alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN NCSC XAgent Beacon"; flow:established,to_server; content:"HTTP/1.1|0d 0a|Accept|3a|text/html,application/xhtml+xml,application/xml|3b|q=0.9,*"; content:!"Host|3a| yandex.ru"; pcre:"/^(?:GET|POST)\s\/(?:watch|search|find|results|open|search|close)\/\?(?:text=|from=|aq=|ai=|ags=|oe=|btnG=|oprnd=|utm=|channel=|itwm=)/"; reference:url,www.ncsc.gov.uk/content/files/protected_files/article_files/IOC-APT28-malware-advisory.pdf; classtype:trojan-activity; sid:2026437; rev:1; metadata:created_at 2018_10_04, updated_at 2018_10_04;)

Added 2018-10-04 17:21:48 UTC
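As an added example that is not part of the Emerging Threats rule page, the Python below reproduces the rule's three payload tests (the Accept content match, the negated Host match, and the anchored pcre) and runs them over constructed client requests, so a defender can see which request shapes would and would not alert. The hostnames and query values are made up, the pcre is written with `\s` between method and path as an HTTP request line requires, and the `flow` stream-state check is not modelled.

```python
import re

# Patterns copied from the rule above (sid 2026437). Note that the rule's
# Accept header has no space after the colon; that formatting is what it keys on.
CONTENT = (b"HTTP/1.1\r\nAccept:text/html,application/xhtml+xml,"
           b"application/xml;q=0.9,*")
NEG_CONTENT = b"Host: yandex.ru"  # content:!"Host|3a| yandex.ru"
PCRE = re.compile(
    rb"^(?:GET|POST)\s/(?:watch|search|find|results|open|search|close)/\?"
    rb"(?:text=|from=|aq=|ai=|ags=|oe=|btnG=|oprnd=|utm=|channel=|itwm=)"
)

def rule_matches(payload: bytes) -> bool:
    """Apply the rule's three payload checks to one client request.
    With no http_* buffer or relative modifier, content matches run over the
    raw payload and ^ in the pcre anchors at payload start. The flow keyword
    is stream state and is assumed satisfied here."""
    if CONTENT not in payload:
        return False
    if NEG_CONTENT in payload:  # negated content: presence suppresses the alert
        return False
    return PCRE.search(payload) is not None

def build_request(method: bytes, path: bytes, host: bytes, accept: bytes) -> bytes:
    """Constructed client request for testing; not captured traffic."""
    return (method + b" " + path + b" HTTP/1.1\r\n"
            b"Accept:" + accept + b"\r\n"
            b"Host: " + host + b"\r\n\r\n")

BEACON_ACCEPT = b"text/html,application/xhtml+xml,application/xml;q=0.9,*/*"
SAMPLES = {
    # beacon-shaped URI to an arbitrary host: alert
    "beacon": build_request(b"GET", b"/watch/?text=aGVsbG8", b"example.test", BEACON_ACCEPT),
    # same URI, but Host is yandex.ru: the negated content suppresses the alert
    "yandex": build_request(b"GET", b"/watch/?text=aGVsbG8", b"yandex.ru", BEACON_ACCEPT),
    # matching Accept header, ordinary URI: the pcre fails
    "benign": build_request(b"POST", b"/index.html?page=1", b"example.test", BEACON_ACCEPT),
    # matching URI, browser-style "Accept: " with a space: the content match fails
    "spaced": build_request(b"POST", b"/search/?from=1", b"example.test", b" " + BEACON_ACCEPT),
}

def evaluate_samples() -> dict:
    """Map each constructed sample to whether the rule would alert on it."""
    return {name: rule_matches(payload) for name, payload in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:7s} {'ALERT' if hit else 'no alert'}")
```

The "spaced" sample is the one worth noting when tuning: a normally formatted browser Accept header does not satisfy the content match, so the rule is narrower than its URI pattern alone suggests.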


Topic revision: r1 - 2018-10-04 - TWikiGuest
 
Copyright © Emerging Threats