ET HUNTING Possible WikiLoader Activity (GET)
Sourceet/open
Fileemerging-hunting.rules
CreatedJuly 31, 2023
UpdatedApril 27, 2024
Classificationtrojan-activity
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible WikiLoader Activity (GET)"; flow:established,to_server ; http.method; content:"GET"; http.uri; content:".php?id="; fast_pattern; pcre:"/^[0-9]{1,2}$/R" ; http.header_names; strip_pseudo_headers; to_lowercase; content:"|0d 0a|accept|0d 0a|cookie|0d 0a|"; startswith; content:!"|0d 0a|referer|0d 0a|"; http.user_agent; content:"Intel Mac OS X"; reference:url,www.proofpoint.com/us/blog/threat-insight/out-sandbox-wikiloader-digs-sophisticated-evasion ; reference:url,app.any.run/tasks/f98aa2c5-deae-408a-8e86-530e7961dfb6/ ; reference:md5,f69b31ef39887d6e04d4e972d69bd450 ; classtype:trojan-activity; sid:2046971; rev:2; metadata:attack_target Client_Endpoint, created_at 2023_07_31, deployment Perimeter, deployment SSLDecrypt, performance_impact Significant, confidence Medium, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_27; target:src_ip;)
References
Metadata
attack targetClient_Endpoint
created at2023_07_31
deploymentSSLDecrypt
performance impactSignificant
confidenceMedium
signature severityInformational
tagDescription_Generated_By_Proofpoint_Nexus
updated at2024_04_27
Comments (0)
Please sign in to leave a comment.
Sign inNo comments yet. Be the first to comment!