ET WEB_SERVER Win32/SessionManager2 Backdoor S5CLOSE Command (Inbound)

SID: 2037228Rev: 20 views
History
Sourceet/open
CreatedJune 30, 2022
UpdatedMay 11, 2023
Classificationtrojan-activity
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Win32/SessionManager2 Backdoor S5CLOSE Command (Inbound)"; flow:established,to_server; http.cookie; content:"SM_SESSION=S5CLOSE|3b|"; fast_pattern; threshold:type limit, track by_src, count 1, seconds 120; reference:url,securelist.com/the-sessionmanager-iis-backdoor/106868/; classtype:trojan-activity; sid:2037228; rev:2; metadata:attack_target Web_Server, created_at 2022_06_30, deployment Perimeter, malware_family SessionManager, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_05_11, reviewed_at 2024_01_08;)

References

urlsecurelist.com/the-sessionmanager-iis-backdoor/106868/

Metadata

attack targetWeb_Server
created at2022_06_30
deploymentPerimeter
malware familySessionManager
confidenceHigh
signature severityMajor
tagDescription_Generated_By_Proofpoint_Nexus
updated at2023_05_11
reviewed at2024_01_08

Comments (0)

Please sign in to leave a comment.
Sign in

No comments yet. Be the first to comment!