Et rule 2026934 - Magic-SigExplorer

""ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-WmiMethod (dm9rZS1XbWlNZXR) in DNS TXT Reponse""

SID: 2026934

Revision: 4

Class Type: bad-unknown

Metadata: affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, malware_family DNSlivery, signature_severity Major, updated_at 2023_01_24

Reference:

Link

Protocol: udp

Source Network: any

Source Port: 53

Destination Network: $HOME_NET

Destination Port: any

Flow:

Contents:

Value: !"v=DKIM"
Value: "|00 00 10 00 01 c0 0c 00 10 00 01|"
Value: "dm9rZS1XbWlNZXR"

Within:

PCRE:

Special Options:

fast_pattern

source