Versions (3)
Version Details: Current
Rev: 1 • Nov 29, 2022, 12:00 PM
ET HUNTING Microsoft Powershell Banner Output - Decimal Encoded
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Microsoft Powershell Banner Output - Decimal Encoded"; flow:established,to_server; content:"87 105 110 100 111 119 115 32 80 111 119 101 114 83 104 101 108 108"; fast_pattern; content:"67 111 112 121 114 105 103 104 116 32 40 67 41 32 77 105 99 114 111 115 111 102 116 32 67 111 114 112 111 114 97 116 105 111 110 46 32 65 108 108 32 114 105 103 104 116 115 32 114 101 115 101 114 118 101 100 46"; distance:0; classtype:trojan-activity; sid:2040359; rev:1; metadata:attack_target Client_and_Server, created_at 2022_11_29, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_11_29;)
Nov 29, 2022, 12:00 PM
Nov 29, 2022, 12:00 PM
Nov 29, 2022, 11:00 PM
Aug 27, 2025, 9:35 PM
rules/emerging-hunting.rules