Snort mailing list archives
Re: RAT sigs from CrowdStrike Report
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Wed, 16 Jul 2014 20:14:46 +0000
We may be able to add some of yours below, but check out:
http://vrt-blog.snort.org/2014/06/detection-for-putterpanda-we-got-this.html

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team

On Jul 16, 2014, at 4:05 PM, Y M <snort () outlook com> wrote:

So as soon as I started reading the CrowdStrike report (http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf) I tried writing sigs for what's in the report, only to find out later that it had the sigs written already (face-palm). Lesson of the day: RTFM. Not sure if these are already in the current ruleset. Here is my shot at it:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.4HRAT beacon request"; flow:to_server,established; content:"/search?"; http_uri; fast_pattern:only; pcre:"/\/search[0-9]{5}?/"; content:"h1="; http_uri; content:"&h2="; http_uri; content:"&h3="; http_uri; content:"&h4="; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf; classtype:trojan-activity; sid:100234; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.3PARA RAT initial beacon request"; flow:to_server,established; content:"GET"; http_method; content:"/default/connect.aspx?"; http_uri; fast_pattern:only; content:"ID="; http_uri; content:"User-Agent|3A 20|Mozilla/4.0|20 28|compatible|3B 20|MSIE 6.0|3B 20|Windows NT 5.1|29|"; http_header; content:!"Accept|3A 20|"; http_header; content:!"Content-Type|3A 20|"; http_header; content:!"Content-Length|3A 20|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf; classtype:trojan-activity; sid:100235; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.3PARA RAT C2 registration"; flow:to_server,established; content:"POST"; http_method; content:"/default/connect.aspx?"; http_uri; fast_pattern:only; content:"ID="; http_uri; content:"User-Agent|3A 20|Mozilla/4.0|20 28|compatible|3B 20|MSIE 6.0|3B 20|Windows NT 5.1|29|"; http_header; content:!"Accept|3A 20|"; http_header; content:!"Content-Type|3A 20|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf; classtype:trojan-activity; sid:100236; rev:1;)

# The '&' separators between ID and para1..para3 in the pcre below are assumed (the posted rule had none); \x2f is '/' (the posted \x3a is ':'), and {8,10} replaces the invalid {8-10} quantifier.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.3PARA RAT task request"; flow:to_server,established; content:"/getupdate/default.aspx?ID="; http_uri; pcre:"/\x2fgetupdate\x2fdefault\x2easpx\x3fID=[0-9]{5}&para1=\x2d[0-9]{8,10}&para2=\x2d[0-9]{8,10}&para3=\x2d[0-9]{2}/"; content:"User-Agent|3A 20|Mozilla/4.0|20 28|compatible|3B 20|MSIE 6.0|3B 20|Windows NT 5.1|29|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf; classtype:trojan-activity; sid:100237; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.HTTPCLIENT beacon request"; flow:to_server,established; content:"/MicrosoftUpdate/ShellEX/KB"; http_uri; fast_pattern:only; pcre:"/\x2fMicrosoftUpdate\x2fShellEX\x2fKB[0-9]{7}\x2fdefault\x2easpx\x3ftmp=/U"; content:"User-Agent|3A 20|Mozilla/4.0|20 28|compatible|3B 20|MSIE 6.0|3B 20|Windows NT 5.1|29|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf; classtype:trojan-activity; sid:100238; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.HTTPCLIENT C2 request"; flow:to_server,established; content:"/Microsoft/errorpost"; http_uri; fast_pattern:only; pcre:"/\x2fMicrosoft\x2ferrorpost[0-9]{7}\x2fdefault\x2easpx\x3ftmp=/U"; content:"User-Agent|3A 20|Mozilla/4.0|20 28|compatible|3B 20|MSIE 6.0|3B 20|Windows NT 5.1|29|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf; classtype:trojan-activity; sid:100239; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.HTTPCLIENT C2 request"; flow:to_server,established; content:"/MicrosoftUpdate/GetUpdate/KB"; http_uri; fast_pattern:only; pcre:"/\x2fMicrosoftUpdate\x2fGetUpdate\x2fKB[0-9]{7}\x2fdefault\x2easpx\x3ftmp=/U"; content:"User-Agent|3A 20|Mozilla/4.0|20 28|compatible|3B 20|MSIE 6.0|3B 20|Windows NT 5.1|29|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf; classtype:trojan-activity; sid:100240; rev:1;)

I guess some signatures can be made more generic.

YM

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
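The URI patterns from the quoted rules, compiled in Python and run over constructed request URIs, as an added example that is not code from the thread; snort_pcre_to_python, matching_rules, the sample URIs and the '&' separators in the 3PARA pattern are my assumptions, and the task-request pattern exactly as posted is kept alongside to show that its \x3a and {8-10} mistakes compile cleanly but never match.

```python
import re
# Added example, not code from the mailing-list post: compile a Snort pcre
# option in Python and run the quoted rules' URI patterns over constructed
# request URIs, a cheap sanity check before loading a signature on a sensor.

def snort_pcre_to_python(pcre_option: str) -> re.Pattern:
    """Compile the body of a Snort pcre:"/body/flags" option as a Python regex.
    Snort buffer selectors (U, H, P ...) have no Python meaning and are dropped;
    i/s/m are mapped because PCRE and Python agree on them."""
    m = re.fullmatch(r'pcre:"/(.*)/([A-Za-z]*)"', pcre_option)
    if m is None:
        raise ValueError("not a Snort pcre option: " + pcre_option)
    body, flags = m.groups()
    py_flags = 0
    for letter, flag in (("i", re.IGNORECASE), ("s", re.DOTALL), ("m", re.MULTILINE)):
        if letter in flags:
            py_flags |= flag
    return re.compile(body, py_flags)

# URI patterns of the quoted rules after the syntax fixes ('&' separators in
# the 3PARA query string are an assumption, not stated in the posted rule).
RULE_PCRES = {
    "3PARA RAT task request": r'pcre:"/\x2fgetupdate\x2fdefault\x2easpx\x3fID=[0-9]{5}&para1=\x2d[0-9]{8,10}&para2=\x2d[0-9]{8,10}&para3=\x2d[0-9]{2}/"',
    "HTTPCLIENT beacon request": r'pcre:"/\x2fMicrosoftUpdate\x2fShellEX\x2fKB[0-9]{7}\x2fdefault\x2easpx\x3ftmp=/U"',
    "HTTPCLIENT errorpost C2 request": r'pcre:"/\x2fMicrosoft\x2ferrorpost[0-9]{7}\x2fdefault\x2easpx\x3ftmp=/U"',
    "HTTPCLIENT GetUpdate C2 request": r'pcre:"/\x2fMicrosoftUpdate\x2fGetUpdate\x2fKB[0-9]{7}\x2fdefault\x2easpx\x3ftmp=/U"',
}
COMPILED = {name: snort_pcre_to_python(p) for name, p in RULE_PCRES.items()}
# The task-request pcre exactly as posted: \x3a is ':' rather than '/', and
# {8-10} is not a quantifier, so PCRE and Python both take it as literal text;
# it compiles without error and simply never fires.
AS_POSTED = snort_pcre_to_python(
    r'pcre:"/\x3agetupdate\x3adefault\x2easp\x3fID=[0-9]{5}para1=\x2d[0-9]{8,10}para2=\x2d[0-9]{8-10}para3=\x2d[0-9]{2}/"')

def matching_rules(uri: str) -> list:
    """Names of the rules whose URI pattern fires on this request URI."""
    return [name for name, rx in COMPILED.items() if rx.search(uri)]

# Constructed URIs in the shape the rules describe, not real captures.
SAMPLES = [
    "/getupdate/default.aspx?ID=12345&para1=-123456789&para2=-9876543210&para3=-07",
    "/MicrosoftUpdate/ShellEX/KB1234567/default.aspx?tmp=0",
    "/Microsoft/errorpost1234567/default.aspx?tmp=1",
    "/MicrosoftUpdate/GetUpdate/KB1234567/default.aspx?tmp=2",
    "/search?h1=a&h2=b&h3=c&h4=d",  # 4HRAT-style URI; none of the pcres above cover it
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(uri, "->", matching_rules(uri) or "no match")
    print("as-posted 3PARA pattern hits sample 0:", AS_POSTED.search(SAMPLES[0]) is not None)
```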