Rule History

SID: 2066382 • Source: et/open

Versions (2)

Version DetailsCurrent

Rev: 1 • Dec 18, 2025, 12:00 PM

Message:

ET ATTACK_RESPONSE Obfuscated PowerShell Payload Inbound

Rule:

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Obfuscated PowerShell Payload Inbound"; flow:established,to_client; http.response_body; content:"|20 3d 20 5b|char|5d 28|"; pcre:"/\x28(?:\d{1,5})\x20\x2dbxor\x20(?:\d{1,5})\x29/"; content:"|29 2a 28|"; content:"|29 2f 28|"; content:"|5b|char|5d 28 5b|uint16|5d 28|"; fast_pattern; content:"|5b|int|5d|"; content:"|5b|Byte|5b 5d 5d|"; reference:url,community.emergingthreats.net/t/powershell-malware-from-147-45-178-149/3139; reference:md5,30f804ba5e2bd520b2a80dcdded7031d; classtype:trojan-activity; sid:2066382; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, tls_state plaintext, created_at 2025_12_18, deployment Perimeter, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_12_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1105, mitre_technique_name Ingress_Tool_Transfer; target:dest_ip;)

Created:

Dec 18, 2025, 12:00 PM

Updated:

Dec 18, 2025, 12:00 PM

DB Created:

Dec 18, 2025, 10:34 PM

DB Updated:

Dec 19, 2025, 10:34 PM

Filename:

rules/emerging-attack_response.rules