From 834599e866ced26b67f457ed1d1a287122a54d8a Mon Sep 17 00:00:00 2001
From: James
Date: Fri, 24 May 2019 17:48:06 +0100
Subject: [PATCH] Update experimental.rules

---
 experimental.rules | 1 +
 1 file changed, 1 insertion(+)

diff --git a/experimental.rules b/experimental.rules
index 1f49e30..5ce421e 100644
--- a/experimental.rules
+++ b/experimental.rules
@@ -35,3 +35,4 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPERIMENTAL (data) downl
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPERIMENTAL (data) download with high entropy from dotted-quad host"; flow:from_server,established; filesize:>10240; filemagic:"data"; filemagic:!" data"; flowbits:isset,http.dottedquadhost; luajit:suri-high-entropy.lua; classtype:bad-unknown; sid:380000016; rev:1;)
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPERIMENTAL XORed binary after plugin file download"; flow:from_server,established; file_data; content:!"MZ"; within:2; xbits:isset,ET.pluginfile,track ip_pair; luajit:suri-xor-binary-quick.lua; classtype:bad-unknown; sid:380000017; rev:1;)
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPERIMENTAL PE EXE or DLL binary after plugin file download"; flow:from_server,established; flowbits:isset,ET.http.binary; xbits:isset,ET.pluginfile,track ip_pair; threshold: type both, count 1, seconds 120, track by_src; classtype:bad-unknown; sid:380000018; rev:1;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPERIMENTAL JS ShellWindows/AddInProcess Win10 DeviceGuardBypass Inbound"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"|7b|9BA05972-F6A8-11CF-A442-00A0C90A8F39|7d|"; nocase; fast_pattern; content:"AddInProcess"; content:"|2f|guid|3a|"; distance:0; content:"|2f|pid|3a|"; distance:0; content:"Windows|5c 5c|Microsoft.Net|5c 5c|"; distance:0; classtype:trojan-activity; sid:90000000; rev:1;)
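Review bot: The added rule's `sid:90000000;` falls outside the numbering the surrounding rules use (the three context lines run 380000016 through 380000018), so the file now has two disjoint SID series and the new rule is easy to collide with or lose track of in SID management; the next value in the visible sequence (constructed from those lines) would be `sid:380000019;`. The `content:"AddInProcess"` match is case-sensitive while the CLSID match carries `nocase`; since Windows file and path names are case-insensitive, adding `nocase` to that content (and to the `Windows|5c 5c|Microsoft.Net|5c 5c|` path fragment) keeps detection coverage consistent across the rule rather than depending on the exact casing in one sample. Note also that `content:"AddInProcess"` has no `distance`/`within` relative to the preceding CLSID match, so the two are unordered within the `file_data` buffer — fine if intentional, but worth a comment if the ordering was meant to be enforced. Minor style point: the neighbouring rules write `flow:from_server,established;` and the new line `flow:established,from_server;`; the keywords are equivalent, but matching the file's order aids grepping.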