alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Amadey PowerShell Loader Inbound"; flow:established,to_client; http.response_body; content:"|22|add|2d|mppreference|20 2d|exclusionpath|20 27|c|3a 5c|windows|5c|temp|27 3b 20|add|2d|mppreference|20 2d|exclusionpath|20 60 24|env|3a|windir|3b 20|add|2d|mppreference|20 2d|exclusionpath|20 60 24|env|3a|temp|3b 20|add|2d|mppreference|20 2d|exclusionpath|20 60 24|env|3a|userprofile|3b 20|add|2d|mppreference|20 2d|exclusionpath|20 60 24|env|3a|appdata|3b 20|add|2d|mppreference|20 2d|exclusionpath|20 60 24|env|3a|localappdata|3b 20|add|2d|mppreference|20 2d|exclusionipaddress|20|"; nocase; fast_pattern; content:"start|2d|sleep|20 2d|milliseconds"; nocase; distance:0; content:"|28 5b|system|2e|text|2e|encoding|5d 3a 3a|utf8|2e|getbytes"; nocase; distance:0; reference:md5,0daa773def513abb48603c947d29636b; classtype:trojan-activity; sid:2065563; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2025_10_29, deployment Perimeter, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_10_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1105, mitre_technique_name Ingress_Tool_Transfer; target:dest_ip;)