre_technique_name Obfuscated_Files_or_Information;)

Created:

Oct 13, 2021, 12:00 PM

Updated:

Oct 13, 2021, 12:00 PM

DB Created:

Sep 21, 2024, 3:00 AM

DB Updated:

Sep 8, 2025, 9:34 PM

Filename:

rules/emerging-attack_response.rules