Rule History

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE QuickBooks Pop-Up Scam - Checkin Response"; flow:established,to_client; flowbits:isset,ET.QBScam.Checkin; http.response_body; content:"|22|status|22 3a|200|2c|"; content:"|22|message|22 3a|"; content:"|22|response|22 3a 7b 22|user|5f|token|5f|id|22 3a 22|"; fast_pattern; content:"|22|access|5f|token|22 3a 22|"; distance:0; reference:md5,2254df2f656b76071da28131b4eca9c4; reference:url,www.esentire.com/blog/threat-actors-using-fake-quickbooks-software-to-scam-organizations; classtype:command-and-control; sid:2049223; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_11_16, deployment Perimeter, performance_impact Low, confidence High, signature_severity Critical, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_11_16; target:dest_ip;)