""ET WEB_CLIENT Malicious SCF File Inbound""

SID: 2024303

Revision: 2

Class Type: attempted-user

Metadata: affected_product Windows_Client_Apps, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, performance_impact Moderate, signature_severity Minor, updated_at 2022_05_03

Reference:

• Link

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: $HTTP_PORTS

Destination Network: $HOME_NET

Destination Port: any

Flow: established,to_client

Contents:

• Value: "[shell]"

• Value: "iconfile"

Within:

PCRE: "/^\s=\s\x5c\x5c/Rs"

Special Options:

• file_data

• nocase

• nocase

source