Rule History

SID: 2016751 • Source: et/open

Versions (4)

Version DetailsCurrent

Rev: 10 • Apr 12, 2013, 12:00 PM

Message:

ET EXPLOIT_KIT RedKit/Sakura/CritX/SafePack/FlashPack applet + obfuscated URL Apr 10 2013

Rule:

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RedKit/Sakura/CritX/SafePack/FlashPack applet + obfuscated URL Apr 10 2013"; flow:established,from_server; file_data; content:"<applet"; nocase; pcre:"/^((?!(?i:<\/applet>)).)+?(?i:value)[\r\n\s]*=[\r\n\s]*\x5c?[\x22\x27](?!http\x3a\/\/)(?P<h>[^\x22\x27])(?P<t>(?!(?P=h))[^\x22\x27])(?P=t)[^\x22\x27]{2}(?P<slash>(?!((?P=h)|(?P=t)))[^\x22\x27])(?P=slash)[^\x22\x27]+(?P=slash)/Rs"; classtype:exploit-kit; sid:2016751; rev:10; metadata:created_at 2013_04_12, signature_severity Major, updated_at 2019_07_26, mitre_tactic_id TA0005, mitre_tactic_name Defense_Evasion, mitre_technique_id T1027, mitre_technique_name Obfuscated_Files_or_Information;)

Created:

Apr 12, 2013, 12:00 PM

Updated:

Jul 26, 2019, 12:00 PM

DB Created:

Sep 21, 2024, 3:00 AM

DB Updated:

May 30, 2025, 12:04 AM

Filename:

rules/emerging-exploit_kit.rules