Indicator (IOC)
Essential information
- Value / Name
- 5e4b5219a67e0e1c3e874d3cf570b560bf4b9d27
- Confidence
- 100/100
- Revoked
- Yes
- Valid from
- 07/09/2023 21:24
- Valid until
- 10/12/2024 20:24
- Pattern type
- yara
- Published
- 21/12/2025 01:23
- Modified
- 21/12/2025 01:23
- Author / Source
- AlienVault
Description
Detects OWA targeting ASPX Webshell samples
Pattern
rule CISA_10430311_03 : ASPX_WEBSHELL webshell
{
    meta:
        author = "CISA Code & Media Analysis"
        incident = "10430311"
        date = "2023-03-21"
        last_modified = "20230404_1230"
        actor = "n/a"
        family = "ASPX Webshell"
        Capabilities = "n/a"
        Malware_Type = "webshell"
        Tool_Type = "n/a"
        description = "Detects OWA targeting ASPX Webshell samples"
        sha256_1 = "6dcc7b5e913154abac69687fcfb6a58ac66ec9b8cc7de7afd8832a9066b7bdde"
        sha256_1 = "47dacb8f0b157355a4fd59ccbac1c59b8268fe84f3b8a462378b064333920622"
    strings:
        // Hex patterns match case-sensitive ASCII bytes; decoded text is shown per line.
        $s1 = { 5a 30 32 6a 77 36 43 36 63 55 }        // "Z02jw6C6cU"
        $s2 = { 5a 38 49 30 32 38 33 6e 77 38 }        // "Z8I0283nw8"
        $s3 = { 4f 57 41 77 65 62 63 6f 6e 66 69 67 }  // "OWAwebconfig"
        $s4 = { 54 55 43 53 4f 4e }                    // "TUCSON"
        $s5 = { 65 76 61 6c }                          // "eval"
    condition:
        // Any three of the five strings must be present in the scanned file.
        3 of them
}
Marking (TLP)
TLP:CLEAR
Related entities
No linked attack reports or intrusion sets yet.