Rule History

SID: 2033065 • Source: et/open

Versions (3)

Version DetailsCurrent

Rev: 1 • Jun 1, 2021, 12:00 PM

Message:

ET MALWARE Cobalt Strike C2 Profile (news_indexedimages)

Rule:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike C2 Profile (news_indexedimages)"; flow:established,to_server; http.request_line; content:"GET /news_indexedimages_autrzd/"; startswith; fast_pattern; content:"&usqp=CAU HTTP/1.1"; endswith; http.referer; content:"http://www.google.com"; bsize:21; http.user_agent; content:"Mozilla|2f|5|2e|0|20 28|compatible|3b 20|MSIE|20|8|2e|0|3b 20|Windows|20|NT|20|6|2e|1|3b 20|Trident|2f|5|2e|0|29|"; bsize:63; reference:md5,8ece22e6b6e564e3cbfb190bcbd5d3b9; classtype:command-and-control; sid:2033065; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_01, deployment Perimeter, malware_family Cobalt_Strike, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2021_06_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)

Created:

Jun 1, 2021, 12:00 PM

Updated:

Jun 1, 2021, 12:00 PM

DB Created:

Sep 21, 2024, 3:00 AM

DB Updated:

Sep 21, 2024, 3:00 AM

Filename:

rules/emerging-malware.rules