""ET ATTACK_RESPONSE Possibly Malicious VBS Writing to Persistence Registry Location""

SID: 2026427

Revision: 3

Class Type: bad-unknown

Metadata: affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_28, deployment Perimeter, deployment alert_only, performance_impact Low, signature_severity Major, tag VBS, tag Persistence, updated_at 2023_04_19

Reference:

  • md5: cac1aedbcb417dcba511db5caae4b8c0

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: $HTTP_PORTS

Destination Network: $HOME_NET

Destination Port: any

Flow: established,from_server

Contents:

  • Value: "200"

  • Value: "on|20|error|20|resume|20|next"

  • Value: ".regwrite|20 22|"

  • Value: "|5c|software|5c|microsoft|5c|windows|5c|currentversion|5c|run"

Within: 80 (relative modifier on the final content: the registry path must lie entirely within the 80 bytes that follow the end of the `.regwrite|20 22|` match)

PCRE: (none)

Special Options:

  • http_stat_code

  • file_data

  • nocase
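The match chain above can be checked by hand against a captured HTTP response. The following Python is an added example written for this page, not code from the Emerging Threats ruleset or from Suricata: it applies the same `http_stat_code` check, the `file_data` contents with `nocase`, and the `within:80` window to a raw response and reports whether the signature logic would fire. The HTTP responses, the VBS scripts, the registry value name and the dropped file path are all constructed for the example.

```python
import re

# Byte patterns taken from the rule's content matches, with the |hex| escapes
# decoded: |20| is a space, |22| a double quote, |5c| a backslash.
ON_ERROR = b"on error resume next"
REGWRITE = b'.regwrite "'
RUN_KEY = b"\\software\\microsoft\\windows\\currentversion\\run"
WITHIN = 80  # within:80 on the RUN_KEY content


def split_response(raw: bytes):
    """Return (status_code, body) for a raw, uncompressed HTTP/1.x response."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError("malformed status line")
    return parts[1], body


def matches_sid_2026427(raw: bytes) -> bool:
    """True if the rule's content chain matches this server response."""
    code, body = split_response(raw)
    # http_stat_code; content:"200"; (status code match, no nocase)
    if code != b"200":
        return False
    # file_data switches the remaining contents to the response body.
    # All three are nocase, so fold the body once and search lowercase patterns.
    data = body.lower()
    # "on error resume next" may appear anywhere in the body (no relative modifier).
    if ON_ERROR not in data:
        return False
    # `.regwrite "` anchors the final content: RUN_KEY must sit entirely inside the
    # 80 bytes after the anchor ends. Like the engine, retry on every occurrence
    # of the anchor before declaring a miss.
    start = 0
    while True:
        idx = data.find(REGWRITE, start)
        if idx == -1:
            return False
        prev_end = idx + len(REGWRITE)
        if RUN_KEY in data[prev_end:prev_end + WITHIN]:
            return True
        start = idx + 1


def http_200(body: bytes) -> bytes:
    """Wrap a body in a minimal constructed 200 response."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body) + body)


# Constructed sample: a dropper-style script that registers itself under the
# per-user Run key. Value name and path are invented for the example.
PERSIST_VBS = (
    b'On Error Resume Next\r\n'
    b'Set sh = CreateObject("WScript.Shell")\r\n'
    b'sh.RegWrite "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", '
    b'"wscript.exe C:\\Users\\Public\\upd.vbs", "REG_SZ"\r\n'
)

# Same behaviour, but the key is held in a variable, so `.RegWrite "` is never
# followed by the literal path and the signature does not fire.
VARIABLE_KEY_VBS = (
    b'On Error Resume Next\r\n'
    b'Set sh = CreateObject("WScript.Shell")\r\n'
    b'k = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"\r\n'
    b'sh.RegWrite k, "wscript.exe C:\\Users\\Public\\upd.vbs", "REG_SZ"\r\n'
)

if __name__ == "__main__":
    print("persist  :", matches_sid_2026427(http_200(PERSIST_VBS)))
    print("variable :", matches_sid_2026427(http_200(VARIABLE_KEY_VBS)))
    print("404 page :", matches_sid_2026427(
        b"HTTP/1.1 404 Not Found\r\n\r\n" + PERSIST_VBS))
```

Two points worth noticing when tuning this rule. The 80-byte window after `.regwrite "` comfortably covers a hive prefix such as `HKCU\` or `HKLM\`, and because the final content ends at `\run` it also matches `\CurrentVersion\RunOnce`. Conversely, the match is purely literal: a script that keeps the key in a variable, concatenates it from fragments or builds it with `Chr()` is not caught, and since the rule only inspects plaintext HTTP bodies at the perimeter, the same script fetched over TLS is invisible to it.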
