Hi,
Some experimental sigs looking for obfuscation techniques in PS1 downloads. They often start with variable $. Good examples here MintsLoader Malware Analysis: Multi-Stage Loader Used by TAG-124 and SocGholish.
Seen in LUMMA distribution too where one was a 9MB PowerShell script (SHA256 bb76c7c0bd9505daf4b91971af20915af9ef2112d664fbe1c30bd097601041f2 | Triage) that loads embedded (and obfuscated/encrypted) LUMMA payload into memory.
# All five rules inspect the HTTP response body of a download whose first byte is "$" (depth:1),
# then require four successive (distance:0) occurrences of one obfuscation literal.
# |27| is the single quote ', |22| is the double quote ".
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET HUNTING Possible Obfuscated PowerShell Script Download - Excessive CHAR"; flow:established,to_client; content:"$"; http_server_body; depth:1; content:"[CHAR"; http_server_body; nocase; distance:0; content:"[CHAR"; http_server_body; nocase; distance:0; content:"[CHAR"; http_server_body; nocase; distance:0; content:"[CHAR"; http_server_body; nocase; distance:0; classtype:bad-unknown; sid:134201; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET HUNTING Possible Obfuscated PowerShell Script Download - Excessive Split String M1"; flow:established,to_client; content:"$"; http_server_body; depth:1; content:"|27|+|27|"; http_server_body; distance:0; content:"|27|+|27|"; http_server_body; distance:0; content:"|27|+|27|"; http_server_body; distance:0; content:"|27|+|27|"; http_server_body; distance:0; classtype:bad-unknown; sid:134202; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET HUNTING Possible Obfuscated PowerShell Script Download - Excessive Split String M2"; flow:established,to_client; content:"$"; http_server_body; depth:1; content:"|27| + |27|"; http_server_body; distance:0; content:"|27| + |27|"; http_server_body; distance:0; content:"|27| + |27|"; http_server_body; distance:0; content:"|27| + |27|"; http_server_body; distance:0; classtype:bad-unknown; sid:134203; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET HUNTING Possible Obfuscated PowerShell Script Download - Excessive Split String M3"; flow:established,to_client; content:"$"; http_server_body; depth:1; content:"|22|+|22|"; http_server_body; distance:0; content:"|22|+|22|"; http_server_body; distance:0; content:"|22|+|22|"; http_server_body; distance:0; content:"|22|+|22|"; http_server_body; distance:0; classtype:bad-unknown; sid:134204; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET HUNTING Possible Obfuscated PowerShell Script Download - Excessive Split String M4"; flow:established,to_client; content:"$"; http_server_body; depth:1; content:"|22| + |22|"; http_server_body; distance:0; content:"|22| + |22|"; http_server_body; distance:0; content:"|22| + |22|"; http_server_body; distance:0; content:"|22| + |22|"; http_server_body; distance:0; classtype:bad-unknown; sid:134205; rev:1;)
Kind Regards,
Kevin
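The following is an added example, not code from the post above: a small Python emulation of the five rules' matching logic, useful for checking which sid a candidate script body would trigger before loading the rules into Suricata. The sample bodies are constructed for illustration (not real malware), the sid-to-literal table is taken from the rules, and the threshold of four mirrors the four chained content matches; `str.count` counts non-overlapping occurrences, which is what the `distance:0` chaining requires.

```python
# Emulates the matching logic of the five "Excessive CHAR / Split String" hunting
# rules on a decoded HTTP response body. Added example; the sample bodies below
# are constructed, not captured traffic.

# Constructed sample bodies: the first mimics the obfuscation style the rules
# target, the second is an ordinary administrative script.
OBFUSCATED_SAMPLE = (
    "$a=[CHAR]73+[CHAR]69+[CHAR]88+[cHaR]32+[Char]40;"
    "$b='Ne'+'w-Ob'+'je'+'ct'+' System.Net.WebClient';"
    '$c="Down"+"load"+"Str"+"ing"+"Async";'
)
BENIGN_SAMPLE = (
    "param([string]$Path)\n"
    "Get-ChildItem -Path $Path | Where-Object { $_.Length -gt 1MB }\n"
)

# sid -> (literal repeated four times in the rule, nocase flag).
# |27| in the rules is the single quote ', |22| is the double quote ".
RULE_PATTERNS = {
    134201: ("[CHAR", True),
    134202: ("'+'", False),
    134203: ("' + '", False),
    134204: ('"+"', False),
    134205: ('" + "', False),
}
THRESHOLD = 4  # each rule chains four content matches with distance:0


def count_occurrences(body, needle, nocase):
    """Count non-overlapping occurrences, honouring the rule's nocase flag."""
    haystack = body.lower() if nocase else body
    needle = needle.lower() if nocase else needle
    return haystack.count(needle)


def matching_sids(body, threshold=THRESHOLD):
    """Return the sids whose conditions `body` satisfies.

    The body must begin with '$' (content:"$"; depth:1) and contain the rule's
    literal at least `threshold` times (four successive distance:0 matches).
    """
    if not body.startswith("$"):
        return []
    return [
        sid
        for sid, (needle, nocase) in RULE_PATTERNS.items()
        if count_occurrences(body, needle, nocase) >= threshold
    ]


def occurrence_report(body):
    """Per-sid occurrence counts, handy when tuning the threshold."""
    return {
        sid: count_occurrences(body, needle, nocase)
        for sid, (needle, nocase) in RULE_PATTERNS.items()
    }


if __name__ == "__main__":
    for name, body in (("obfuscated", OBFUSCATED_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, "->", matching_sids(body), occurrence_report(body))
```

The emulation only reproduces the content logic; it does not model the HTTP body reassembly or inspection limits Suricata applies, so a hit here means the literals are present, not that the sensor is guaranteed to alert on a given transfer.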