alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Obfuscated PowerShell Payload Inbound"; flow:established,to_client; http.response_body; content:"|20 3d 20 5b|char|5d 28|"; pcre:"/\x28(?:\d{1,5})\x20\x2dbxor\x20(?:\d{1,5})\x29/"; content:"|29 2a 28|"; content:"|29 2f 28|"; content:"|5b|char|5d 28 5b|uint16|5d 28|"; fast_pattern; content:"|5b|int|5d|"; content:"|5b|Byte|5b 5d 5d|"; reference:url,community.emergingthreats.net/t/powershell-malware-from-147-45-178-149/3139; reference:md5,30f804ba5e2bd520b2a80dcdded7031d; classtype:trojan-activity; sid:2066382; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, tls_state plaintext, created_at 2025_12_18, deployment Perimeter, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_12_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1105, mitre_technique_name Ingress_Tool_Transfer; target:dest_ip;)