""ET WEB_CLIENT Malicious SCF File Inbound""

SID: 2024303

Revision: 2

Class Type: attempted-user

Metadata: affected_product Windows_Client_Apps, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, performance_impact Moderate, signature_severity Minor, updated_at 2022_05_03

Reference:

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: $HTTP_PORTS

Destination Network: $HOME_NET

Destination Port: any

Flow: established,to_client

Contents:

  • Value: "[shell]"

  • Value: "iconfile"

Within:

PCRE: "/^\s=\s\x5c\x5c/Rs"

Special Options:

  • file_data

  • nocase

  • nocase

source