SIG: ET TROJAN Possible Havoc C2 Framework Beacon Magic Bytes

DEADBEEF magic bytes at start of packet. This is pretty rare to appear legitimately but is an old hex "joke". Havoc C2 Framework – A Defensive Operator's Guide

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Havoc C2 Framework Beacon Magic Bytes"; flow:established,to_server; content:"|DE AD BE EF|"; depth:4; classtype:trojan-activity; reference:url,Havoc C2 Framework – A Defensive Operator's Guide; reference:url,GitHub - HavocFramework/Havoc: The Havoc Framework; sid:134111; rev:1;)

Kind Regards,
Kevin Ross

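An added example, not part of the thread or of Havoc: a minimal model of Suricata's `content` + `depth` matching used to check where the DE AD BE EF marker would have to sit for the proposed rule to fire. The payloads are constructed samples; the HTTP header name is an assumption used only to place the marker past the first four bytes.

```python
# Added example (not from the thread): emulate `content:X; depth:N;`
# to see which payloads the proposed DEADBEEF rule would match.

MAGIC = bytes.fromhex("DEADBEEF")

def content_depth_match(payload: bytes, content: bytes, depth: int) -> bool:
    """Suricata semantics for `content:X; depth:N;` with no offset:
    X must lie entirely within the first N bytes of the payload."""
    return content in payload[:depth]

def rule_fires(payload: bytes) -> bool:
    """The proposed rule: content:"|DE AD BE EF|"; depth:4;"""
    return content_depth_match(payload, MAGIC, 4)

def magic_offset(payload: bytes) -> int:
    """Byte offset of the marker in the payload, or -1 if absent."""
    return payload.find(MAGIC)

# Constructed sample 1: marker at the very start of the TCP payload.
RAW_START = MAGIC + b"\x00\x01\x02\x03"

# Constructed sample 2: marker carried inside an HTTP POST header
# (hypothetical header name); it is nowhere near offset 0.
HTTP_POST = (
    b"POST /api HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"X-Key: \xde\xad\xbe\xef\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for name, p in (("raw-start", RAW_START), ("http-post", HTTP_POST)):
        print(f"{name}: offset={magic_offset(p)} fires={rule_fires(p)}")
```

Running it shows the rule fires only for the raw-start sample; a marker inside an HTTP header is found at a later offset and never satisfies depth:4, which is the concern raised in the follow-up post.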

OK, actually this may need to be tested. This may be a header marking the encryption key in an HTTP POST header, so I don't think it appears at the start of the packet based on the article.


OK, ignore this. Covered by an existing sig.


Thanks for checking in!