Et rule 2027235 - Magic-SigExplorer

""ET ATTACK_RESPONSE Windows SCM DLL Hijack Command (UTF-16) Inbound via HTTP M2""

SID: 2027235

Revision: 2

Class Type: attempted-user

Metadata: affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_04_21, deployment Perimeter, performance_impact Low, signature_severity Major, tag T1038, updated_at 2019_04_22

Reference:

Link

Protocol: tcp

Source Network: any

Source Port: $HTTP_PORTS

Destination Network: $HOME_NET

Destination Port: any

Flow: established,from_server

Contents:

Value: "200"
Value: "|00|s|00|t|00|o|00|p|00 20 00|S|00|e|00|s|00|s|00|i|00|o|00|n|00|E|00|n|00|v|00|"
Value: "|00|c|00|o|00|p|00|y|00 20 00|T|00|S|00|M|00|S|00|I|00|S|00|r|00|v|00|.|00|d|00|l|00|l|00|"
Value: "|00 5c 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00 5c 00|S|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5c 00|T|00|S|00|M|00|S|00|I|00|S|00|r|00|v|00|.|00|d|00|l|00|l|00|"

Within:

PCRE:

Special Options:

http_stat_code
file_data

source