🐾 - 🚨 Suspicious Windows 🪟 (WCF) Net.TCP Port Sharing to Internet (seen in 😈 RedLine Stealer attacks)

SID: 3300120
Rev: 3
Source: pawpatrules
Created: August 15, 2023
Updated: August 17, 2023
Classification: policy-violation
alert tcp-pkt any any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Suspicious Windows 🪟 (WCF) Net.TCP Port Sharing to Internet (seen in 😈 RedLine Stealer attacks)"; flow:to_server, stateless; content:"|00 01 00 01 02 02|"; content:"|6e 65 74 2e 74 63 70 3a 2f 2f|"; fast_pattern; distance:1; content:"|2f 03 08 0c|"; endswith; reference:url,https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/net-tcp-port-sharing; reference:url,https://blogs.blackberry.com/en/2021/10/threat-thursday-redline-infostealer-update; reference:url,https://muha2xmad.github.io/malware-analysis/fullredline/; target:src_ip; metadata:created_at 2023_08_15, updated_at 2023_08_17; sid:3300120; rev:3; classtype:policy-violation;)

Metadata

created at: 2023_08_15
updated at: 2023_08_17
