Et rule 2013278 - Magic-SigExplorer

""ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript NOP SLED""

SID: 2013278

Revision: 1

Class Type: shellcode-detect

Metadata: created_at 2011_07_14, tag possible_exploitation, updated_at 2011_07_14, mitre_tactic_id TA0005, mitre_tactic_name Defense_Evasion, mitre_technique_id T1027, mitre_technique_name Obfuscated_Files_or_Information

Reference:

Link

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: $HTTP_PORTS

Destination Network: $HOME_NET

Destination Port: any

Flow: established,to_client

Contents:

Value: "|5C 5C|x90|5C 5C|x90|5C 5C|x90|5C 5C|x90"

Within:

PCRE:

Special Options:

nocase

source