""ET TROJAN W32/Badspace.Backdoor CnC Activity (POST)""
SID: 2052558
Revision: 2
Class Type: trojan-activity
Metadata: attack_target Client_Endpoint, created_at 2024_05_13, deployment Perimeter, signature_severity Major, tag c2, updated_at 2024_08_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol
Reference:
Protocol: tcp
Source Network: $HOME_NET
Source Port: any
Destination Network: $EXTERNAL_NET
Destination Port: $HTTP_PORTS
Flow: established,to_server
Contents:
-
Value: "POST"
-
Value: "|2f|"
-
Value: "|0d 0a|User-Agent|3a 20|Mozilla|20 2f 20|"
-
Value: "MSIE|20|6|2e|0|3b 20|Windows|20|NT|20|5|2e|1|3b 20|SV1|3b|"
Within:
PCRE: "/^(?:[A-Za-z0-9\x2b\x2f\x3d]){100,}$/C"
Special Options:
-
http_method
-
http_uri
-
http_header