Et rule 2037226 - Magic-SigExplorer

""ET WEB_SERVER Win32/SessionManager2 Backdoor S5WRITE Command (Inbound)""

SID: 2037226

Revision: 2

Class Type: trojan-activity

Metadata: attack_target Web_Server, created_at 2022_06_30, deployment Perimeter, malware_family SessionManager, signature_severity Major, updated_at 2023_05_11, reviewed_at 2024_01_08

Reference:

Link

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: $HTTP_PORTS

Destination Network: $HOME_NET

Destination Port: any

Flow: established,to_server

Contents:

Value: "SM_SESSION=S5WRITE|3b|"
Value: "SM_SESSION=S5WRITE|3b|"

Within:

PCRE:

Special Options:

http_cookie

source