"ET TROJAN Suspected PULSECHECK Webshell Access Inbound"
SID: 2032786
Revision: 3
Class Type: attempted-admin
Metadata: attack_target Server, created_at 2021_04_20, deployment Perimeter, deployment Internal, deployment SSLDecrypt, signature_severity Major, updated_at 2021_05_05
Reference:
Protocol: tcp
Source Network: any
Source Port: any
Destination Network: [$HOME_NET,$HTTP_SERVERS]
Destination Port: $HTTP_PORTS
Flow: established,to_server
Contents:
- Value: "POST"
- Value: "x_cmd|3a 20|"
- Value: "x_key|3a 20|"
- Value: "x_cnt|3a 20|"
Within:
PCRE: "/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/R"
Special Options:
- http_method
- http_header
- fast_pattern
- http_header
- nocase
- http_header
- nocase