Rule History

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Locky CnC Beacon 21 May"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/_dispatch.php"; fast_pattern; endswith; http.header; content:"|0d 0a|x-requested-with|3a 20|XMLHttpRequest|0d 0a|"; http.request_body; pcre:"/^[0-9a-zA-Z=%-]{0,48}(?:%[A-F0-9]{2}){4}/si"; http.content_type; content:"www-form-urlencoded"; endswith; reference:md5,6f8987e28fed878d08858a943e7c6e7c; classtype:command-and-control; sid:2022952; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_07_06, deployment Perimeter, confidence High, signature_severity Major, tag Locky, tag c2, updated_at 2020_10_30, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)