ET HUNTING RAR file exfiltration over raw TCP

SID: 2035479Rev: 20 views
History
Sourceet/open
CreatedMarch 16, 2022
UpdatedMarch 16, 2022
Classificationmisc-activity
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING RAR file exfiltration over raw TCP"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"Rar|21 1a 07 00|"; fast_pattern; startswith; content:"|73|"; distance:2; content:"|00 00|"; distance:4; reference:url,forensicswiki.xyz/page/RAR; classtype:misc-activity; sid:2035479; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, performance_impact Moderate, confidence Medium, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_03_16;)

References

urlforensicswiki.xyz/page/RAR

Metadata

attack targetClient_Endpoint
created at2022_03_16
deploymentPerimeter
performance impactModerate
confidenceMedium
signature severityInformational
tagDescription_Generated_By_Proofpoint_Nexus
updated at2022_03_16

Comments (0)

Please sign in to leave a comment.
Sign in

No comments yet. Be the first to comment!