Versions (3)
Version DetailsCurrent
Rev: 3 • Sep 27, 2018, 12:00 PMET EXPLOIT_KIT Underminer EK Key POST
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Underminer EK Key POST"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/"; content:".html"; distance:26; within:5; pcre:"/\/(?![a-z]{26}|[0-9]{26})[a-z0-9]{26}\.html$/i"; http.header; content:"/"; content:".html"; distance:26; within:5; http.referer; content:".html"; endswith; pcre:"/^[^\r\n]+(?![a-z]{26}|[0-9]{26})[a-z0-9]{26}\.html/"; http.cookie; content:"token="; depth:6; http.request_body; content:"{|22|mode|22 3a|10,|22|key|22 3a 22|"; nocase; depth:18; fast_pattern; http.content_type; content:"text/plain|3b|charset=UTF-8"; classtype:exploit-kit; sid:2026421; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_27, deployment Perimeter, confidence High, signature_severity Major, tag Underminer_EK, updated_at 2020_08_25;)
Sep 27, 2018, 12:00 PM
Aug 25, 2020, 12:00 PM
Sep 21, 2024, 3:00 AM
May 30, 2025, 12:04 AM
rules/emerging-exploit_kit.rules