""ET TROJAN Possible PowerShell Empire Activity Outbound""

SID: 2027512

Revision: 2

Class Type: trojan-activity

Metadata: affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_24, deployment Perimeter, performance_impact Low, signature_severity Major, tag PowerShell_Empire, tag T1086, updated_at 2019_06_24

Reference:

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

  • Value: "GET"

  • Value: "/" Depth: 1

  • Value: "session="

  • Value: "User-Agent|3a 20|Mozilla|2f|5.0|20 28|Windows|20|NT|20|6.1"

  • Value: !"Referer|3a|"

  • Value: !"Cache"

  • Value: !"Accept"

  • Value: ".php|20|HTTP|2f|1.1|0d 0a|Cookie|3a 20|session="

Within:

PCRE: "/^session=(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/Ci"

Special Options:

  • http_method

  • http_uri

  • http_cookie

  • http_header

  • http_header

  • http_header

  • http_header

  • fast_pattern

source