[Emerging-Sigs] Revision for 2024771
Attack Detection
attackdetectionteam at gmail.com
Fri Apr 19 01:57:55 HDT 2019
Hi, after profiling I suggest adding a forced fast_pattern.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN [PTsecurity]
Possible Cobalt Strike payload"; flow:established,from_server;
content:"200"; http_stat_code; content:"Content-Length|3a 20|";
http_header; content:"|0d 0a|"; http_header; distance:5; within:4;
file_data;
content:"|fc e8 00 00 00 00 eb|"; depth:7; fast_pattern;
metadata: former_category TROJAN;
classtype:trojan-activity; sid:2024771; rev:1; metadata:affected_product
Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint,
deployment Perimeter, signature_severity Major, created_at 2017_09_27,
malware_family CobaltStrike, performance_impact Low, updated_at 2019_04_19;)
Best regards, John.
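To make the conditions of sid:2024771 concrete, the following is an added Python re-implementation of its match logic run over constructed HTTP responses. It is example code written for this page, not Suricata and not part of the Emerging Threats rule set. It assumes the usual reading of `distance:5; within:4` as a window that starts 5 bytes after the end of the previous match and spans 4 bytes, which makes the rule require a 5 to 7 digit Content-Length value; the names STUB, build_response, matches_sid_2024771, scan and every sample response are constructed here.

```python
"""Re-implements the match logic of ET sid:2024771 in plain Python so its
conditions can be checked against constructed HTTP responses offline.
(Added example, not part of the Emerging Threats rule set or Suricata.)"""
from typing import Dict, Optional

# Byte sequence from the signature's file_data content (Cobalt Strike payload prologue).
STUB = bytes.fromhex("fce800000000eb")
CL_PREFIX = b"Content-Length: "   # content:"Content-Length|3a 20|"; http_header;


def build_response(status: int, body: bytes, content_length: Optional[int] = None) -> bytes:
    """Build a constructed HTTP/1.1 response. Content-Length defaults to the
    real body length; passing a value lets us exercise the header check alone."""
    if content_length is None:
        content_length = len(body)
    head = (
        f"HTTP/1.1 {status} OK\r\n"
        "Content-Type: application/octet-stream\r\n"
        f"Content-Length: {content_length}\r\n"
        "\r\n"
    )
    return head.encode("ascii") + body


def matches_sid_2024771(response: bytes) -> bool:
    """Return True if the response satisfies every content check in the rule."""
    end = response.find(b"\r\n\r\n")
    if end == -1:
        return False
    head, body = response[: end + 2], response[end + 4:]   # keep the last header's CRLF
    status_line, _, headers = head.partition(b"\r\n")

    # http_stat_code; content:"200"
    fields = status_line.split(b" ")
    if len(fields) < 2 or fields[1] != b"200":
        return False

    # content:"Content-Length|3a 20|"; http_header;
    idx = headers.find(CL_PREFIX)
    if idx == -1:
        return False
    after = headers[idx + len(CL_PREFIX):]

    # content:"|0d 0a|"; http_header; distance:5; within:4;
    # Assumed reading: CRLF must start 5 to 7 bytes past the previous match, so the
    # Content-Length value has to be 5, 6 or 7 digits (roughly 10 KB to 10 MB).
    if b"\r\n" not in after[5:9]:
        return False

    # file_data; content:"|fc e8 00 00 00 00 eb|"; depth:7; fast_pattern;
    return body[:7] == STUB


# Constructed samples: only the first two should fire.
SAMPLES: Dict[str, bytes] = {
    "beacon_5_digit_length": build_response(200, STUB + b"\x90" * 12000),
    "header_only_7_digits":  build_response(200, STUB, content_length=1234567),
    "too_small_3_digits":    build_response(200, STUB + b"\x90" * 100),
    "too_large_8_digits":    build_response(200, STUB, content_length=12345678),
    "benign_pe_download":    build_response(200, b"MZ\x90\x00" + b"\x00" * 12000),
    "stub_but_404":          build_response(404, STUB + b"\x90" * 12000),
}


def scan(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, bool]:
    """Evaluate the rule against each sample and return name -> alert."""
    return {name: matches_sid_2024771(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hit in scan().items():
        print(f"{'ALERT' if hit else '  -  '}  {name}")
```

Two points the samples make visible: the Content-Length check only reads the header (a 7 digit value with a 7 byte body still fires, while a response with no Content-Length header or a chunked body never does), and the forced fast_pattern puts the rare 7 byte stub into the multi-pattern pre-filter instead of a longer but near-universal string such as `Content-Length|3a 20|`, which is why the post's profiling favours it.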