alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PSEmpire Checkin via POST"; flow:to_server,established; content:"POST"; http_method; urilen:14; content:"/admin/get.php"; fast_pattern; http_uri; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|rv|3a|11.0) like Gecko|0d 0a|"; http_header; content:!"Referer|3a 20|"; http_header; content:!"|0d 0a|Accept"; http_header; pcre:"/Cookie\x3a\x20SESSIONID=[A-Z0-9]{16}\r\n/"; metadata: former_category MALWARE; reference:url,www.powershellempire.com; classtype:trojan-activity; sid:2021616; rev:3; metadata:created_at 2015_08_12, updated_at 2019_10_07;)

Added 2019-10-08 19:34:31 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PSEmpire Checkin via POST"; flow:to_server,established; content:"POST"; http_method; urilen:14; content:"/admin/get.php"; fast_pattern:only; http_uri; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b| WOW64|3b| Trident/7.0|3b| rv|3a|11.0) like Gecko|0d 0a|"; http_header; content:!"Referer|3a 20|"; http_header; content:!"|0d 0a|Accept"; http_header; pcre:"/Cookie\x3a\x20SESSIONID=[A-Z0-9]{16}\r\n/"; metadata: former_category MALWARE; reference:url,www.powershellempire.com; classtype:trojan-activity; sid:2021616; rev:2; metadata:created_at 2015_08_12, updated_at 2015_08_12;)

Added 2019-09-26 19:58:03 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PSEmpire Checkin via POST"; flow:to_server,established; content:"POST"; http_method; urilen:14; content:"/admin/get.php"; fast_pattern:only; http_uri; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b| WOW64|3b| Trident/7.0|3b| rv|3a|11.0) like Gecko|0d 0a|"; http_header; content:!"Referer|3a 20|"; http_header; content:!"|0d 0a|Accept"; http_header; pcre:"/Cookie\x3a\x20SESSIONID=[A-Z0-9]{16}\r\n/"; reference:url,www.powershellempire.com; classtype:trojan-activity; sid:2021616; rev:2; metadata:created_at 2015_08_12, updated_at 2015_08_12;)

Added 2018-09-13 19:51:34 UTC


Added 2018-09-13 18:00:17 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PSEmpire Checkin via POST"; flow:to_server,established; content:"POST"; http_method; urilen:14; content:"/admin/get.php"; fast_pattern:only; http_uri; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b| WOW64|3b| Trident/7.0|3b| rv|3a|11.0) like Gecko|0d 0a|"; http_header; content:!"Referer|3a 20|"; http_header; content:!"|0d 0a|Accept"; http_header; pcre:"/Cookie\x3a\x20SESSIONID=[A-Z0-9]{16}\r\n/"; reference:url,www.powershellempire.com; classtype:trojan-activity; sid:2021616; rev:2; metadata:created_at 2015_08_12, updated_at 2015_08_12;)

Added 2017-08-07 21:16:19 UTC


Topic revision: r1 - 2019-10-08 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats