""ET CURRENT_EVENTS [TW] EvilProxy AiTM Set-Cookie""
SID: 2037848
Revision: 1
Class Type: trojan-activity
Metadata: attack_target Client_Endpoint, created_at 2022_07_29, deployment Perimeter, signature_severity Major, updated_at 2022_07_29
Reference:
Protocol: tcp
Source Network: $EXTERNAL_NET
Source Port: $HTTP_PORTS
Destination Network: $HOME_NET
Destination Port: any
Flow: established,to_client
Contents:
-
Value: "Server|3a 20|nginx/"
-
Value: "|0d 0a|Set-Cookie|3a 20|"
-
Value: "=|22 22 3b 20|Domain="
-
Value: "|3b 20|expires=Thu, 01 Jan 1970 00:00:00 GMT|3b 3b 20|Path=/|0d 0a|"
Within:
PCRE: "/Set-Cookie\x3a\x20[a-z0-9]{4}=\x22\x22\x3b/i"
Special Options: