""ET ATTACK_RESPONSE Havoc/Sliver Framework TLS Certificate Observed""
SID: 2037323
Revision: 2
Class Type: trojan-activity
Metadata: affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, malware_family Sliver, malware_family Havoc, performance_impact Low, signature_severity Major, updated_at 2024_01_03
Reference:
Protocol: tcp
Source Network: $EXTERNAL_NET
Source Port: any
Destination Network: $HOME_NET
Destination Port: any
Flow: established,to_client
Contents:
-
Value: "|16|"
-
Value: "|0b|"
-
Value: "|31 0b 30 09 06 03 55 04 06 13 02|US|31 13 30 11 06 03 55 04 08 13 0a|California|31 12 30 10 06 03 55 04 07 13 09|Palo Alto|31 09 30 07 06 03 55 04 09 13 00 31 0d 30 0b 06 03 55 04 11 13 04|"
-
Value: "|06 03 55 04 0a 13|"
-
Value: "Cloud"
-
Value: "|06 03 55 04 03|"
-
Value: !"|2a 86 48 86 f7 0d 01 09 01|"
Within: 5
PCRE: "/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"
Special Options:
- nocase