"ET CURRENT_EVENTS Possible Successful Websocket Credential Phish Sep 15 2017"
SID: 2025001
Revision: 2
Class Type: trojan-activity
Metadata: affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_14, deployment Perimeter, signature_severity Critical, tag Phishing, updated_at 2017_09_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing
Reference:
Protocol: tcp
Source Network: $HOME_NET
Source Port: any
Destination Network: $EXTERNAL_NET
Destination Port: $HTTP_PORTS
Flow: to_server,established
Contents:
- Value: "GET"
- Value: "&transport=websocket&sid="
- Value: "Sec-WebSocket-Version|3a 20|13|0d 0a|"
- Value: "Sec-WebSocket-Extensions|3a 20|permessage-deflate"
- Value: "Sec-WebSocket-Key|3a 20|"
- Value: "connect.sid="
- Value: "io="
- Value: "Upgrade|3a 20|websocket"
- Value: "origin|3a 20|"
Within:
PCRE: "/^[^\r\n]+(?:s(?:e(?:rvic|cur)e|c(?:otia|ure)|antander|ign-?in|napchat)|c(?:h(?:eck(?:out)?|a(?:in|se))|ustomer|onfirm|loud)|p(?:ay(?:pa[il]|ment)|(?:hon|ost)e|rivacy)|i(?:n(?:terac|sta)|cloud|phone|tunes)|re(?:solution|covery|fund|port|dir)|a(?:pp(?:id|le)|ccount|mazon)|n(?:otification|etflix|terac)|l(?:o(?:cked|gin)|imited)|(?:etransf|twitt|ord)er|d(?:ocusign|ropbox)|f(?:acebook|orgot)|veri(?:tas|f)|upd(?:ate|t)|yahoo|bofa|hmrc)/Ri"
Special Options:
- http_uri
- fast_pattern
- http_header
- http_header
- http_header
- http_cookie
- http_cookie
- http_header