Versions (4)
Version DetailsCurrent
Rev: 2 • May 13, 2024, 12:00 PMET MALWARE W32/Badspace.Backdoor CnC Activity (POST)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Badspace.Backdoor CnC Activity (POST)"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.uri; content:"|2f|"; http.user_agent; content:"Mozilla|20 2f 20|"; startswith; fast_pattern; content:"MSIE|20|6|2e|0|3b 20|Windows|20|NT|20|5|2e|1|3b 20|SV1|3b|"; distance:0; http.cookie; bsize:>100; pcre:"/^(?:[A-Za-z0-9\x2b\x2f\x3d]){100,}$/"; classtype:trojan-activity; sid:2052558; rev:2; metadata:attack_target Client_Endpoint, created_at 2024_05_13, deployment Perimeter, confidence High, signature_severity Major, tag c2, updated_at 2024_08_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
May 13, 2024, 12:00 PM
Aug 19, 2024, 12:00 PM
Sep 21, 2024, 3:00 AM
May 30, 2025, 12:04 AM
rules/emerging-malware.rules