alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Metasploit Java Payload"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"Payload.class"; nocase; fast_pattern:only; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; reference:url,metasploit.com/modules/exploit/multi/browser/java_jre17_exec; classtype:trojan-activity; sid:2015657; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2012_08_28, updated_at 2016_07_01;)

Added 2017-08-07 21:09:16 UTC


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Metasploit Java Payload"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"Payload.class"; nocase; fast_pattern:only; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; reference:url,metasploit.com/modules/exploit/multi/browser/java_jre17_exec; classtype:trojan-activity; sid:2015657; rev:2;)

Added 2013-04-29 13:26:51 UTC

I realize this is only a possible Metasploit Java payload signature, but I figured I would submit my findings on a particular false positive that may be common. We have seen false positives on the following JAR file from Cisco utilizing org/bouncycastle/crypto/agreement/jpake/JPAKERound1Payload.class

EnvelopeTools51.jar https://www.virustotal.com/en/file/58d22261989faac0d7838ae1b989257547dd3a16be7ef110b348390745b700ff/analysis/

-- DanielDuBose - 2015-01-16
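The false positive above follows directly from how the rule is written: content:"Payload.class"; nocase; is a plain case-insensitive substring match over the HTTP response body, and ZIP entry names sit in cleartext inside a JAR, so any class whose name merely ends in "Payload.class" (such as BouncyCastle's JPAKERound1Payload.class) trips it. The script below is an added example, not code from Emerging Threats or the rule author. It builds two constructed in-memory JARs, runs the rule's substring logic over the raw bytes, and then applies a stricter, hypothetical check (my proposal, not an ET rule) that parses the ZIP and only fires when "Payload.class" is a whole path component.

```python
import io
import re
import zipfile

# The rule's match condition: content:"Payload.class"; nocase; applied to file_data
# (the HTTP response body). For a JAR this is a substring search over raw ZIP bytes,
# where entry names appear in cleartext in local file headers and the central directory.
RULE_CONTENT = b"Payload.class"

# Stricter alternative (an assumption for illustration, not an Emerging Threats rule):
# "Payload.class" must be a whole path component, i.e. preceded by the start of the
# entry name or a '/', so "JPAKERound1Payload.class" does not qualify.
STRICT_RE = re.compile(rb"(?:^|/)Payload\.class$", re.IGNORECASE)


def build_jar(entries):
    """Build an in-memory JAR (a ZIP archive) from {entry_name: bytes}.

    Constructed test data only; the class bodies are placeholders, not real bytecode.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def rule_matches(body):
    """What sid:2015657 does: case-insensitive substring match anywhere in the body."""
    return RULE_CONTENT.lower() in body.lower()


def strict_matches(body):
    """Hypothetical tightening: inspect ZIP entry names and require a path-component boundary."""
    try:
        with zipfile.ZipFile(io.BytesIO(body)) as zf:
            return any(STRICT_RE.search(name.encode()) for name in zf.namelist())
    except zipfile.BadZipFile:
        # Not a ZIP at all; the name-based check cannot apply.
        return False


# Constructed samples (placeholder contents, not real class files):
#   SUSPICIOUS_JAR carries a top-level class literally named Payload.class under a made-up package.
#   BENIGN_JAR reproduces the BouncyCastle entry name reported in the false positive above.
#   OTHER_JAR has nothing resembling the pattern.
SUSPICIOUS_JAR = build_jar({"demo/Payload.class": b"\xca\xfe\xba\xbe placeholder"})
BENIGN_JAR = build_jar(
    {"org/bouncycastle/crypto/agreement/jpake/JPAKERound1Payload.class": b"\xca\xfe\xba\xbe placeholder"}
)
OTHER_JAR = build_jar({"com/example/Foo.class": b"\xca\xfe\xba\xbe placeholder"})


def evaluate(body):
    """Return (rule_fires, strict_fires) for a response body."""
    return rule_matches(body), strict_matches(body)


if __name__ == "__main__":
    for label, jar in (("suspicious", SUSPICIOUS_JAR), ("benign", BENIGN_JAR), ("other", OTHER_JAR)):
        print(label, evaluate(jar))
```

Running it shows the rule's substring match firing on both the suspicious and the BouncyCastle-style JAR, while the boundary-aware check fires only on the first. Suricata cannot parse the ZIP the way this script does, so the practical options on the sensor side are a threshold or suppression for known-good sources, or a tighter content/pcre pattern; the script is only meant to make the cause of the false positive concrete.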


Topic revision: r2 - 2015-01-16 - DanielDuBose
Copyright © Emerging Threats