🐾 - 💀 Suspicious svchost.dll downloading via HTTP - Possible 👿 Cobalt Strike payload download 💾 - Seen in IcedID attack - Suricata Rule 3300693 (pawpatrules)

🐾 - 💀 Suspicious svchost.dll downloading via HTTP - Possible 👿 Cobalt Strike payload download 💾 - Seen in IcedID attack

SID: 3300693Rev: 20 views

Sourcepawpatrules

CreatedAugust 3, 2022

UpdatedDecember 3, 2022

Classificationtrojan-activity

alert http any any -> $EXTERNAL_NET any (msg:"🐾 - 💀 Suspicious svchost.dll downloading via HTTP - Possible 👿 Cobalt Strike payload download 💾 - Seen in IcedID attack"; flow:to_server, stateless; http.method; content:"GET"; content:"/svchost.dll"; fast_pattern; reference:url,https://isc.sans.edu/diary//28884; reference:url,https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid; metadata:created_at 2022_08_03, updated_at 2022_12_03; sid:3300693; rev:2; classtype:trojan-activity;)

References

url	https://isc.sans.edu/diary//28884
url	https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid

🐾 - 💀 Suspicious svchost.dll downloading via HTTP - Possible 👿 Cobalt Strike payload download 💾 - Seen in IcedID attack

References

Metadata

Comments (0)