"ET ATTACK_RESPONSE Possible PowerShell AMSI Bypass Inbound"
SID: 2039683
Revision: 1
Class Type: misc-attack
Metadata: attack_target Client_and_Server, created_at 2022_11_04, deployment Perimeter, deployment Internal, signature_severity Minor, updated_at 2022_11_04
Reference:
Protocol: tcp
Source Network: any
Source Port: $HTTP_PORTS
Destination Network: [$HOME_NET,$HTTP_SERVERS]
Destination Port: any
Flow: from_server,established
Contents:
-
Value: "200"
-
Value: ".Assembly.GetType"
-
Value: "|7c 25 7b 5b|char|5d 5b|"
-
Value: "-replace"
-
Value: "GetField|28|"
-
Value: "SetValue|28|"
Within: 80
PCRE:
Special Options:
-
http_stat_code
-
file_data
-
nocase
-
fast_pattern
-
nocase
-
nocase
-
nocase
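The listing above is the rule's keywords and modifiers in rule order: each entry under Special Options attaches to the content keyword that precedes it, so "200" is checked against the HTTP status-code buffer (http_stat_code), the remaining five contents are searched case-insensitively in the response body (file_data), the fast_pattern flag marks the obfuscation token "|7c 25 7b 5b|char|5d 5b|" (which decodes to `|%{[char][`, the ForEach-Object/[char] cast idiom used to build strings byte by byte) as the one the multi-pattern prefilter keys on, and within:80 ties "SetValue(" to the preceding "GetField(" match. The following Python reproduces that matching logic outside Suricata so the rule can be tested against sample response bodies. It is an added example, not code from Emerging Threats or Suricata: the |hex| decoder handles only pipe-delimited hex (not the other Suricata escapes), fast_pattern is treated as documentation since it adds no match constraint, and the three sample bodies are constructed for illustration; the one that triggers the rule uses placeholder type and field names and does nothing if run.

```python
"""
Plain-Python re-implementation of the content matching done by ET SID 2039683,
exercised against constructed HTTP responses. Added example, not ET or Suricata code.
"""
import re

# Content keywords in rule order, each with the modifiers that follow it on the page.
# (This mapping of the "Special Options" list onto contents is our reading of the page.)
RULE_CONTENTS = [
    ('"200"', {"buffer": "http_stat_code"}),
    ('".Assembly.GetType"', {"buffer": "file_data", "nocase": True}),
    ('"|7c 25 7b 5b|char|5d 5b|"', {"buffer": "file_data", "nocase": True, "fast_pattern": True}),
    ('"-replace"', {"buffer": "file_data", "nocase": True}),
    ('"GetField|28|"', {"buffer": "file_data", "nocase": True}),
    ('"SetValue|28|"', {"buffer": "file_data", "nocase": True, "within": 80}),
]

_PIPE = re.compile(r"\|([0-9A-Fa-f \t]+)\|")


def decode_content(value: str) -> bytes:
    """Turn a Suricata content string with |hex| segments into the raw bytes searched for."""
    value = value.strip('"')
    out, pos = bytearray(), 0
    for m in _PIPE.finditer(value):
        out += value[pos:m.start()].encode("latin-1")
        out += bytes.fromhex(m.group(1).replace(" ", "").replace("\t", ""))
        pos = m.end()
    out += value[pos:].encode("latin-1")
    return bytes(out)


def _find_all(hay: bytes, needle: bytes, nocase: bool) -> list:
    """Start offsets of every occurrence of needle in hay (ASCII case-folded if nocase)."""
    if nocase:
        hay, needle = hay.lower(), needle.lower()
    starts, i = [], hay.find(needle)
    while i != -1:
        starts.append(i)
        i = hay.find(needle, i + 1)
    return starts


def matches(status_code: bytes, body: bytes) -> bool:
    """True when every content check of the rule succeeds, i.e. the rule would alert."""
    prev_ends = None  # end offsets of the previous file_data match(es), for `within`
    for raw, mods in RULE_CONTENTS:
        needle = decode_content(raw)
        hay = status_code if mods["buffer"] == "http_stat_code" else body
        hits = _find_all(hay, needle, mods.get("nocase", False))
        if "within" in mods:
            # Relative to the previous match: this content must start at or after the
            # previous match's end and finish no more than `within` bytes past it.
            if prev_ends is None:
                return False
            w = mods["within"]
            hits = [s for s in hits
                    if any(e <= s and s + len(needle) <= e + w for e in prev_ends)]
        if not hits:
            return False
        if mods["buffer"] == "file_data":
            prev_ends = [s + len(needle) for s in hits]
    return True


# Constructed sample bodies (not real traffic). BYPASS_LIKE carries every token the
# rule keys on, in the shape the fast_pattern targets, but names placeholder types and
# fields, so it is inert; it exists only to exercise the detector.
BYPASS_LIKE = (
    b"$t=[Ref].Assembly.GetType(('80,108,97,99,101' -split ','|%{[char][int]$_}) -join '' -replace 'X','');\r\n"
    b"$t.GetField('placeholder','NonPublic,Static').SetValue($null,$true)\r\n"
)
# Same tokens, but SetValue( falls outside the 80-byte window after GetField(.
FAR_APART = (
    b"$t=[Ref].Assembly.GetType(('80,108' -split ','|%{[char][int]$_}) -join '' -replace 'X','');\r\n"
    b"$f=$t.GetField('placeholder','NonPublic,Static')\r\n"
    b"# " + b"-" * 90 + b"\r\n"
    b"$f.SetValue($null,$true)\r\n"
)
# Ordinary script that uses -replace and nothing else the rule looks for.
BENIGN = b"Get-ChildItem | ForEach-Object { $_.Name -replace '\\.txt$','' }\r\n"


def run_samples() -> dict:
    """Run the matcher over the constructed samples; only the 200-status bypass-like body alerts."""
    return {
        "bypass_like_200": matches(b"200", BYPASS_LIKE),
        "bypass_like_404": matches(b"404", BYPASS_LIKE),  # status check fails
        "far_apart_200": matches(b"200", FAR_APART),      # within:80 fails
        "benign_200": matches(b"200", BENIGN),            # most contents absent
    }


if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{name}: {'ALERT' if hit else 'no match'}")
```

The far-apart sample is the case to keep in mind when tuning: a script that performs the same reflection in separate statements, or pads between the two calls, does not satisfy within:80, so the rule trades recall for fewer false positives on generic reflection helpers. The status check means the same body served with any non-200 status is also not alerted on.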