alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Encoded Wide PowerShell? (IEX) in Certificate Inbound"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"-----BEGIN|20|CERTIFICATE-----|0d 0a|YVFCb"; depth:40; fast_pattern; metadata: former_category CURRENT_EVENTS; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/cve-2019-2725-exploited-and-certificate-files-used-for-obfuscation-to-deliver-monero-miner/; classtype:trojan-activity; sid:2027462; rev:1; metadata:deployment Perimeter, signature_severity Major, created_at 2019_06_12, performance_impact Low, updated_at 2019_06_12;)

Added 2019-06-12 18:57:33 UTC


Topic revision: r1 - 2019-06-12 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats