Versions (3)
Version DetailsCurrent
Rev: 2 • Nov 5, 2014, 12:00 PMET DELETED Possible Malicious Attachment With Double Extension Ending In EXE
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Malicious Attachment With Double Extension Ending In EXE"; flow:established,to_client; content:"Content-Disposition|3a 20|attachment|3b 20|filename="; nocase; http_header; content:".exe|0d 0a|"; distance:0; http_header; fast_pattern; pcre:"/^Content-Disposition\x3a\x20attachment\x3b\x20filename=[^\r\n]+?\.[a-z]{2,4}\.exe\r?$/Hmi"; classtype:trojan-activity; sid:2019650; rev:2; metadata:created_at 2014_11_05, signature_severity Unknown, updated_at 2019_07_26, mitre_tactic_id TA0005, mitre_tactic_name Defense_Evasion, mitre_technique_id T1036, mitre_technique_name Masquerading;)
Nov 5, 2014, 12:00 PM
Jul 26, 2019, 12:00 PM
Sep 21, 2024, 3:00 AM
May 30, 2025, 12:04 AM
rules/emerging-deleted.rules