"ET TROJAN ASPXSPY - Manic Menagerie Variant Activity M1"
SID: 2046753
Revision: 1
Class Type: trojan-activity
Metadata: affected_product Microsoft_IIS, attack_target Web_Server, created_at 2023_07_07, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2023_07_07
Reference:
Protocol: tcp
Source Network: $EXTERNAL_NET
Source Port: $HTTP_PORTS
Destination Network: $HOME_NET
Destination Port: any
Flow: established,to_server
Contents:
-
Value: "POST"
-
Value: ".aspx"
-
Value: "Backdoor="
-
Value: "Content-Disposition|3a 20|form-data|3b 20|name|3d 22 5f 5f|EVENTTARGET|22 0d 0a 0d 0a|Bin_"
-
Value: "Content-Disposition|3a 20|form-data|3b 20|name|3d 22 5f 5f|FILE|22 0d 0a 0d 0a|"
Within:
PCRE: "/Backdoor\x3d[a-f0-9]{32}/C"
Special Options:
-
http_method
-
http_uri
-
http_cookie
-
http_client_body
-
http_client_body