# sid 2017714, rev 6 (metadata updated_at 2020_12_10): outbound HTTP POST from $HOME_NET
# whose normalized URI (/U) is exactly "/" followed by 24 uppercase-hex characters.
# Header checks, in order:
#   - the header buffer must begin with "Accept: */*\r\n" (depth:13 is the length of that string);
#   - immediately after it, four uppercase letters (pcre /RH), then "1: 0\r\n" within 6 bytes,
#     i.e. a second header of the form "<4 letters>1: 0" (rev 3 on this page hard-coded "FZLK1");
#   - no "Referer" string anywhere in the header buffer.
# NOTE(review): the "?" in msg suggests the PlugX attribution was tentative. Confirm a hit
# against the referenced report and sample hash before naming the family.
# NOTE(review): fast_pattern is pinned to the 6-byte "1: 0\r\n", the only literal tied to the
# custom header. It is short, so watch the prefilter hit rate on busy sensors.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PlugX? Checkin"; flow:to_server,established; content:"POST"; http_method; pcre:"/^\/[A-F0-9]{24}$/U"; content:"Accept|3a 20 2a 2f 2a 0d 0a|"; http_header; depth:13; pcre:"/^[A-Z]{4}/RH"; content:"1|3a 20|0|0d 0a|"; fast_pattern; http_header; within:6; content:!"Referer"; http_header; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; reference:md5,17f9f999e1814b99601446f8ce7eb816; classtype:trojan-activity; sid:2017714; rev:6; metadata:created_at 2013_11_13, former_category MALWARE, updated_at 2020_12_10;)

Added 2020-12-11 18:27:46 UTC


# sid 2017714, rev 6 (metadata updated_at 2020_04_29, former_category in the single metadata keyword).
# Matches an outbound HTTP POST to "/" + 24 uppercase-hex characters whose header buffer starts with
# "Accept: */*\r\n", is followed directly by a "<4 uppercase letters>1: 0\r\n" header, and has no "Referer".
# NOTE(review): several entries on this page carry rev:6 but differ in metadata, so sid+rev alone
# does not identify the exact rule text. Compare the full line when diffing rulesets.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PlugX? Checkin"; flow:to_server,established; content:"POST"; http_method; pcre:"/^\/[A-F0-9]{24}$/U"; content:"Accept|3a 20 2a 2f 2a 0d 0a|"; http_header; depth:13; pcre:"/^[A-Z]{4}/RH"; content:"1|3a 20|0|0d 0a|"; fast_pattern; http_header; within:6; content:!"Referer"; http_header; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; reference:md5,17f9f999e1814b99601446f8ce7eb816; classtype:trojan-activity; sid:2017714; rev:6; metadata:created_at 2013_11_13, former_category MALWARE, updated_at 2020_04_29;)

Added 2020-08-05 19:09:25 UTC


# sid 2017714, rev 6: this variant has two metadata keywords ("metadata: former_category MALWARE;"
# before the references, and created_at/updated_at 2020_04_29 at the end).
# Detection logic: HTTP POST to "/" + 24 uppercase-hex characters, header buffer beginning with
# "Accept: */*\r\n", then a "<4 uppercase letters>1: 0\r\n" header, and no "Referer".
# NOTE(review): tooling that keeps only one metadata keyword per rule may drop one of the two here. Verify.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PlugX? Checkin"; flow:to_server,established; content:"POST"; http_method; pcre:"/^\/[A-F0-9]{24}$/U"; content:"Accept|3a 20 2a 2f 2a 0d 0a|"; http_header; depth:13; pcre:"/^[A-Z]{4}/RH"; content:"1|3a 20|0|0d 0a|"; fast_pattern; http_header; within:6; content:!"Referer"; http_header; metadata: former_category MALWARE; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; reference:md5,17f9f999e1814b99601446f8ce7eb816; classtype:trojan-activity; sid:2017714; rev:6; metadata:created_at 2013_11_13, updated_at 2020_04_29;)

Added 2020-04-30 19:07:46 UTC


# sid 2017714, rev 6, with former_category in its own metadata keyword and updated_at 2020_04_29.
# Fires on an outbound HTTP POST whose URI is "/" + 24 uppercase-hex characters, whose first header is
# "Accept: */*", whose next header name is four uppercase letters followed by "1" with the value "0",
# and whose headers contain no "Referer".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PlugX? Checkin"; flow:to_server,established; content:"POST"; http_method; pcre:"/^\/[A-F0-9]{24}$/U"; content:"Accept|3a 20 2a 2f 2a 0d 0a|"; http_header; depth:13; pcre:"/^[A-Z]{4}/RH"; content:"1|3a 20|0|0d 0a|"; fast_pattern; http_header; within:6; content:!"Referer"; http_header; metadata: former_category MALWARE; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; reference:md5,17f9f999e1814b99601446f8ce7eb816; classtype:trojan-activity; sid:2017714; rev:6; metadata:created_at 2013_11_13, updated_at 2020_04_29;)

Added 2020-04-29 19:34:24 UTC


# sid 2017714, rev 6, with a separate "metadata: former_category MALWARE;" keyword; updated_at still
# equals created_at (2013_11_13) in this variant.
# Conditions: HTTP POST, URI "/" + 24 uppercase-hex characters, headers start with "Accept: */*\r\n",
# then "<4 uppercase letters>1: 0\r\n" directly after, and no "Referer" in the header buffer.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PlugX? Checkin"; flow:to_server,established; content:"POST"; http_method; pcre:"/^\/[A-F0-9]{24}$/U"; content:"Accept|3a 20 2a 2f 2a 0d 0a|"; http_header; depth:13; pcre:"/^[A-Z]{4}/RH"; content:"1|3a 20|0|0d 0a|"; fast_pattern; http_header; within:6; content:!"Referer"; http_header; metadata: former_category MALWARE; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; reference:md5,17f9f999e1814b99601446f8ce7eb816; classtype:trojan-activity; sid:2017714; rev:6; metadata:created_at 2013_11_13, updated_at 2013_11_13;)

Added 2019-09-26 19:57:30 UTC


# sid 2017714, rev 6, without a former_category tag (metadata holds only created_at/updated_at 2013_11_13).
# Uses the HTTP buffers: http_method "POST", normalized URI "/" + 24 uppercase-hex characters,
# http_header starting with "Accept: */*\r\n" and continuing with "<4 uppercase letters>1: 0\r\n",
# plus a negated "Referer" match over the header buffer.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PlugX? Checkin"; flow:to_server,established; content:"POST"; http_method; pcre:"/^\/[A-F0-9]{24}$/U"; content:"Accept|3a 20 2a 2f 2a 0d 0a|"; http_header; depth:13; pcre:"/^[A-Z]{4}/RH"; content:"1|3a 20|0|0d 0a|"; fast_pattern; http_header; within:6; content:!"Referer"; http_header; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; reference:md5,17f9f999e1814b99601446f8ce7eb816; classtype:trojan-activity; sid:2017714; rev:6; metadata:created_at 2013_11_13, updated_at 2013_11_13;)

Added 2018-09-13 19:48:00 UTC


Added 2018-09-13 17:58:11 UTC


# sid 2017714, rev 6: the "alert http" form with created_at/updated_at metadata (both 2013_11_13).
# Compared with the rev 5 "alert tcp" text on this page, the matches are bound to the parsed HTTP
# buffers (http_method, /U URI pcre, http_header) instead of raw payload offsets.
# Requires: POST, URI "/" + 24 uppercase-hex characters, header buffer beginning with "Accept: */*\r\n",
# then "<4 uppercase letters>1: 0\r\n", and no "Referer" header text.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PlugX? Checkin"; flow:to_server,established; content:"POST"; http_method; pcre:"/^\/[A-F0-9]{24}$/U"; content:"Accept|3a 20 2a 2f 2a 0d 0a|"; http_header; depth:13; pcre:"/^[A-Z]{4}/RH"; content:"1|3a 20|0|0d 0a|"; fast_pattern; http_header; within:6; content:!"Referer"; http_header; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; reference:md5,17f9f999e1814b99601446f8ce7eb816; classtype:trojan-activity; sid:2017714; rev:6; metadata:created_at 2013_11_13, updated_at 2013_11_13;)

Added 2017-08-07 21:11:39 UTC


# sid 2017714, rev 5: raw-payload ("alert tcp") form, any port, established client-to-server flow.
#   - payload starts with "POST " (depth:5), followed directly by "/" + 24 uppercase-hex characters
#     and " HTTP/1.1" (relative pcre);
#   - "\r\nAccept: */*\r\n" within the next 15 bytes (its exact length), so Accept is the first header;
#   - four uppercase letters, then "1: 0\r\n" within 6 bytes (fast_pattern), giving "<4 letters>1: 0";
#   - no "Referer" anywhere after that point in the inspected payload (negated content, distance:0).
# Unlike rev 4 on this page, there is no trailing content:!"Accept" check.
# NOTE(review): the negated match is positional on raw bytes, so it presumably also covers any
# request body in the same inspected payload. Confirm against captures.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PlugX? Checkin"; flow:to_server,established; content:"POST "; depth:5; pcre:"/^\/[A-F0-9]{24} HTTP\/1\.1/R"; content:"|0d 0a|Accept|3a 20 2a 2f 2a 0d 0a|"; within:15; pcre:"/^[A-Z]{4}/R"; content:"1|3a 20|0|0d 0a|"; fast_pattern; within:6; content:!"Referer"; distance:0; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; reference:md5,17f9f999e1814b99601446f8ce7eb816; classtype:trojan-activity; sid:2017714; rev:5;)

Added 2014-04-16 18:55:39 UTC


# sid 2017714, rev 4: raw-payload form. Request line must be "POST /" + 24 uppercase-hex characters +
# " HTTP/1.1", followed directly by "\r\nAccept: */*\r\n" and a "<4 uppercase letters>1: 0\r\n" header.
# Two negated matches run from that point onward (distance:0): no "Referer" and no further "Accept".
# The second also rejects any later header whose name merely contains "Accept" (for example an
# Accept-Language header). Rev 5 on this page drops that condition.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PlugX? Checkin"; flow:to_server,established; content:"POST "; depth:5; pcre:"/^\/[A-F0-9]{24} HTTP\/1\.1/R"; content:"|0d 0a|Accept|3a 20 2a 2f 2a 0d 0a|"; within:15; pcre:"/^[A-Z]{4}/R"; content:"1|3a 20|0|0d 0a|"; fast_pattern; within:6; content:!"Referer"; distance:0; content:!"Accept"; distance:0; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; reference:md5,17f9f999e1814b99601446f8ce7eb816; classtype:trojan-activity; sid:2017714; rev:4;)

Added 2013-11-14 17:11:12 UTC


# sid 2017714, rev 3: earliest text on this page; raw-payload form keyed to one literal header name.
#   - payload starts with "POST " (depth:5);
#   - relative pcre anchored right after it: one or more uppercase-hex characters then " HTTP/1.1".
#     The pattern has no leading "/" and no fixed length; rev 4 on this page changes it to
#     "\/" + exactly 24 characters;
#   - "\r\nAccept: */*\r\nFZLK1: " within 22 bytes (the string's exact length); fast_pattern:10,12
#     selects the 12-byte slice "*/*\r\nFZLK1: " for the prefilter;
#   - no "Referer" and no further "Accept" after that match (negated contents, distance:0).
# Later revisions replace the literal "FZLK" with any four uppercase letters and also require the value "0".
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PlugX? Checkin"; flow:to_server,established; content:"POST "; depth:5; pcre:"/^[A-F0-9]+? HTTP\/1\.1/R"; content:"|0d 0a|Accept|3a 20 2a 2f 2a 0d 0a|FZLK1|3a| "; within:22; fast_pattern:10,12; content:!"Referer"; distance:0; content:!"Accept"; distance:0; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; reference:md5,17f9f999e1814b99601446f8ce7eb816; classtype:trojan-activity; sid:2017714; rev:3;)

Added 2013-11-13 18:51:07 UTC

