🐾 - 🚨 Suspicious HTTP user agent connection to checkip.dyndns.org service - Possible public IP address gathering - T1590.005 - Seen in 🐍 SnakeKeylogger ⌨ attack
Sourcepawpatrules
CreatedAugust 8, 2024
UpdatedAugust 14, 2024
Classificationexternal-ip-check
alert http $HOME_NET any -> $EXTERNAL_NET 80 (msg:"🐾 - 🚨 Suspicious HTTP user agent connection to checkip.dyndns.org service - Possible public IP address gathering - T1590.005 - Seen in 🐍 SnakeKeylogger ⌨ attack"; flow:to_server, stateless; http.method; content:"GET"; http.user_agent; content:"|4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 36 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 32 3b 20 2e 4e 45 54 20 43 4c 52 31 2e 30 2e 33 37 30 35 3b 29|"; fast_pattern; http.host.raw; content:"checkip.dyndns.org"; reference:url,https://attack.mitre.org/techniques/T1590/005/; reference:url,https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger; reference:url,https://samples.vx-underground.org/Papers/Malware%20Defense/Malware%20Analysis/2024/2024-06-30%20-%20Deep%20Analysis%20of%20Snake%20(404%20keylogger).pdf; target:src_ip; metadata:attack_target Client_and_Server, signature_severity Major, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1590_05, mitre_technique_name Gather_Victim_Network_Information_IP_Addresses, created_at 2024_08_08, updated_at 2024_08_14; sid:3321326; rev:2; classtype:external-ip-check;)
References
Metadata
attack targetClient_and_Server
signature severityMajor
affected productWindows_XP_Vista_7_8_10_11_Server_32_64_Bit
mitre tactic idTA0043
mitre tactic nameReconnaissance
mitre technique idT1590_05
mitre technique nameGather_Victim_Network_Information_IP_Addresses
created at2024_08_08
updated at2024_08_14
Comments (0)
Please sign in to leave a comment.
Sign inNo comments yet. Be the first to comment!