New Signature: MalDoc/Gamaredon CnC Activity

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MalDoc/Gamaredon CnC Activity"; flow:established,to_server; content:"OPTIONS"; http_method; content:"/USER-"; http_uri; depth:6; fast_pattern; content:"Microsoft Office Protocol Discovery"; http_user_agent; classtype:trojan-activity; reference:md5,fa1039ec7779e5c1431fa072e7aa85aa; sid:131111; rev:1;)

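As an added illustration (not code from kevross33's post or from the ET ruleset), here is a plain-Python model of the rule's three content checks run over constructed HTTP requests; it shows how the http_method, http_uri with depth:6, and http_user_agent buffers combine, and all hostnames and URIs in the samples are made up.

```python
# Added example: a minimal re-implementation of the match logic of the rule
# above (sid:131111), applied to constructed sample requests. It is not the
# engine's own matcher; it only mirrors the three content checks.

def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, URI and a header dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "headers": headers}


def matches_gamaredon_rule(raw: bytes) -> bool:
    """Mirror the rule's content checks (case-sensitive, like the rule):

    - content:"OPTIONS"; http_method
    - content:"/USER-"; http_uri; depth:6   -> the pattern must sit within the
      first 6 bytes of the URI, i.e. the URI has to start with /USER-
    - content:"Microsoft Office Protocol Discovery"; http_user_agent
    """
    req = parse_request(raw)
    if "OPTIONS" not in req["method"]:
        return False
    if "/USER-" not in req["uri"][:6]:   # depth:6 limits the search window
        return False
    user_agent = req["headers"].get("user-agent", "")
    return "Microsoft Office Protocol Discovery" in user_agent


# Constructed sample traffic (made-up host and URIs, not real captures)
HIT = (b"OPTIONS /USER-PC_ABC123 HTTP/1.1\r\nHost: example.invalid\r\n"
       b"User-Agent: Microsoft Office Protocol Discovery\r\n\r\n")
BENIGN_OFFICE = (b"OPTIONS /sites/docs HTTP/1.1\r\nHost: example.invalid\r\n"
                 b"User-Agent: Microsoft Office Protocol Discovery\r\n\r\n")
DEEP_URI = (b"OPTIONS /x/USER-PC HTTP/1.1\r\nHost: example.invalid\r\n"
            b"User-Agent: Microsoft Office Protocol Discovery\r\n\r\n")

if __name__ == "__main__":
    for name, raw in [("hit", HIT), ("benign", BENIGN_OFFICE), ("deep", DEEP_URI)]:
        print(name, matches_gamaredon_rule(raw))
```

Only the first sample fires: the second lacks the /USER- prefix, and the third contains /USER- but outside the 6-byte depth window, which is the same reason the real rule would not alert on it.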

Hi kevross33, thank you for sharing your rule with the ET community!

I’ll look into adding it to our ET OPEN ruleset by next week.

Cheers,
:hotdog: