security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

rule: havana ransomware UA

Browse Source
This commit is contained in:
Florian Roth
2022-09-05 16:50:26 +02:00
parent aa0545b6c7
commit 69308b035a
1 changed files with 2 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/proxy/proxy_ua_malware.yml
+2 -1
View File
@@ -10,7 +10,7 @@ references:
- https://perishablepress.com/blacklist/ua-2013.txt
- https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents
date: 2017/07/08
modified: 2021/11/27
modified: 2022/09/05
logsource:
category: proxy
detection:
@@ -75,6 +75,7 @@ detection:
- 'record' # https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/
- 'mozzzzzzzzzzz' # https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/
- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0' # Quasar RAT UA https://twitter.com/malmoeb/status/1559994820692672519?s=20&t=g3tkNL09dZZWbFN10qDVjg
- 'Havana/0.1' # https://www.cybereason.com/blog/threat-alert-havanacrypt-ransomware-masquerading-as-google-update
condition: selection
fields:
- ClientIP