Versions (3)
Version DetailsCurrent
Rev: 3 • Jun 2, 2022, 12:00 PMET DELETED TA457 Related Activity M4 (POST)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED TA457 Related Activity M4 (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; bsize:1; http.header_names; content:"|0d 0a|Content-Length|0d 0a|Content-Type|0d 0a|Cookie|0d 0a|Accept-Encoding|0d 0a 0d 0a|"; fast_pattern; content:!"Referer"; http.content_type; content:"application/octet-stream"; bsize:24; http.cookie; pcre:"/^[A-Z]=[A-Za-z/+0-9=]{200,400}$/"; reference:md5,214011a0d57b1d8238532be4f6414f58; reference:url,research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/; classtype:trojan-activity; sid:2036759; rev:3; metadata:attack_target Client_Endpoint, created_at 2022_06_02, deployment Perimeter, deprecation_reason False_Positive, malware_family TA457, performance_impact Moderate, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_06_17;)
Jun 2, 2022, 12:00 PM
Jun 17, 2022, 12:00 PM
Jun 2, 2022, 11:00 PM
Sep 2, 2025, 9:35 PM
rules/emerging-deleted.rules