SID: 2037745

Revision: 1

Class Type: trojan-activity

Metadata: attack_target Client_Endpoint, created_at 2022_07_12, deployment Perimeter, deployment SSLDecrypt, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_07_12, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation

Reference:

  • md5

  • 0842c91746d69e9c14e51425d1ceca3f

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

  • Value: "__cfduid=" Depth: 9

  • Value: "GET /api/v2/login HTTP/1.1"

  • Value: "code.jquery.com"

Within:

PCRE: "/^__cfduid=[A-Za-z0-9-_]{171}$/C"

Special Options:

  • http_cookie

  • fast_pattern

  • http_header

source