"ET TROJAN Base64 Encoded Windows Command Prompt (Outbound)"
SID: 2037018
Revision: 1
Class Type: trojan-activity
Metadata: attack_target Client_Endpoint, created_at 2022_06_16, deployment Perimeter, signature_severity Major, updated_at 2022_06_16
Reference:
- md5: 29b6b195cf0671901b75b7d2ac6814f6
Protocol: tcp
Source Network: $HOME_NET
Source Port: any
Destination Network: $EXTERNAL_NET
Destination Port: any
Flow: established,to_server
Contents:
- Value: "TWljcm9zb2Z0IFdpbmRvd3MgW1ZlcnNpb24"
Within:
PCRE: "/(?:TWljcm9zb2Z0IENvcnBvcmF0aW9uL|1pY3Jvc29mdCBDb3Jwb3JhdGlvbi|NaWNyb3NvZnQgQ29ycG9yYXRpb24u)[a-zA-Z0-9\x2f\x2b]{25,35}(?:Cg0KQzpc|oNCkM6XD|KDQpDOlw\x2b)/R"
Special Options:
- fast_pattern