MALWARE-CNC -- Snort has detected a Comand and Control (CNC) rule violation, most likely for commands and calls for files or other stages from the control server. The alert indicates a host has been infiltrated by an attacker, who is using the host to make calls for files, as a call-home vector for other malware-infected networks, for shuttling traffic back to bot owners, etc.
MALWARE-CNC Win.Trojan.Emotet variant outbound connection attempt
The rule looks for following encrypted traffic that is observed when Win.Trojan.Emotet makes outbound communication with C2 server ``` DF 4F 0F C1 39 E6 C0 61 14 34 FC 72 6F 5E 06 88 57 35 F3 1C D2 56 AE B5 6E 52 93 CC 22 94 39 1E ```
The rule alerts on encrypted outbound traffic generated by Win.Trojan.Emotet
No public information
No known false positives
Cisco Talos Intelligence Group
No rule groups
None
No information provided
None
Tactic: Command and Control
Technique: Standard Application Layer Protocol
For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org