Et rule 2047155 - Magic-SigExplorer

""ET CURRENT_EVENTS Generic Credential Phish Landing Page 2023-08-09""

SID: 2047155

Revision: 1

Class Type: trojan-activity

Metadata: attack_target Client_Endpoint, created_at 2023_08_09, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2023_08_16

Reference:

Link

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: $HTTP_PORTS

Destination Network: $HOME_NET

Destination Port: any

Flow: established,to_client

Contents:

Value: "200"
Value: "|3c|html|20|value|3d 22|"
Value: "HNwYW4gY2xhc3M9Im5vcGUi"
Value: "HNwYW4gY2xhc3M9Im5vcGUi"
Value: "HNwYW4gY2xhc3M9Im5vcGUi"
Value: "HNwYW4gY2xhc3M9Im5vcGUi"
Value: "HNwYW4gY2xhc3M9Im5vcGUi"
Value: "|22 3e 3c|script"
Value: "data|3a|text|2f|javascript|3b|base64|2c|ZG9jdW1lbnQud3JpdGUoZGVjb2RlVVJJQ29tcG9uZW50KGVzY2FwZShhdG9iKGRvY3VtZW50LnF1ZXJ5U2VsZWN0b3IoImh0bWwiKS5nZXRBdHRyaWJ1dGUoInZhbHVlIikpKSkpO25veD0i"

Within:

PCRE:

Special Options:

http_stat_code
file_data

source