Et rule 2044136 - Magic-SigExplorer

""ET INFO Possible SMTP Data Exfiltration - File Attachment Named Files.zip""

SID: 2044136

Revision: 1

Class Type: trojan-activity

Metadata: affected_product Any, attack_target Client_Endpoint, created_at 2023_02_06, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Informational, updated_at 2023_02_06

Reference:

md5
1d9be2dfd54bf4a986c6cd1b7b630750

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: 587

Flow: established,to_server

Contents:

Value: "Content-Type|3a 20|application/x-zip-compressed|3b 0d 0a|"
Value: "name|3d 22|Files.zip|22 0d 0a|"
Value: "Content-Transfer-Encoding|3a 20|base64|0d 0a|"
Value: "Content-Disposition|3a 20|attachment|3b 0d 0a|"
Value: "filename|3d 22|Files.zip|22 0d 0a 0d 0a|"

Within:

PCRE:

Special Options:

fast_pattern

source