🐾 - 🔔 RDP connection to .solutions TLD - 👿 Possible Midnight Blizzard malicious RDP connexion to deploy RAT - T1105
Source: pawpatrules
Created: November 5, 2024
Updated: November 5, 2024
Classification: command-and-control
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🔔 RDP connection to .solutions TLD - 👿 Possible Midnight Blizzard malicious RDP connexion to deploy RAT - T1105"; flow:to_server, stateless; flowbits:isset,pptrls.rdpexter; flowbits:set,pptrls.badrdpexter; flowbits:isnotset,pptrls.badrdpexter; content:"|16 03|"; content:"|2e 73 6f 6c 75 74 69 6f 6e 73|"; fast_pattern; reference:url,https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/; reference:url,https://cert.gov.ua/article/6281076; reference:url,https://malpedia.caad.fkie.fraunhofer.de/actor/unc2452; reference:url,https://attack.mitre.org/techniques/T1105/; dsize:<500; target:src_ip; metadata:attack_target Client_and_Server, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, signature_severity Major, mitre_tactic_id TA0011, mitre_tactic_name Command_and_Control, mitre_technique_id T1105, mitre_technique_name Ingress_Tool_Transfer, created_at 2024_11_05, updated_at 2024_11_05; sid:3321398; rev:1; classtype:command-and-control;)