Versions (2)
Version DetailsCurrent
Rev: 5 • Sep 30, 2014, 12:00 PMET HUNTING Suspicious Base64 Encoded ZIP File in HTML Body (Magic Bytes)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Base64 Encoded ZIP File in HTML Body (Magic Bytes)"; flow:established,to_client; file_data; content:"data|3a|"; nocase; content:"base64,UEsDB"; within:60; fast_pattern; flowbits:set,et.exploitkitlanding; reference:url,urlscan.io/result/98d7e72b-67b8-4d7c-9735-c27525b0a550/#transactions; classtype:misc-activity; sid:2019324; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_09_30, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Informational, tag HTML_Smuggling, updated_at 2023_10_06, reviewed_at 2023_08_28, mitre_tactic_id TA0005, mitre_tactic_name Defense_Evasion, mitre_technique_id T1027, mitre_technique_name Obfuscated_Files_or_Information; target:src_ip;)
Sep 30, 2014, 12:00 PM
Oct 6, 2023, 12:00 PM
Sep 30, 2014, 12:00 PM
May 31, 2024, 9:00 PM
rules/emerging-hunting.rules