Et rule 2046049 - Magic-SigExplorer

""ET WEB_SERVER LEMURLOOT WebShell Interaction Header - X-siLock-Step1 -1 Data Exfil Request - Observed in MOVEit File Transfer - INBOUND""

SID: 2046049

Revision: 1

Class Type: attempted-admin

Metadata: attack_target Web_Server, created_at 2023_06_02, deployment Perimeter, deployment SSLDecrypt, malware_family LEMURLOOT, performance_impact Low, confidence High, signature_severity Major, tag WebShell, updated_at 2023_06_02

Reference:

Link

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: any

Destination Network: [$HOME_NET,$HTTP_SERVERS]

Destination Port: any

Flow: established,to_server

Contents:

Value: "X-siLock-Step1|3a 20|-1"
Value: "X-siLock-Comment|3a 20|"
Value: "X-siLock-Step1|3a 20|"

Within:

PCRE: "/^X-siLock-Step1\x3a\x20[^\r\n]+[\r\n]+$/Hmi"

Special Options:

http_header
nocase
http_header
http_header

source