Et rule 2052236 - Magic-SigExplorer

SID: 2052236

Revision: 1

Class Type: trojan-activity

Metadata: attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2024_04_23, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_04_23

Reference:

md5
5a04d9067b8cb6bcb916b59dcf53bed3

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

Value: "GET"
Value: ".dll.xml"

Within:

PCRE: "/^User-Agent\x3a\x20[0-9a-f]{8}-(?:([0-9a-f]{4})-){3}[0-9a-f]{12}\r\n/Hm"

Special Options:

http_method
fast_pattern
http_uri

source

""ET TROJAN APT Related CR4T Dropper Activity M1 (GET)""