alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Kimsuky Related CnC?"; flow:established,to_server; content:"GET"; http_method; content:".php?WORD=com_"; fast_pattern; http_uri; pcre:"/^[0-9A-F]{12,16}/UR"; content:"&NOTE="; within:6; http_uri; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/UR"; reference:url,https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf; reference:md5,19f24aec5c1017d162e78863cff316fa; classtype:trojan-activity; sid:2029453; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2020_02_14, updated_at 2020_02_20;)

Added 2020-02-20 19:13:44 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Kimsuky Related CnC?"; flow:established,to_server; content:"GET"; http_method; content:".php?WORD=com_"; http_uri; pcre:"/^[0-9A-F]{16}/UR"; content:"&NOTE="; within:6; http_uri; content:",gzip(gfe),gzip(gfe)"; http_user_agent; fast_pattern; isdataat:!1,relative; reference:url,https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf; reference:md5,19f24aec5c1017d162e78863cff316fa; classtype:trojan-activity; sid:2029453; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2020_02_14, updated_at 2020_02_14;)

Added 2020-02-14 20:12:23 UTC


Topic revision: r1 - 2020-02-21 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats