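# ET POLICY sid:2027201 - "explorer.exe shell:::{CLSID}" seen in a server->client
# TCP stream. Matches "explorer.exe " (case-insensitive), then the literal
# "shell:::{" prefix ending within 20 bytes of it, then a full GUID/CLSID
# (8-4-4-4-12 hex groups) closed by "}".
#
# Changes vs rev:2:
#  * The rev:2 pcre ended in "[a-f0-9]\x7d", i.e. ONE hex digit followed by "}".
#    A well-formed CLSID has a 12-hex-digit final group, so the regex could never
#    match a real "shell:::{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}" and the rule
#    was effectively dead. The final group is now "[a-f0-9]{12}".
#  * "shell:::{" is now matched with nocase, consistent with the nocase on the
#    first content and the /i flag on the pcre; without it a mixed-case
#    "Shell:::{" trivially evaded the signature.
#  * rev bumped to 3 so engines reload the changed rule.
# NOTE(review): classtype is trojan-activity on a POLICY-category rule; left as-is
# since it only affects alert classification/priority, not matching.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Explorer Shell CLSID COM Object Call Method Inbound via TCP"; flow:established,from_server; content:"explorer.exe|20|"; nocase; content:"shell|3a 3a 3a 7b|"; nocase; distance:0; within:20; fast_pattern; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}\x7d/Ri"; metadata: former_category POLICY; classtype:trojan-activity; sid:2027201; rev:3; metadata:created_at 2019_04_15, updated_at 2019_04_15;)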

Added 2019-04-15 19:06:46 UTC

