Back to Rule

Rule History

SID: 2034463 • Source: et/open

Versions (3)

Version DetailsCurrent

Rev: 1Nov 15, 2021, 12:00 PM

ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M5

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M5"; flow:established,to_server; http.request_line; content:"GET /jquery-3.3.2.slim.min.js HTTP/1.1"; fast_pattern; http.accept; content:"text/html,application/xhtml+xml|3b|q=0.9,*/*|3b|q=0.8"; bsize:47; http.accept_enc; content:"gzip, deflate"; bsize:13; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Referer|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; reference:url,twitter.com/fr0s7_/status/1458150977278726147; reference:md5,a8e97752bb385cc263d89350518633c2; classtype:trojan-activity; sid:2034463; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_15, deployment Perimeter, malware_family Cobalt_Strike, confidence Medium, signature_severity Major, updated_at 2021_11_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)

Nov 15, 2021, 12:00 PM

Nov 15, 2021, 12:00 PM

Sep 21, 2024, 3:00 AM

Sep 21, 2024, 3:00 AM

rules/emerging-malware.rules