alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Generic Powershell Loader Using Encryption Routine Inbound"; flow:established,to_client; http.response_body; content:"|3d 20 5b|Convert|5d 3a 3a|FromBase64String"; distance:0; content:"|3d 20 5b|System|2e|Security|2e|Cryptography|2e|Aes|5d 3a 3a|Create|28 29|"; distance:0; content:"|2e|Key|20 3d 20 24|"; distance:0; content:"|2e|Padding|20 3d 20 5b|System|2e|Security|2e|Cryptography|2e|PaddingMode|5d 3a 3a|PKCS7"; fast_pattern; distance:0; content:"|2e|ReadToEnd|28 29 0d 0a 20 20 20 20 24|"; pcre:"/^[a-zA-Z0-9]{8}\x2e/R"; reference:md5,c5eec0d458b30928aa415f9058e5311c; classtype:trojan-activity; sid:2058381; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2024_12_17, deployment Perimeter, deployment SSLDecrypt, confidence Medium, signature_severity Major, updated_at 2024_12_17, mitre_tactic_id TA0005, mitre_tactic_name Defense_Evasion, mitre_technique_id T1027, mitre_technique_name Obfuscated_Files_or_Information;)