๐Ÿพ - ๐Ÿšจ Suspicious TLSv1.3 connection from ๐ŸชŸ Windows 11 to Amazon S3 server without custom domain name - Possible info-stealing operation

SID: 3301134
Rev: 1
53 views
Source: pawpatrules
Created: February 18, 2024
Updated: February 18, 2024
Classification: credential-theft
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Suspicious TLSv1.3 connection from 🪟 Windows 11 to Amazon S3 server without custom domain name - Possible info-stealing operation"; flow:to_server, stateless; ja3.hash; content:"3c293bdf2a25c07559b560ba86debc77"; fast_pattern; tls_sni; content:".s3.amazonaws.com"; nocase; endswith; metadata:attack_target Client_and_Server, signature_severity Major, affected_product Windows_11_Server_32_64_Bit, mitre_tactic_id TA0006, mitre_tactic_name Credential_Access, former_category MALWARE, created_at 2024_02_18, updated_at 2024_02_18; sid:3301134; rev:1; classtype:credential-theft;)

Metadata

attack target: Client_and_Server
signature severity: Major
affected product: Windows_11_Server_32_64_Bit
mitre tactic id: TA0006
mitre tactic name: Credential_Access
former category: MALWARE
created at: 2024_02_18
updated at: 2024_02_18
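The rule above fires on exactly two conditions: the client's JA3 hash equals 3c293bdf2a25c07559b560ba86debc77 and the TLS SNI ends, case-insensitively, with ".s3.amazonaws.com" (a bucket reached directly rather than through a customer-owned CNAME). The TLS version and operating system in the title are not separate conditions; they are implied by the JA3 hash. The following added example (not part of the pawpatrules page or the rule author's material) re-applies those two predicates to Suricata eve.json TLS events, so a defender can retro-hunt existing logs from before the rule was deployed. The eve.json lines are constructed sample input, and the eve field layout assumed is the standard Suricata one (`tls.sni`, `tls.ja3.hash`).

```python
import json

# Predicates copied from the rule on this page (SID 3301134).
RULE_JA3_HASH = "3c293bdf2a25c07559b560ba86debc77"
RULE_SNI_SUFFIX = ".s3.amazonaws.com"


def matches_rule(event: dict) -> bool:
    """Return True when an eve.json TLS event satisfies the rule's content matches.

    ja3.hash; content:"<hash>"          -> exact, case-sensitive hash comparison
    tls_sni; content:"..."; nocase; endswith -> case-insensitive suffix match on the SNI
    """
    if event.get("event_type") != "tls":
        return False
    tls = event.get("tls") or {}
    ja3_hash = (tls.get("ja3") or {}).get("hash", "")
    sni = tls.get("sni", "")
    return ja3_hash == RULE_JA3_HASH and sni.lower().endswith(RULE_SNI_SUFFIX)


def hunt(lines):
    """Return (src_ip, sni) for every eve.json line the rule would have alerted on."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines rather than abort the hunt
        if matches_rule(event):
            hits.append((event.get("src_ip"), event["tls"]["sni"]))
    return hits


# Constructed sample eve.json lines (not real traffic): one true match, one
# hash match with an unrelated SNI, one S3 SNI with a different JA3, one
# non-TLS event and one garbage line.
SAMPLE_EVE = """
{"event_type":"tls","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","tls":{"sni":"example-bucket-0001.S3.amazonaws.com","version":"TLS 1.3","ja3":{"hash":"3c293bdf2a25c07559b560ba86debc77"}}}
{"event_type":"tls","src_ip":"10.0.0.6","dest_ip":"203.0.113.11","tls":{"sni":"cdn.example.com","version":"TLS 1.3","ja3":{"hash":"3c293bdf2a25c07559b560ba86debc77"}}}
{"event_type":"tls","src_ip":"10.0.0.7","dest_ip":"203.0.113.12","tls":{"sni":"backup.s3.amazonaws.com","version":"TLS 1.2","ja3":{"hash":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}}}
{"event_type":"http","src_ip":"10.0.0.8","dest_ip":"203.0.113.13","http":{"hostname":"x.s3.amazonaws.com"}}
not json
"""

if __name__ == "__main__":
    for src_ip, sni in hunt(SAMPLE_EVE.splitlines()):
        print(f"would alert: {src_ip} -> {sni}")
```

Because the JA3 hash is the only thing tying the alert to a Windows 11 TLS 1.3 client, any other software that produces the same ClientHello fingerprint will also trigger it; reviewing the `tls.ja3.string` of hits is the quickest way to confirm the fingerprint before escalating.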
