Rule History

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Possibly Malicious VBS Writing to Persistence Registry Location"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"on|20|error|20|resume|20|next"; nocase; content:".regwrite|20 22|"; distance:0; content:"|5c|software|5c|microsoft|5c|windows|5c|currentversion|5c|run"; within:80; fast_pattern; reference:md5,cac1aedbcb417dcba511db5caae4b8c0; classtype:bad-unknown; sid:2026427; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_28, deployment Perimeter, deployment alert_only, performance_impact Low, signature_severity Major, tag VBS, tag Persistence, updated_at 2023_04_19;)