🐾 - 🚨 Suspicious TLSv1.0 Powershell 🪟 Windows persistent flow - Possible 🦹 Villain C2 or Hoaxshell

SID: 3300719
Rev: 1
Source: pawpatrules
Created: December 6, 2022
Updated: December 6, 2022
Classification: trojan-activity
alert tls $HOME_NET any -> any any (msg:"🐾 - 🚨 Suspicious TLSv1.0 Powershell 🪟 Windows persistent flow - Possible 🦹 Villain C2 or Hoaxshell"; flow:to_server, stateless; ssl_version:tls1.0; threshold:type threshold, track by_src, count 10, seconds 20; ja3.hash; content:"fc54e0d16d9764783542f0146a98b300"; reference:url,https://github.com/t3l3machus/hoaxshell; reference:url,https://github.com/t3l3machus/Villain; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_12_06, updated_at 2022_12_06; sid:3300719; rev:1; classtype:trojan-activity;)

Metadata

affected product: Windows_XP_Vista_7_8_10_Server_32_64_Bit
attack target: Client_Endpoint
created at: 2022_12_06
updated at: 2022_12_06
