alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PSEmpire Checkin via POST"; flow:to_server,established; urilen:14; content:"POST"; http_method; content:"/admin/get.php"; fast_pattern; http_uri; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|rv|3a|11.0) like Gecko"; http_user_agent; pcre:"/^SESSIONID=[A-Z0-9]{16}/C"; http_header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:url,www.powershellempire.com; classtype:trojan-activity; sid:2021616; rev:4; metadata:created_at 2015_08_12, former_category MALWARE, updated_at 2020_11_05;)

Added 2020-11-05 18:35:56 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PSEmpire Checkin via POST"; flow:to_server,established; urilen:14; content:"POST"; http_method; content:"/admin/get.php"; fast_pattern; http_uri; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|rv|3a|11.0) like Gecko"; http_user_agent; pcre:"/^SESSIONID=[A-Z0-9]{16}/C"; http_header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:url,www.powershellempire.com; classtype:trojan-activity; sid:2021616; rev:4; metadata:created_at 2015_08_12, former_category MALWARE, updated_at 2020_03_06;)

Added 2020-08-05 19:11:31 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PSEmpire Checkin via POST"; flow:to_server,established; urilen:14; content:"POST"; http_method; content:"/admin/get.php"; fast_pattern; http_uri; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|rv|3a|11.0) like Gecko"; http_user_agent; pcre:"/^SESSIONID=[A-Z0-9]{16}/C"; http_header_names; content:!"Referer|0d 0a|"; content:!"Accept"; metadata: former_category MALWARE; reference:url,www.powershellempire.com; classtype:trojan-activity; sid:2021616; rev:4; metadata:created_at 2015_08_12, updated_at 2020_03_06;)

Added 2020-03-06 18:55:21 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PSEmpire Checkin via POST"; flow:to_server,established; content:"POST"; http_method; urilen:14; content:"/admin/get.php"; fast_pattern; http_uri; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|rv|3a|11.0) like Gecko|0d 0a|"; http_header; content:!"Referer|3a 20|"; http_header; content:!"|0d 0a|Accept"; http_header; pcre:"/Cookie\x3a\x20SESSIONID=[A-Z0-9]{16}\r\n/"; metadata: former_category MALWARE; reference:url,www.powershellempire.com; classtype:trojan-activity; sid:2021616; rev:3; metadata:created_at 2015_08_12, updated_at 2019_10_07;)

Added 2019-10-08 19:34:31 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PSEmpire Checkin via POST"; flow:to_server,established; content:"POST"; http_method; urilen:14; content:"/admin/get.php"; fast_pattern:only; http_uri; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b| WOW64|3b| Trident/7.0|3b| rv|3a|11.0) like Gecko|0d 0a|"; http_header; content:!"Referer|3a 20|"; http_header; content:!"|0d 0a|Accept"; http_header; pcre:"/Cookie\x3a\x20SESSIONID=[A-Z0-9]{16}\r\n/"; metadata: former_category MALWARE; reference:url,www.powershellempire.com; classtype:trojan-activity; sid:2021616; rev:2; metadata:created_at 2015_08_12, updated_at 2015_08_12;)

Added 2019-09-26 19:58:03 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PSEmpire Checkin via POST"; flow:to_server,established; content:"POST"; http_method; urilen:14; content:"/admin/get.php"; fast_pattern:only; http_uri; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b| WOW64|3b| Trident/7.0|3b| rv|3a|11.0) like Gecko|0d 0a|"; http_header; content:!"Referer|3a 20|"; http_header; content:!"|0d 0a|Accept"; http_header; pcre:"/Cookie\x3a\x20SESSIONID=[A-Z0-9]{16}\r\n/"; reference:url,www.powershellempire.com; classtype:trojan-activity; sid:2021616; rev:2; metadata:created_at 2015_08_12, updated_at 2015_08_12;)

Added 2018-09-13 19:51:34 UTC


Added 2018-09-13 18:00:17 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PSEmpire Checkin via POST"; flow:to_server,established; content:"POST"; http_method; urilen:14; content:"/admin/get.php"; fast_pattern:only; http_uri; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b| WOW64|3b| Trident/7.0|3b| rv|3a|11.0) like Gecko|0d 0a|"; http_header; content:!"Referer|3a 20|"; http_header; content:!"|0d 0a|Accept"; http_header; pcre:"/Cookie\x3a\x20SESSIONID=[A-Z0-9]{16}\r\n/"; reference:url,www.powershellempire.com; classtype:trojan-activity; sid:2021616; rev:2; metadata:created_at 2015_08_12, updated_at 2015_08_12;)

Added 2017-08-07 21:16:19 UTC


Topic revision: r1 - 2020-11-05 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats