ET HUNTING Suspected Malicious Telegram Communication (POST)

7.0.35.0SID: 2029634Rev: 6Enabled1 views
Sourceet/open
Fileemerging-hunting.rules
CreatedMarch 12, 2020
UpdatedMay 4, 2024
Classificationmisc-activity
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspected Malicious Telegram Communication (POST)"; flow:established,to_server; http.header; header_lowercase; content:"|0d 0a|accept-language|3a 20|en-US|2c 2a 0d 0a|user-agent|3a 20|Mozilla|2f|5|2e|0|0d 0a|"; fast_pattern; http.content_len; byte_test:0,=,40,0,string,dec; http.request_line; content:"POST /api HTTP/"; startswith; http.content_type; content:"application/x-www-form-urlencoded"; startswith; isdataat:!1,relative; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; reference:md5,fe5338aee73b3aae375d7192067dc5c8; reference:url,www.amnesty.org/en/latest/research/2020/03/targeted-surveillance-attacks-in-uzbekistan-an-old-threat-with-new-techniques/; classtype:misc-activity; sid:2029634; rev:6; metadata:attack_target Client_Endpoint, created_at 2020_03_12, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_05_04;)

Metadata

attack targetClient_Endpoint
created at2020_03_12
deploymentPerimeter
performance impactLow
confidenceMedium
signature severityInformational
tagDescription_Generated_By_Proofpoint_Nexus
updated at2024_05_04

Comments (0)

Please sign in to leave a comment.
Sign in

No comments yet. Be the first to comment!