🐾 - 🚨 Suspicious Putty / Plink SSH connection to Internet 🌐 - 👀 used including by Play & Lockbit ransomware group 👿
Source: pawpatrules
Created: December 21, 2022
Updated: July 9, 2023
Classification: policy-violation
alert ssh any any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Suspicious Putty / Plink SSH connection to Internet 🌐 - 👀 used including by Play & Lockbit ransomware group 👿"; flow:to_server, stateless; threshold:type limit, track by_src,count 1, seconds 3600; ssh.software; content:"putty_"; fast_pattern; nocase; reference:url,https://www.chiark.greenend.org.uk/~sgtatham/putty/; reference:url,https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/; reference:url,https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-165a; metadata:created_at 2022_12_21, updated_at 2023_07_09; sid:3300124; rev:2; classtype:policy-violation;)
References
Metadata
created at: 2022_12_21
updated at: 2023_07_09