Rule History

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA410 APT FlowCloud Hardcoded Request (POST)"; flow:established,to_server; content:"|0d 0a|X-Requested-With|3a 20|ShockwaveFlash/20.0.0.306|0d 0a|"; http.request_line; content:"POST /messagebroker/amf HTTP/1.1"; fast_pattern; http.referer; content:"http|3a 2f 2f|s.peheavens.com/html/portlet/ext/draco/resources/draco_manager.swf/"; http.cookie; content:"COOKIE_SUPPORT="; startswith; content:"JSESSIONID="; distance:0; content:"COMPANY_ID="; distance:0; content:"ID="; distance:0; content:"PASSWORD="; distance:0; content:"LOGIN="; distance:0; content:"SCREEN_NAME"; distance:0; content:"GUEST_LANGUAGE_ID="; distance:0; reference:url,www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/; classtype:trojan-activity; sid:2036391; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_27, deployment Perimeter, malware_family TA410, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_04_27;)