Versions (6)
Version DetailsCurrent
Rev: 1 • Nov 18, 2021, 12:00 PMET ATTACK_RESPONSE Obfuscated VBS Inbound - Underscore Var/Chr/math
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Obfuscated VBS Inbound - Underscore Var/Chr/math"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"Set|20|"; nocase; fast_pattern; content:"_"; distance:1; within:1; content:"_"; distance:1; within:1; content:"_"; distance:1; within:1; content:"_"; distance:1; within:1; content:"Chr|28|"; nocase; pcre:"/^\d+(\+|\-|\\|\*)\d+/R"; classtype:bad-unknown; sid:2034499; rev:1; metadata:created_at 2021_11_18, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_11_18, mitre_tactic_id TA0005, mitre_tactic_name Defense_Evasion, mitre_technique_id T1027, mitre_technique_name Obfuscated_Files_or_Information;)
Nov 18, 2021, 12:00 PM
Nov 18, 2021, 12:00 PM
Sep 21, 2024, 3:00 AM
Sep 8, 2025, 9:34 PM
rules/emerging-attack_response.rules