2013-10-09 03:48 PM
Hi all,
I was wondering whether anyone has any Security Analytics custom drills that are good at narrowing down sessions associated specifically with Redkit exploit pack while filtering out benign traffic? I was previously using NetWitness and the following custom regex to identify potential URLs which may be Redkit landing pages or exploit downloads:
filename regex [a-z0-9]{4}\.html\?.
filename regex [a-z]{4}\.html?\?[a-z]=[0-9]+$
action = get && (filename regex [a-z0-9]{4}\.jar\?. || filename regex [a-z0-9]{4}\.jnlp\?.)
I was wondering if anyone knows any other IoCs which could be used to pinpoint potential Redkit infections, or as a starting point to home in on suspicious sessions which can then be narrowed down with additional drills?
Cheers
Kit
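As an added example (not code from the post or from NetWitness/Security Analytics), the script below translates the three drills above into Python regexes and runs them over a few constructed proxy-log entries, so the matches and the benign false positives can be checked offline before the drill is deployed. It assumes that the "filename" meta key holds the last URL path segment plus the query string, and adds an optional anchored variant to show how much benign traffic the unanchored patterns let through.

```python
import re
from urllib.parse import urlsplit

def compile_drills(anchored=False):
    """The three drills from the post as Python regexes.
    NetWitness-style 'regex' is an unanchored search; anchored=True
    prepends '^' so the 4-char group must start the filename."""
    pre = "^" if anchored else ""
    return {
        "landing_html": re.compile(pre + r"[a-z0-9]{4}\.html\?."),
        "landing_html_param": re.compile(pre + r"[a-z]{4}\.html?\?[a-z]=[0-9]+$"),
        "exploit_jar_jnlp": re.compile(pre + r"[a-z0-9]{4}\.(?:jar|jnlp)\?."),  # GET only
    }

def filename_of(url):
    """Assumption: the 'filename' meta is the last path segment plus any query string."""
    parts = urlsplit(url)
    name = parts.path.rsplit("/", 1)[-1]
    return f"{name}?{parts.query}" if parts.query else name

def match_drills(method, url, anchored=False):
    """Return the set of drill names this request matches."""
    fn = filename_of(url)
    hits = set()
    for name, rx in compile_drills(anchored).items():
        if name == "exploit_jar_jnlp" and method.upper() != "GET":
            continue  # third drill also requires action = get
        if rx.search(fn):
            hits.add(name)
    return hits

# Constructed sample proxy-log entries (method, URL); not captured traffic.
SAMPLE_LOG = [
    ("GET", "http://example.test/abcd.html?h=1234"),     # fits drills 1 and 2
    ("GET", "http://example.test/x1y2.html?k"),          # fits drill 1 only
    ("GET", "http://example.test/q9w8.jar?e"),           # fits drill 3
    ("POST", "http://example.test/q9w8.jnlp?e"),         # drill 3 needs GET
    ("GET", "http://example.test/index.html?page=1234"), # benign, but 'ndex.html?p' matches unanchored
    ("GET", "http://example.test/assets/style.css"),     # benign, no match
]

def triage(log, anchored=False):
    """List the entries that hit at least one drill, with the drill names."""
    out = []
    for method, url in log:
        hits = match_drills(method, url, anchored)
        if hits:
            out.append((method, url, sorted(hits)))
    return out

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

Running it shows the unanchored first drill also flags `index.html?page=1234`, which is the kind of benign noise the post asks about; anchoring the pattern drops that entry while keeping the three suspicious ones.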