Rule History

SID: 2057484 • Source: et/open

Versions (2)

Version DetailsCurrent

Rev: 1 • Nov 14, 2024, 12:00 PM

Message:

ET MALWARE Observed Rogue RDP (UAC-0215) Domain (aws-online.cloud In TLS RDP Traffic)

Rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET 3389 (msg:"ET MALWARE Observed Rogue RDP (UAC-0215) Domain (aws-online.cloud In TLS RDP Traffic)"; flow:established,to_server; content:"|16 03|"; startswith; content:"aws-online.cloud"; distance:0; fast_pattern; reference:url,cert.gov.ua/article/6281076; classtype:command-and-control; sid:2057484; rev:1; metadata:attack_target Client_Endpoint, tls_state plaintext, created_at 2024_11_14, deployment Perimeter, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_14;)

Created:

Nov 14, 2024, 12:00 PM

Updated:

Nov 14, 2024, 12:00 PM

DB Created:

Dec 3, 2024, 4:00 PM

DB Updated:

Jul 8, 2025, 9:34 PM

Filename:

rules/emerging-malware.rules