Versions (3)
Version DetailsCurrent
Rev: 1 • Nov 16, 2023, 12:00 PMET HUNTING Suspected Malicious Powershell Script (Inbound)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspected Malicious Powershell Script (Inbound)"; flow:established,to_client; file.data; content:"set-strictmode -"; nocase; fast_pattern; content:"GetAssemblies"; distance:0; nocase; content:"|5b 5d 5d 24|"; distance:0; content:"GetDelegateForFunctionPointer"; distance:0; nocase; classtype:bad-unknown; sid:2049234; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_11_16, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_11_16; target:dest_ip;)
Nov 16, 2023, 12:00 PM
Nov 16, 2023, 12:00 PM
Nov 16, 2023, 11:00 PM
Aug 18, 2025, 8:35 PM
rules/emerging-hunting.rules