🐾 - 🚨 Suspicious Windows 11 🪟 TLSv1.2 connection to ipify.org API - Possible public IP address gathering 👀 - T1590.005 - Seen in Agent Tesla 👾 attack - Suricata Rule 3321334 (pawpatrules)

🐾 - 🚨 Suspicious Windows 11 🪟 TLSv1.2 connection to ipify.org API - Possible public IP address gathering 👀 - T1590.005 - Seen in Agent Tesla 👾 attack

SID: 3321334Rev: 2109 viewsHistory

Sourcepawpatrules

CreatedAugust 12, 2024

UpdatedAugust 13, 2024

Classificationexternal-ip-check

alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"🐾 - 🚨 Suspicious Windows 11 🪟 TLSv1.2 connection to ipify.org API - Possible public IP address gathering 👀 - T1590.005 - Seen in Agent Tesla 👾 attack"; flow:to_server, stateless; ja3.hash; content:"6a5d235ee78c6aede6a61448b4e9ff1e"; fast_pattern; ssl_version:tls1.2; tls_sni; content:"api.ipify.org"; nocase; reference:url,https://attack.mitre.org/techniques/T1590/005/; reference:url,https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla; target:src_ip; metadata:attack_target Client_and_Server, signature_severity Major, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1590_05, mitre_technique_name Gather_Victim_Network_Information_IP_Addresses, created_at 2024_08_13, updated_at 2024_08_13; sid:3321334; rev:2; classtype:external-ip-check;)

References

url	https://attack.mitre.org/techniques/T1590/005/
url	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Metadata

attack targetClient_and_Server

signature severityMajor

affected productWindows_XP_Vista_7_8_10_11_Server_32_64_Bit

mitre tactic idTA0043

mitre tactic nameReconnaissance

mitre technique idT1590_05

mitre technique nameGather_Victim_Network_Information_IP_Addresses

created at2024_08_13

updated at2024_08_13

Comments (0)

Please sign in to leave a comment.

No comments yet. Be the first to comment!