alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicous Macro DL EXE Jul 01 2016 (userdir dotted quad)"; flow:established,to_server; content:"/~"; http_uri; depth:2; pcre:"/^\/\~[a-z]+\/(?:[a-z]+\/)*[a-z]+\.exe$/Ui"; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?$/W"; http_header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; http_request_line; content:".exe HTTP/1."; fast_pattern; reference:md5,a27bb6ac49f890bbdb97d939ccaa5956; classtype:trojan-activity; sid:2022940; rev:4; metadata:affected_product MS_Office, attack_target Client_Endpoint, created_at 2016_07_01, deployment Perimeter, malware_family MalDocGeneric?, performance_impact Low, signature_severity Major, tag MalDoc?, updated_at 2020_03_05;)

Added 2020-08-05 19:12:18 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicous Macro DL EXE Jul 01 2016 (userdir dotted quad)"; flow:established,to_server; content:"/~"; http_uri; depth:2; pcre:"/^\/\~[a-z]+\/(?:[a-z]+\/)*[a-z]+\.exe$/Ui"; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?$/W"; http_header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; http_request_line; content:".exe HTTP/1."; fast_pattern; reference:md5,a27bb6ac49f890bbdb97d939ccaa5956; classtype:trojan-activity; sid:2022940; rev:4; metadata:affected_product MS_Office, attack_target Client_Endpoint, deployment Perimeter, tag MalDoc?, signature_severity Major, created_at 2016_07_01, malware_family MalDocGeneric?, performance_impact Low, updated_at 2020_03_05;)

Added 2020-03-05 19:36:42 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicous Macro DL EXE Jul 01 2016 (userdir dotted quad)"; flow:established,to_server; content:".exe"; http_uri; fast_pattern; content:"/~"; http_uri; depth:2; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; pcre:"/^\/\~[a-z]+\/(?:[a-z]+\/)*[a-z]+\.exe$/Ui"; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\r$/Hm"; reference:md5,a27bb6ac49f890bbdb97d939ccaa5956; classtype:trojan-activity; sid:2022940; rev:3; metadata:affected_product MS_Office, attack_target Client_Endpoint, deployment Perimeter, tag MalDoc?, signature_severity Major, created_at 2016_07_01, malware_family MalDocGeneric?, performance_impact Low, updated_at 2019_10_07;)

Added 2019-10-08 19:34:38 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicous Macro DL EXE Jul 01 2016 (userdir dotted quad)"; flow:established,to_server; content:".exe"; http_uri; fast_pattern:only; content:"/~"; http_uri; depth:2; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; pcre:"/^\/\~[a-z]+\/(?:[a-z]+\/)*[a-z]+\.exe$/Ui"; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\r$/Hm"; reference:md5,a27bb6ac49f890bbdb97d939ccaa5956; classtype:trojan-activity; sid:2022940; rev:2; metadata:affected_product MS_Office, attack_target Client_Endpoint, deployment Perimeter, tag MalDoc?, signature_severity Major, created_at 2016_07_01, malware_family MalDocGeneric?, performance_impact Low, updated_at 2016_07_01;)

Added 2017-08-07 21:17:57 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicous Macro DL EXE Jul 01 2016 (userdir dotted quad)"; flow:established,to_server; content:".exe"; http_uri; fast_pattern:only; content:"/~"; http_uri; depth:2; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; pcre:"/^\/\~[a-z]+\/(?:[a-z]+\/)*[a-z]+\.exe$/Ui"; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\r$/Hm"; reference:md5,a27bb6ac49f890bbdb97d939ccaa5956; classtype:trojan-activity; sid:2022940; rev:2;)

Added 2016-07-01 18:22:31 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicous Macro DL EXE Jul 01 2016 (userdir dotted quad)"; flow:established,to_server; content:".exe"; http_uri; fast_pattern:only; content:"/~"; http_uri; depth:2; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; pcre:"/^\/\~[a-z]+\/(?:[a-z]+\/)*[a-z]+\.exe$/Ui"; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\r$/Hm"; reference:md5,a27bb6ac49f890bbdb97d939ccaa5956; classtype:trojan-activity; sid:2022940; rev:2;)

Added 2016-07-01 18:21:17 UTC


Topic revision: r1 - 2020-08-05 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats