SIG: ET TROJAN Possible Havoc C2 Framework Beacon Magic Bytes

kevross33 · April 22, 2025, 11:42am

DEADBEEF magic bytes at start of packet. This is pretty rare to appear legitimately but is old hex “joke”. Havoc C2 Framework – A Defensive Operator’s Guide

alert tcp $HOME_NET any → $EXTERNAL_NET any (msg:“ET TROJAN Possible Havoc C2 Framework Beacon Magic Bytes”; flow:established,to_server; content:“|DE AD BE EF|”; depth:4; classtype:trojan-activity; reference:url,Havoc C2 Framework – A Defensive Operator’s Guide; reference:url,GitHub - HavocFramework/Havoc: The Havoc Framework; sid:134111; rev:1;)

Kind Regards,
Kevin Ross

kevross33 · April 22, 2025, 11:47am

OK actually this may need to be tested. This may be header marking encryption key in HTTP POST header so I don’t think it appears at start of packet based on article

kevross33 · April 22, 2025, 11:56am

Ok, ignore this. Covered by existing sig

rgonzalez · April 22, 2025, 2:33pm

Thanks for checking in!

Topic		Replies	Views
SIG: ET TROJAN Interlock.RansomGroup RAT Initial Callback Rule Signatures	1	66	April 22, 2025
Signature: ET TROJAN Possible HijackLoader Second Stage PNG Rule Signatures	5	304	March 21, 2024
PortStarter Backdoor Sigs Rule Signatures	1	55	October 10, 2024
Keep getting spammed with ET SHELLCODE Common 0a0a0a0a Heap Spray String from an address. Is this anything serious? Feedback & Support	4	82	February 8, 2025
SIG: ET MALWARE Possible Gremlin InfoStealer Data Upload Rule Signatures	2	56	April 29, 2025

SIG: ET TROJAN Possible Havoc C2 Framework Beacon Magic Bytes

Related topics