ET HUNTING Suspicious IAT HttpAddRequestHeader - Can Be Used For HTTP CnC
Sourceet/open
Fileemerging-hunting.rules
CreatedMay 3, 2011
UpdatedMarch 13, 2024
Classificationcommand-and-control
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious IAT HttpAddRequestHeader - Can Be Used For HTTP CnC"; flow:established,to_client ; file.data; content:"MZ"; distance:0; isdataat:76,relative ; content:"This program cannot be run in DOS mode."; distance:0; content:"HttpAddRequestHeader"; nocase; distance:0; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649 ; classtype:command-and-control; sid:2012767; rev:12; metadata:created_at 2011_05_03, confidence Medium, signature_severity Unknown, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_13;)
Metadata
created at2011_05_03
confidenceMedium
signature severityUnknown
tagDescription_Generated_By_Proofpoint_Nexus
updated at2024_03_13
Comments (0)
Please sign in to leave a comment.
Sign inNo comments yet. Be the first to comment!