""ET CURRENT_EVENTS Inbound PowerShell Saving Base64 Decoded Payload to Temp M1 2018-11-29""

SID: 2026675

Revision: 2

Class Type: trojan-activity

Metadata: affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_29, deployment Perimeter, performance_impact Low, signature_severity Major, tag PowerShell, tag Obfuscated, updated_at 2018_11_29

Reference:

• Link

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: $HTTP_PORTS

Destination Network: $HOME_NET

Destination Port: any

Flow: established,from_server

Contents:

• Value: "200"

• Value: "|3a 3a|FromBase64String|28|"

• Value: "Set-Content"

• Value: "C|3a 5c|Windows|5c|Temp"

• Value: "-Encoding"

• Value: "|0a 0a 0a|"

Within:

PCRE: "/^(?P\$[a-z0-9]{1,15})\s=\s[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((?P=js)))\sSet-Content\s(?:-Path\sC:\Windows\Temp\[a-z0-9]{1,15}.[a-z0-9]{2,4}\s|-Value\s(?P=js)\s|-Encoding\s*ASCII){3}/Ri"

Special Options:

• http_stat_code

• file_data

• fast_pattern

source