""ET TROJAN Win32/Agent.WMN CnC Beacon""
SID: 2020708
Revision: 1
Class Type: trojan-activity
Metadata: attack_target Client_Endpoint, created_at 2015_03_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel
Reference:
-
md5
-
3031604f1cf95ee4ccc339c9e4d5b92f
Protocol: tcp
Source Network: $HOME_NET
Source Port: any
Destination Network: $EXTERNAL_NET
Destination Port: $HTTP_PORTS
Flow: established,to_server
Contents:
-
Value: "POST"
-
Value: ".php"
-
Value: "Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|User-Agent" Depth: 59
-
Value: "=" Depth: 9 Offset: 4
-
Value: "=&"
Within: 2
PCRE: "/^[a-z]{4,12}=(?:[A-Za-z0-9+/]{4})*[A-Za-z0-9+/]{3}=&[a-z]{4,12}=[A-Za-z0-9+/]{4}/P"
Special Options:
-
http_method
-
http_uri
-
http_header
-
http_client_body
-
http_client_body