ET JA3 Hash - Possible POSHC2 Client CnC - Suricata Rule 2030366 (et/open)

ET JA3 Hash - Possible POSHC2 Client CnC

SID: 2030366Rev: 14 viewsHistory

Sourceet/open

CreatedJune 19, 2020

UpdatedJune 19, 2020

Classificationunknown

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible POSHC2 Client CnC"; flowbits:set,ET.poshc2.powershellclient; flowbits:noalert; ja3.hash; content:"c12f54a3f91dc7bafd92cb59fe009a35"; reference:url,labs.nettitude.com/blog/detecting-poshc2-indicators-of-compromise/; classtype:unknown; sid:2030366; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_06_19, deployment Perimeter, malware_family PoshC2, performance_impact Low, confidence Low, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_06_19;)

References

url	labs.nettitude.com/blog/detecting-poshc2-indicators-of-compromise/

Metadata

attack targetClient_Endpoint

created at2020_06_19

deploymentPerimeter

malware familyPoshC2

performance impactLow

confidenceLow

signature severityMajor

tagDescription_Generated_By_Proofpoint_Nexus

updated at2020_06_19

Comments (0)

Please sign in to leave a comment.

No comments yet. Be the first to comment!