# ET TROJAN Kimsuky "Operation Blue Estimate" - suspected C2 check-in (the "CnC?" in the
# msg marks the C2 attribution as tentative). Reference: blog.alyac.co.kr/2645.
#
# Fires on an established client->server HTTP flow from $HOME_NET to $EXTERNAL_NET when:
#   - the method is POST and the request URI ends exactly in ".php"
#     (isdataat:!1,relative = no byte may follow the ".php" match in the URI buffer);
#   - the client body contains `"; filename="` (|22 3b 20| = `"; `; presumably a multipart
#     Content-Disposition header - not otherwise established here), and starting 12 bytes
#     after that match (distance:12) the 61-byte sequence
#     `_log.txt"\r\nContent-Type: application/octet-stream\r\n\r\n0010::20`
#     (written below with |hex| escapes) falls inside a 62-byte window (within:62).
#
# Because that second pattern is 61 bytes long and the window is 62, the stem between
# `filename="` and `_log.txt` is effectively pinned to about 12 bytes; a change in the
# malware's naming scheme makes the rule go quiet rather than fire. NOTE(review): within
# is counted differently by Suricata (window starts after distance) and Snort (window
# starts at the end of the previous match), so confirm the window against the referenced
# sample before porting - TODO. The trailing `0010::20` bytes are matched as part of the
# uploaded body; their meaning is not documented here (presumably the first bytes of the
# exfiltrated log - verify).
#
# fast_pattern is placed on the long body content so the multi-pattern pre-filter keys on
# the most specific string rather than on "POST" or ".php".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Kimsuky Operation Blue Estimate CnC? Activity"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; isdataat:!1,relative; content:"|22 3b 20|filename=|22|"; http_client_body; content:"_log.txt|22 0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a 0d 0a|0010::20"; http_client_body; fast_pattern; distance:12; within:62; metadata: former_category MALWARE; reference:url,blog.alyac.co.kr/2645; classtype:trojan-activity; sid:2029222; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Kimsuky, signature_severity Major, created_at 2020_01_02, performance_impact Low, updated_at 2020_01_02;)

Added 2020-01-02 20:45:23 UTC

