[Emerging-Sigs] Revision for 2024771
Jason Williams
jwilliams at emergingthreats.net
Fri Apr 19 06:28:43 HDT 2019
Updated, thanks!
On Fri, Apr 19, 2019 at 4:58 AM Attack Detection <attackdetectionteam at gmail.com> wrote:
> Hi, after profiling I suggest adding a forced fast_pattern.
>
> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN [PTsecurity]
> Possible Cobalt Strike payload"; flow:established,from_server;
> content:"200"; http_stat_code; content:"Content-Length|3a 20|";
> http_header; content:"|0d 0a|"; http_header; distance:5; within:4;
> file_data;
> content:"|fc e8 00 00 00 00 eb|"; depth:7; fast_pattern;
> metadata: former_category TROJAN;
> classtype:trojan-activity; sid:2024771; rev:1; metadata:affected_product
> Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint,
> deployment Perimeter, signature_severity Major, created_at 2017_09_27,
> malware_family CobaltStrike, performance_impact Low, updated_at 2019_04_19;)
>
> Best regards, John.
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
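As an added illustration (not part of this thread or of the ET rule set), a small Python parser that pulls the content keywords out of the rule quoted above and shows which pattern the forced fast_pattern hands to the multi-pattern prefilter, versus what a plain longest-content choice would pick. The longest-content heuristic is an assumed simplification of Suricata's real default selection, which also weighs the buffer a content lives in.

```python
# Rule as quoted in the thread (sid 2024771 rev 1), joined onto one string.
RULE = (
    'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] '
    'Possible Cobalt Strike payload"; flow:established,from_server; '
    'content:"200"; http_stat_code; content:"Content-Length|3a 20|"; '
    'http_header; content:"|0d 0a|"; http_header; distance:5; within:4; '
    'file_data; content:"|fc e8 00 00 00 00 eb|"; depth:7; fast_pattern; '
    'metadata: former_category TROJAN; classtype:trojan-activity; sid:2024771; rev:1;)'
)

def split_options(body):
    """Split the option block on ';' while respecting double-quoted values."""
    opts, cur, in_quote = [], "", False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    return [o for o in opts + [cur.strip()] if o]

def decode_content(value):
    """Expand |hex| escapes in a content value into raw bytes."""
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode("latin-1")
                    for i, p in enumerate(value.split("|")))

def content_matches(rule):
    """Return (pattern, buffer, explicit_fast_pattern) for each content keyword."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    matches, sticky = [], "payload"
    for opt in split_options(body):
        key, _, val = opt.partition(":")
        key = key.strip()
        if key == "content":
            matches.append([decode_content(val.strip().strip('"')), sticky, False])
        elif key == "file_data":      # sticky buffer: applies to later contents
            sticky = "file_data"
        elif key in ("http_header", "http_stat_code") and matches:
            matches[-1][1] = key      # legacy modifier: applies to preceding content
        elif key == "fast_pattern" and matches:
            matches[-1][2] = True
    return [tuple(m) for m in matches]

def forced_fast_pattern(rule):
    """The content the rule author explicitly forced into the MPM prefilter."""
    return next((m for m in content_matches(rule) if m[2]), None)

def longest_content(rule):
    """What a plain longest-content heuristic (assumed simplification) would pick."""
    return max(content_matches(rule), key=lambda m: len(m[0]))
```

The 16-byte "Content-Length: " header is present in nearly every HTTP response, so prefiltering on it would push almost all responses into full rule evaluation, whereas the 7-byte stager prefix in file_data is rare on a benign network, which is what the profiling in the thread is about.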