TGI HUNT Possible Base64-Encoded MAC Address in Payload

SID: 2610880Rev: 217 views
History
Sourcetgreen/hunting
CreatedFebruary 6, 2026
UpdatedMay 7, 2026
Classificationpolicy-violation
alert tcp any any -> any ![25,465,515,587,631,9100] (msg:"TGI HUNT Possible Base64-Encoded MAC Address in Payload"; content:"|36|"; content:"|36|"; distance:3; within:4; content:"|36|"; distance:3; within:4; content:"|36|"; distance:3; within:4; pcre:"/([A-Za-z0-9+\/]{2}[AEIMQUYcgk]6){4,5}/"; classtype:policy-violation; sid:2610880; rev:2;)

Comments (0)

Please sign in to leave a comment.
Sign in

No comments yet. Be the first to comment!