alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy HTTP CnC Beacon"; flow:established,to_server; content:"|20|HTTP|3a 2f 2f|"; offset:3; depth:9; content:!"Host|3a|"; distance:0; content:!"User-Agent|3a|"; distance:0; content:!"Accept"; distance:0; content:!"Referer|3a|"; distance:0; content:"HTTP/1.1|0d 0a|Cookie|3a 20|id="; fast_pattern; pcre:"/^[0-9A-F]{12}/R"; reference:md5,1aca09c5eefb37539e86ec86dd3be72f; reference:url,blog.jpcert.or.jp/2015/07/poisonivy-adapts-to-communicate-through-authentication-proxies.html; classtype:trojan-activity; sid:2021523; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Major, tag PoisonIvy, tag c2, updated_at 2016_07_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)

Added 2021-06-18 18:19:28 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy HTTP CnC Beacon"; flow:established,to_server; content:"|20|HTTP|3a 2f 2f|"; offset:3; depth:9; content:!"Host|3a|"; distance:0; content:!"User-Agent|3a|"; distance:0; content:!"Accept"; distance:0; content:!"Referer|3a|"; distance:0; content:"HTTP/1.1|0d 0a|Cookie|3a 20|id="; fast_pattern; pcre:"/^[0-9A-F]{12}/R"; reference:md5,1aca09c5eefb37539e86ec86dd3be72f; reference:url,blog.jpcert.or.jp/2015/07/poisonivy-adapts-to-communicate-through-authentication-proxies.html; classtype:trojan-activity; sid:2021523; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)

Added 2020-08-05 19:11:28 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy HTTP CnC Beacon"; flow:established,to_server; content:"|20|HTTP|3a 2f 2f|"; offset:3; depth:9; content:!"Host|3a|"; distance:0; content:!"User-Agent|3a|"; distance:0; content:!"Accept"; distance:0; content:!"Referer|3a|"; distance:0; content:"HTTP/1.1|0d 0a|Cookie|3a 20|id="; fast_pattern; pcre:"/^[0-9A-F]{12}/R"; metadata: former_category MALWARE; reference:md5,1aca09c5eefb37539e86ec86dd3be72f; reference:url,blog.jpcert.or.jp/2015/07/poisonivy-adapts-to-communicate-through-authentication-proxies.html; classtype:trojan-activity; sid:2021523; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2015_07_23, malware_family PoisonIvy, updated_at 2016_07_01;)

Added 2019-09-19 19:26:26 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy HTTP CnC Beacon"; flow:established,to_server; content:"|20|HTTP|3a 2f 2f|"; offset:3; depth:9; content:!"Host|3a|"; distance:0; content:!"User-Agent|3a|"; distance:0; content:!"Accept"; distance:0; content:!"Referer|3a|"; distance:0; content:"HTTP/1.1|0d 0a|Cookie|3a 20|id="; fast_pattern; pcre:"/^[0-9A-F]{12}/R"; reference:md5,1aca09c5eefb37539e86ec86dd3be72f; reference:url,blog.jpcert.or.jp/2015/07/poisonivy-adapts-to-communicate-through-authentication-proxies.html; classtype:trojan-activity; sid:2021523; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2015_07_23, malware_family PoisonIvy, updated_at 2016_07_01;)

Added 2017-08-07 21:16:12 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy HTTP CnC Beacon"; flow:established,to_server; content:"HTTP|3a 2f 2f|"; depth:7; http_raw_uri; content:"id="; depth:3; http_cookie; content:!"Host|3a|"; http_header; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^id=[0-9A-F]{12}[^\r\n]+$/C"; content:"HTTP/1.1|0d 0a|Cookie|3a 20|id="; fast_pattern:only; reference:md5,1aca09c5eefb37539e86ec86dd3be72f; reference:url,blog.jpcert.or.jp/2015/07/poisonivy-adapts-to-communicate-through-authentication-proxies.html; classtype:trojan-activity; sid:2021523; rev:2;)

Added 2015-07-23 17:32:18 UTC

