Et rule 2016134 - Magic-SigExplorer

""ET ATTACK_RESPONSE Obfuscated JS - URL Encoded Unescape Function Call Inbound""

SID: 2016134

Revision: 3

Class Type: misc-activity

Metadata: created_at 2012_12_30, updated_at 2022_06_10, mitre_tactic_id TA0005, mitre_tactic_name Defense_Evasion, mitre_technique_id T1027, mitre_technique_name Obfuscated_Files_or_Information

Reference:

Link

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: $HTTP_PORTS

Destination Network: $HOME_NET

Destination Port: any

Flow: established,from_server

Contents:

Value: "%2e%6c%6f%63%61%74%69%6f%6e%20%3d%20%75%6e%65%73%63%61%70%65%28%22%25%75"

Within:

PCRE:

Special Options:

file_data
nocase

source