
List:       emerging-sigs
Subject:    [Emerging-Sigs] CobaltStrike payload
From:       Attack Detection <attackdetectionteam () gmail ! com>
Date:       2017-09-26 12:22:45
Message-ID: CALJOUfY=gYx663TYNu4phgJ4rBbrkME=wd_R-LRAM8codOP9ww () mail ! gmail ! com


alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "ET TROJAN [PTsecurity] Cobalt Strike payload"; flow: established, to_client; content:"200"; http_stat_code; content: "|fce8 0000 0000 eb|"; http_server_body; depth: 7; classtype: trojan-activity; sid: 10000749; rev: 1;)

PCAPs:
https://www.dropbox.com/sh/n3tglwutjyczfp2/AAAouNbnh32Nj2xrqzF2wzzya?dl=0

- John.
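
The rule's match conditions restated as an added Python example (not part of the original post and not the sensor's own implementation), useful for unit-testing the signature logic offline. All function names are hypothetical, the gzip step assumes the sensor inspects the decoded response body, and the sample responses are constructed rather than taken from the linked PCAPs.

```python
import gzip

RULE_CONTENT = "|fce8 0000 0000 eb|"  # content string copied from the rule above
RULE_DEPTH = 7                        # depth: 7
RULE_STATUS = b"200"                  # content:"200"; http_stat_code


def parse_content(pattern: str) -> bytes:
    """Turn a content string (literal text plus |hex| runs) into raw bytes."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        if i % 2:  # odd segments sit between pipes: hex digits, whitespace ignored
            out += bytes.fromhex("".join(part.split()))
        else:
            out += part.encode("latin-1")
    return bytes(out)


def split_response(raw: bytes):
    """Return (status_code, lower-cased headers, body) of one raw HTTP/1.x response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    status = parts[1] if len(parts) > 1 else b""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return status, headers, body


def rule_matches(raw: bytes) -> bool:
    """Apply the rule's status-code and body conditions to one server response."""
    status, headers, body = split_response(raw)
    if status != RULE_STATUS:
        return False
    if headers.get(b"content-encoding") == b"gzip":
        body = gzip.decompress(body)  # assumption: sensor matches on the decoded body
    # depth equals the pattern length, so the bytes must sit at body offset 0
    return parse_content(RULE_CONTENT) in body[:RULE_DEPTH]


def build_response(status: bytes, body: bytes, gzipped: bool = False) -> bytes:
    """Constructed sample traffic for the checks; not taken from the linked PCAPs."""
    extra = b""
    if gzipped:
        body, extra = gzip.compress(body), b"Content-Encoding: gzip\r\n"
    return b"HTTP/1.1 " + status + b" OK\r\n" + extra + b"\r\n" + body
```

Because the depth equals the pattern length, a body that carries the same seven bytes at any offset other than 0 does not match.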


