"ET ATTACK_RESPONSE FightAgent WebShell Response Outbound"
SID: 2046242
Revision: 1
Class Type: attempted-admin
Metadata: attack_target Client_Endpoint, created_at 2023_06_13, deployment Perimeter, confidence High, signature_severity Critical, updated_at 2023_06_13
Reference:
Protocol: tcp
Source Network: [$HOME_NET,$HTTP_SERVERS]
Source Port: any
Destination Network: $EXTERNAL_NET
Destination Port: any
Flow: established,to_client
Contents:
-
Value: "|24|malsite"
-
Value: "|24|dbname|20 3d 20 24 5f|GET|5b 27|dbname|27 5d 3b|"
-
Value: "|24|dbserver|20 3d 20 24 5f|COOKIE|5b 22|dbserver|22 5d 3b|"
-
Value: "|24|dbuser|20 3d 20 24 5f|COOKIE|5b 22|dbuser|22 5d 3b|"
-
Value: "|24|dbpass|20 3d 20 24 5f|COOKIE|5b 22|dbpass|22 5d 3b|"
-
Value: "|22|Dump|2d 24|dbname|2d 24|date|22 3b|"
Within:
PCRE:
Special Options:
-
file_data
-
fast_pattern
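The six content matches above are written in Snort/Suricata content syntax: text between `|...|` is hex bytes, everything else is literal ASCII, and since no `nocase` is listed the comparison is byte-exact. Decoded, they are PHP source fragments (`$malsite`, `$dbname = $_GET['dbname'];`, three `$_COOKIE[...]` assignments and `"Dump-$dbname-$date";`), and `file_data` with `flow:established,to_client` means they are searched in the HTTP response body leaving `$HOME_NET`/`$HTTP_SERVERS`, i.e. the rule fires when a server hands that source back to a client. The script below is an added example, not code from the ET ruleset or the page: it decodes each content string, checks all six against a response body the way independent (no `distance`/`within`) contents are evaluated, and assembles a rule line from the listed fields. The two sample bodies are constructed for the test and are not real FightAgent source; the option order in the assembled rule and the choice of which content carries `fast_pattern` (the page does not say) are assumptions.

```python
import re

# Fields copied from this page's listing of SID 2046242.
RULE_MSG = "ET ATTACK_RESPONSE FightAgent WebShell Response Outbound"
RULE_SID = 2046242
RULE_REV = 1

# The content match strings exactly as listed on the page. Snort/Suricata
# syntax: bytes between |...| are hex, everything else is literal ASCII,
# and the match is byte-exact and case-sensitive (no nocase is listed).
RULE_CONTENTS = [
    "|24|malsite",
    "|24|dbname|20 3d 20 24 5f|GET|5b 27|dbname|27 5d 3b|",
    "|24|dbserver|20 3d 20 24 5f|COOKIE|5b 22|dbserver|22 5d 3b|",
    "|24|dbuser|20 3d 20 24 5f|COOKIE|5b 22|dbuser|22 5d 3b|",
    "|24|dbpass|20 3d 20 24 5f|COOKIE|5b 22|dbpass|22 5d 3b|",
    "|22|Dump|2d 24|dbname|2d 24|date|22 3b|",
]

_HEX_RUN = re.compile(r"\|([0-9A-Fa-f ]*)\|")


def decode_content(spec: str) -> bytes:
    """Convert one content string into the raw bytes the engine looks for."""
    out = bytearray()
    pos = 0
    for m in _HEX_RUN.finditer(spec):
        out += spec[pos:m.start()].encode("latin-1")      # literal text before |..|
        out += bytes.fromhex(m.group(1).replace(" ", ""))  # the hex run itself
        pos = m.end()
    out += spec[pos:].encode("latin-1")                   # trailing literal text
    return bytes(out)


def content_hits(body: bytes) -> dict:
    """Check each content against the HTTP response body (the file_data buffer).

    The listed contents carry no distance/within modifiers, so each one is an
    independent search over the whole buffer: order of appearance is irrelevant,
    but every one of them must be present for the rule to fire.
    """
    return {spec: decode_content(spec) in body for spec in RULE_CONTENTS}


def rule_fires(body: bytes) -> bool:
    return all(content_hits(body).values())


def reconstruct_rule() -> str:
    """Assemble a Suricata-style rule line from the page's fields.

    Assumption: the page lists file_data and fast_pattern but not which content
    fast_pattern is attached to; here it goes on the longest decoded content,
    which may differ from the real rule. Option order is also an assumption.
    """
    longest = max(RULE_CONTENTS, key=lambda s: len(decode_content(s)))
    opts = [f'msg:"{RULE_MSG}"', "flow:established,to_client", "file_data"]
    for spec in RULE_CONTENTS:
        opts.append(f'content:"{spec}"')
        if spec == longest:
            opts.append("fast_pattern")
    opts += ["classtype:attempted-admin", f"sid:{RULE_SID}", f"rev:{RULE_REV}"]
    return ("alert tcp [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any ("
            + " ".join(o + ";" for o in opts) + ")")


# Constructed test inputs (not real FightAgent source): a response body that
# echoes PHP source containing all six strings, and a near-miss that differs
# by one byte pair (double quotes in the $_GET index), which must not fire.
SAMPLE_RESPONSE_BODY = b"""<?php
$malsite = "";
$dbname = $_GET['dbname'];
$dbserver = $_COOKIE["dbserver"];
$dbuser = $_COOKIE["dbuser"];
$dbpass = $_COOKIE["dbpass"];
$out = "Dump-$dbname-$date";
?>
"""
NEAR_MISS_BODY = SAMPLE_RESPONSE_BODY.replace(b"$_GET['dbname']", b'$_GET["dbname"]')


if __name__ == "__main__":
    for spec in RULE_CONTENTS:
        print(f"{spec!r:60} -> {decode_content(spec)!r}")
    print("sample fires:", rule_fires(SAMPLE_RESPONSE_BODY))
    print("near-miss fires:", rule_fires(NEAR_MISS_BODY))
    print(reconstruct_rule())
```

The near-miss case is the practical caveat: because the contents are byte-exact, a copy of the shell that was reformatted (different quoting, extra spaces around `=`) slips past this signature even though it is functionally the same code, so hits should be treated as high-confidence and misses as no evidence of absence.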