INDICATOR-SHELLCODE --
INDICATOR-SHELLCODE base64 x86 NOOP
The rule looks for a base64 string that decodes to a number of 0x43 bytes in succession. 0x43 is the x86 opcode for the instruction `inc ebx`. This type of opcode is commonly used in shellcode as a no-operation, commonly referred to as a NOP, because it changes only a register the payload does not depend on. Several of these in a row are indicative of a NOP sled, where an attacker uses an exploit to corrupt memory in a specific way that could potentially gain execution on a victim machine.
This rule is triggered when a base64 string that is commonly used in exploits to gain execution on a host is observed.
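The following Python script is an added illustration of the detection logic this rule describes; it is not the Snort rule itself nor Talos code. It finds base64-looking tokens in a payload, decodes them, and reports any token whose decoded bytes contain a run of 0x43 (`inc ebx`). The run threshold (`min_run = 8`), the token regex, and the sample traffic lines are all constructed assumptions for this example. The second sample line shows why the page warns about false positives: ordinary text containing a run of the letter C (ASCII 0x43) decodes to exactly the same byte pattern as the sled.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# x86 opcode for `inc ebx`; a NOP sled may use it in place of the classic 0x90.
INC_EBX = 0x43

# Candidate base64 tokens: 16+ base64-alphabet characters plus optional padding.
# (Assumed heuristic for this example; the real rule's pattern is not shown here.)
B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def longest_run(data: bytes, byte: int) -> int:
    """Length of the longest run of `byte` in `data`."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == byte else 0
        best = max(best, cur)
    return best


def decode_lenient(token: bytes) -> Optional[bytes]:
    """Decode a base64 token, tolerating missing padding; None if not valid base64."""
    padded = token + b"=" * (-len(token) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def find_nop_sleds(payload: bytes, min_run: int = 8, nop: int = INC_EBX) -> List[Tuple[bytes, int]]:
    """Return (token, run_length) for every base64 token in `payload` whose
    decoded bytes contain at least `min_run` consecutive `nop` bytes."""
    hits = []
    for match in B64_TOKEN.finditer(payload):
        token = match.group(0)
        decoded = decode_lenient(token)
        if decoded is None:
            continue
        run = longest_run(decoded, nop)
        if run >= min_run:
            hits.append((token, run))
    return hits


def encoded_sled_signature(nop: int = INC_EBX) -> str:
    """The 4-character base64 quartet that a 3-byte-aligned run of `nop` repeats.
    Once the sled is past any leading bytes, the encoding is this quartet over and over."""
    return base64.b64encode(bytes([nop]) * 3).decode()


# Constructed sample traffic lines (not real captures).
SAMPLE_LINES = [
    # 32 `inc ebx` bytes followed by two arbitrary bytes, base64-encoded
    b"POST /upload HTTP/1.1\r\n\r\ndata=" + base64.b64encode(b"\x43" * 32 + b"\xcc\xcc"),
    # benign text with a run of capital C: decodes to the same 0x43 bytes (false positive)
    b"note=" + base64.b64encode(b"Result: CCCCCCCCCC (see appendix)"),
    # benign base64 with no run of 0x43 at all
    b"token=" + base64.b64encode(b"hello world, nothing to see"),
]


def scan_samples() -> List[List[Tuple[bytes, int]]]:
    """Run the detector over each constructed sample line."""
    return [find_nop_sleds(line) for line in SAMPLE_LINES]


if __name__ == "__main__":
    print("aligned sled quartet:", encoded_sled_signature())
    for line, hits in zip(SAMPLE_LINES, scan_samples()):
        for token, run in hits:
            print(f"run of {run} x 0x43 in {token[:24]!r}... from line {line[:20]!r}")
```

Running the script prints `Q0ND` as the quartet an aligned sled repeats, flags the first sample with a run of 32, and also flags the second (benign) sample with a run of 10, which is the kind of alert an analyst has to decode and inspect before treating it as an exploit attempt.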
Attacks/Scans seen in the wild
Known false positives, with the described conditions
This rule is known to commonly result in false positive alerts and must be reviewed in order to confirm an exploit attempt.
Cisco Talos
No rule groups
None
No information provided
None
Tactic: Execution
Technique: User Execution
For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org