# sid 2026738, rev:3 - alerts on an HTTP POST from $HOME_NET to $EXTERNAL_NET whose request
# shape matches what the rule attributes to Trickbot form-data exfiltration.
# What has to match:
#   - URI (normalized, pcre /U): a ".", 32 uppercase hex characters, then "/".
#   - Header buffer, in this order (each content is chained with distance:0):
#     "Accept: */*" within the first 12 bytes, the fixed MSIE 7.0 / Windows NT 6.1
#     User-Agent prefix, "Host: " followed by a dotted-quad IPv4 literal (pcre /RH),
#     "Connection: close", a multipart/form-data Content-Type, and Content-Length.
#   - No "Referer:" header anywhere in the header buffer.
#   - Request body (pcre /P): a Content-Disposition form-data part named source,
#     formdata, billinfo or cardinfo.
# Coverage notes for whoever deploys or tunes this:
#   - ="billinfo" is the fast_pattern, but a fast_pattern content is still a required
#     match, so this revision alerts only when the body contains a billinfo field; the
#     other names in the pcre alternation do not trigger it on their own.
#   - The Host pcre is anchored only at its start, so "a.b.c.d:port" also matches.
#   - The match depends on exact header order and User-Agent text, so a sample that
#     changes either will not alert; treat a quiet rule as "no match", not "clean".
#   - The body checks need the sensor to inspect the request body (see the libhtp
#     request-body-limit setting), and the rule only sees traffic parsed as HTTP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity] Trickbot Data Exfiltration"; flow:established,to_server; content:"POST"; http_method; pcre:"/\.[A-F0-9]{32}\//U"; content:"Accept|3a 20|*/*"; http_header; depth:12; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b 20|Windows NT 6.1|3b|"; http_header; distance:0; content:"Host|3a 20|"; http_header; distance:0; pcre:"/^(?:(?:\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])/RH"; content:"Connection|3a 20|close"; http_header; distance:0; content:"Content-Type|3a 20|multipart/form-data|3b| boundary="; http_header; distance:0; content:"Content-Length|3a 20|"; http_header; distance:0; content:!"Referer|3a|"; http_header; pcre:"/Content-Disposition\x3a\x20form-data\x3b\s*name=\x22(?:source|formdata|billinfo|cardinfo)\x22/Pm"; content:"=|22|billinfo|22|"; http_client_body; fast_pattern; metadata: former_category TROJAN; classtype:trojan-activity; sid:2026738; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_12_19, malware_family TrickBot?, updated_at 2019_04_02;)

Added 2019-04-02 18:23:33 UTC


# sid 2026738, rev:2 (created 2018_12_19) - earlier revision of the same signature; the
# page also lists rev:3, so load only one revision of this sid in a ruleset.
# What has to match:
#   - HTTP POST from $HOME_NET to $EXTERNAL_NET on an established, to_server flow.
#   - URI (normalized, pcre /U): a ".", 32 uppercase hex characters, then "/".
#   - Header buffer, in this order (each content is chained with distance:0):
#     "Accept: */*" within the first 12 bytes, the fixed MSIE 7.0 / Windows NT 6.1
#     User-Agent prefix, "Host: " followed by a dotted-quad IPv4 literal (pcre /RH),
#     "Connection: close", a multipart/form-data Content-Type, and Content-Length.
#   - No "Referer:" header anywhere in the header buffer.
#   - Request body: the literal 'Content-Disposition: form-data; name="source"'
#     (fast_pattern), plus the pcre /P check for a part named source, formdata,
#     billinfo or cardinfo.
# Coverage notes:
#   - The name="source" content is a required match, not only a prefilter, so this
#     revision alerts only on bodies that carry a "source" field with exactly one
#     space after "form-data;"; the pcre's \s* and other field names add nothing
#     unless that literal is also present.
#   - The match depends on exact header order and User-Agent text, and on the sensor
#     inspecting the request body (see the libhtp request-body-limit setting).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity] Trickbot Data Exfiltration"; flow:established,to_server; content:"POST"; http_method; pcre:"/\.[A-F0-9]{32}\//U"; content:"Accept|3a 20|*/*"; http_header; depth:12; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b 20|Windows NT 6.1|3b|"; http_header; distance:0; content:"Host|3a 20|"; http_header; distance:0; pcre:"/^(?:(?:\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])/RH"; content:"Connection|3a 20|close"; http_header; distance:0; content:"Content-Type|3a 20|multipart/form-data|3b| boundary="; http_header; distance:0; content:"Content-Length|3a 20|"; http_header; distance:0; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|source|22|"; http_client_body; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/Content-Disposition\x3a\x20form-data\x3b\s*name=\x22(?:source|formdata|billinfo|cardinfo)\x22/Pm"; metadata: former_category TROJAN; classtype:trojan-activity; sid:2026738; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_12_19, malware_family TrickBot?, updated_at 2018_12_19;)

Added 2018-12-19 19:18:15 UTC

