Versions (2)
Version DetailsCurrent
Rev: 2 • Jan 9, 2025, 12:00 PMET MALWARE PHASEJAM Web Shell Activity Observed M1
alert http any any -> $HOME_NET any (msg:"ET MALWARE PHASEJAM Web Shell Activity Observed M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dana-na/jam/getComponent.cgi?"; fast_pattern; startswith; pcre:"/^.*?\w+\x3d[1-5][\x26\s]/R"; reference:url,cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day; classtype:trojan-activity; sid:2059096; rev:2; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_01_09, deployment Perimeter, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag WebShell, updated_at 2026_05_07, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component; target:dest_ip;)
Jan 9, 2025, 12:00 PM
May 7, 2026, 12:00 PM
Jan 9, 2025, 10:34 PM
May 8, 2026, 9:35 PM
rules/emerging-malware.rules