SIGNATURE: MalDoc/Gamaredon CnC: (ADMIN- prepend)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MalDoc/Gamaredon CnC Activity"; flow:established,to_server; content:"OPTIONS"; http_method; content:"/ADMIN-"; http_uri; depth:7; fast_pattern; content:"Microsoft Office Protocol Discovery"; http_user_agent; classtype:trojan-activity; reference:md5,b7fe95ccd715a8dd6eb7519ff15e1fc5; sid:123311; rev:1;)

Kind Regards,
Kevin Ross
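As an added illustration (not part of the original post or the ET ruleset), the Python below re-implements the rule's three content checks over constructed HTTP requests, so you can see what does and does not trigger it. In particular, `depth:7` together with the 7-byte pattern `/ADMIN-` means the URI must begin with that string; a request with `/ADMIN-` deeper in the path is not a hit. The `flow:established,to_server` keyword is a connection-state condition and is not modelled here.

```python
# Constructed HTTP requests (not captured traffic) used to exercise the matcher.
SAMPLE_REQUESTS = {
    "beacon": (b"OPTIONS /ADMIN-3f2a HTTP/1.1\r\nHost: example.invalid\r\n"
               b"User-Agent: Microsoft Office Protocol Discovery\r\n\r\n"),
    "deep_path": (b"OPTIONS /share/ADMIN-3f2a HTTP/1.1\r\nHost: example.invalid\r\n"
                  b"User-Agent: Microsoft Office Protocol Discovery\r\n\r\n"),
    "wrong_method": (b"GET /ADMIN-3f2a HTTP/1.1\r\nHost: example.invalid\r\n"
                     b"User-Agent: Microsoft Office Protocol Discovery\r\n\r\n"),
    "wrong_ua": (b"OPTIONS /ADMIN-3f2a HTTP/1.1\r\nHost: example.invalid\r\n"
                 b"User-Agent: Mozilla/5.0\r\n\r\n"),
}


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def matches_gamaredon_rule(raw: bytes) -> bool:
    """Apply the rule's content checks (case-sensitive, as no 'nocase' is set)."""
    method, uri, headers = parse_request(raw)
    # content:"OPTIONS"; http_method;
    if method != "OPTIONS":
        return False
    # content:"/ADMIN-"; http_uri; depth:7;
    # A 7-byte pattern searched within the first 7 bytes must sit at offset 0.
    if uri[:7] != "/ADMIN-":
        return False
    # content:"Microsoft Office Protocol Discovery"; http_user_agent;
    return "Microsoft Office Protocol Discovery" in headers.get("user-agent", "")


def evaluate_samples() -> dict:
    """Return {sample_name: matched} for every constructed request."""
    return {name: matches_gamaredon_rule(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:13s} -> {'ALERT' if hit else 'no match'}")
```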


Thanks Kevin, We’ll get this in today’s release! :fire:

2046949 - ET MALWARE MalDoc/Gamaredon CnC Activity M4