ET HUNTING Suspected Malicious Telegram Communication (POST)
Sourceet/open
Fileemerging-hunting.rules
CreatedMarch 12, 2020
UpdatedMay 4, 2024
Classificationmisc-activity
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspected Malicious Telegram Communication (POST)"; flow:established,to_server ; http.header; header_lowercase; content:"|0d 0a|accept-language|3a 20|en-US|2c 2a 0d 0a|user-agent|3a 20|Mozilla|2f|5|2e|0|0d 0a|"; fast_pattern; http.content_len; byte_test:0,=,40,0,string,dec ; http.request_line; content:"POST /api HTTP/"; startswith; http.content_type; content:"application/x-www-form-urlencoded"; startswith; isdataat:!1,relative ; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/" ; reference:md5,fe5338aee73b3aae375d7192067dc5c8 ; reference:url,www.amnesty.org/en/latest/research/2020/03/targeted-surveillance-attacks-in-uzbekistan-an-old-threat-with-new-techniques/ ; classtype:misc-activity; sid:2029634; rev:6; metadata:attack_target Client_Endpoint, created_at 2020_03_12, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_05_04;)
References
| md5 | fe5338aee73b3aae375d7192067dc5c8 |
| url | www.amnesty.org/en/latest/research/2020/03/targeted-surveillance-attacks-in-uzbekistan-an-old-threat-with-new-techniques/ |
Metadata
attack targetClient_Endpoint
created at2020_03_12
deploymentPerimeter
performance impactLow
confidenceMedium
signature severityInformational
tagDescription_Generated_By_Proofpoint_Nexus
updated at2024_05_04
Comments (0)
Please sign in to leave a comment.
Sign inNo comments yet. Be the first to comment!