Et rule 2034186 - Magic-SigExplorer

SID: 2034186

Revision: 2

Class Type: trojan-activity

Metadata: attack_target Client_Endpoint, created_at 2021_10_13, deployment Perimeter, deployment SSLDecrypt, malware_family CobaltStrike, malware_family Fin12, signature_severity Major, tag c2, updated_at 2021_10_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel

Reference:

Link

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

Value: "GET|20|/image-directory/bn.ico|20|HTTP/1.1"
Value: "Accept-Language|3a 20|en-GB|3b|q=0.9,|20|*|3b|q=0.7|0d 0a|"

Within:

PCRE: "/\x3a\x20[^\r\n]+\r\nConnection\x3a\x20[^\r\n]+\r\nAccept-Language\x3a\x20[^\r\n]+\r\nUser-Agent\x3a\x20[^\r\n]+\r\nHost\x3a\x20[^\r\n]+\r\nCache-Control\x3a\x20[^\r\n]+[\r\n]+$/H"

Special Options:

fast_pattern
http_header

source

""ET TROJAN FIN12 Related WEIRDLOOP/Cobalt Strike Beacon Activity (GET)""