ET HUNTING Suspicious Base64 Encoded ZIP File in HTML Body (Magic Bytes)

SID: 2019324Rev: 523 views
History
Sourceet/open
CreatedSeptember 30, 2014
UpdatedOctober 6, 2023
Classificationmisc-activity
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Base64 Encoded ZIP File in HTML Body (Magic Bytes)"; flow:established,to_client; file_data; content:"data|3a|"; nocase; content:"base64,UEsDB"; within:60; fast_pattern; flowbits:set,et.exploitkitlanding; reference:url,urlscan.io/result/98d7e72b-67b8-4d7c-9735-c27525b0a550/#transactions; classtype:misc-activity; sid:2019324; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_09_30, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Informational, tag HTML_Smuggling, updated_at 2023_10_06, reviewed_at 2023_08_28, mitre_tactic_id TA0005, mitre_tactic_name Defense_Evasion, mitre_technique_id T1027, mitre_technique_name Obfuscated_Files_or_Information; target:src_ip;)

References

urlurlscan.io/result/98d7e72b-67b8-4d7c-9735-c27525b0a550/#transactions

Metadata

attack targetClient_Endpoint
created at2014_09_30
deploymentSSLDecrypt
performance impactLow
confidenceHigh
signature severityInformational
tagHTML_Smuggling
updated at2023_10_06
reviewed at2023_08_28
mitre tactic idTA0005
mitre tactic nameDefense_Evasion
mitre technique idT1027
mitre technique nameObfuscated_Files_or_Information

Comments (0)

Please sign in to leave a comment.
Sign in

No comments yet. Be the first to comment!