Versions (3)
Version DetailsCurrent
Rev: 1 • May 9, 2023, 12:00 PMET ATTACK_RESPONSE MrRobot LYON Admin Panel Inbound
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE MrRobot LYON Admin Panel Inbound"; flow:established,to_client; http.response_body; content:"|3c|title|3e|Login|3c 2f|title|3e|"; content:"class|3d 22|card|2d|title|20|text|2d|center|22 3e|Panel|20|Login|3c 2f|div|3e|"; fast_pattern; content:"method|3d 22|post|22 20|action|3d 22|user|2e|php|22 3e|"; content:"id|3d 22|exampleInputPassword1|22 20|name|3d 22|password|22 20|placeholder|3d 22|Password|22 3e|"; content:"|3c|input|20|type|3d 22|submit|22 20|name|3d 22|login|22 20|value|3d 22|Sign|20|in|22 20|class|3d 22|btn|20|btn|2d|primary|20|btn|2d|block|22 2f 3e|"; reference:url,twitter.com/luc4m/status/1655886075640913922; classtype:trojan-activity; sid:2045624; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_05_09, deployment Perimeter, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_05_09;)
May 9, 2023, 12:00 PM
May 9, 2023, 12:00 PM
May 9, 2023, 9:00 PM
Aug 22, 2025, 9:34 PM
rules/emerging-attack_response.rules