""ET TROJAN Downloader Retrieving Malicious Powershell in DNS Response""
SID: 2030315
Revision: 2
Class Type: trojan-activity
Metadata: attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_06_11
Reference:
Protocol: udp
Source Network: any
Source Port: 53
Destination Network: $HOME_NET
Destination Port: any
Flow:
Contents:
- Value: "|00 10 00 01|"
Offset: 2
-
Value: "-match '@(.*)@'){$str +="
-
Value: "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($matches[1]))}"
Within:
PCRE:
Special Options: