"ET ATTACK_RESPONSE Eval Hex Obfuscated JS Inbound"
SID: 2054246
Revision: 1
Class Type: bad-unknown
Metadata: attack_target Client_and_Server, created_at 2024_07_03, deployment Perimeter, deployment Internal, performance_impact Low, signature_severity Minor, tag Obfuscated, updated_at 2024_07_03, mitre_tactic_id TA0005, mitre_tactic_name Defense_Evasion, mitre_technique_id T1027, mitre_technique_name Obfuscated_Files_or_Information
Reference:
Protocol: tcp
Source Network: any
Source Port: $HTTP_PORTS
Destination Network: [$HOME_NET,$HTTP_SERVERS]
Destination Port: any
Flow: established,to_client
Contents:
-
Value: "text|2f|javascript"
-
Value: "eval|28|decodeURIComponent|28|escape|28|"
Within:
PCRE: "/^\x22\x27{5,20}/R"
Special Options:
- file_data