Snort mailing list archives
Duke-APT Sigs
From: Lenny Hansson <security () netcowboy dk>
Date: Fri, 24 Jul 2015 08:52:51 +0200
For anyone interested: I have been following the different Duke attacks. It seems like they have, for at least 4 months, been using the same URL construct for hosting payloads. I haven't been able to find any false positives with the rules, and I have replayed about 300GB of Internet traffic. I will be very interested if anyone could test/run them in their own environment to see how well they perform.

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"NF - IOC - Possible APT - CozyBear aka. Duke - GET Payload - ZIP File 3-4 numbers.zip download - efax"; flow:to_server,established; content:"GET"; depth:3; http_method; content:"/eFax/"; http_uri; nocase; pcre:"/\/[0-9]{3,4}\.zip/Ui"; reference:url,http://networkforensic.dk/; reference:url,http://zaufanatrzeciastrona.pl/post/przytulny-mis-w-natarciu-kampania-cozy-bear-atakuje-takze-polske/; metadata:NF,25032015; priority:1; sid:5017501; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"NF - IOC - Possible APT - CozyBear aka. Duke - GET Payload - ZIP File 3-4 numbers.zip download - fax"; flow:to_server,established; content:"GET"; depth:3; http_method; content:"/fax/"; http_uri; nocase; pcre:"/\/[0-9]{3,4}\.zip/Ui"; reference:url,http://networkforensic.dk/; reference:url,http://zaufanatrzeciastrona.pl/post/przytulny-mis-w-natarciu-kampania-cozy-bear-atakuje-takze-polske/; metadata:NF,25032015; priority:1; sid:5017502; rev:2;)

Other reports about Duke:
F-Secure https://www.f-secure.com/weblog/archives/00002822.html
Symantec http://www.symantec.com/connect/blogs/forkmeiamfamous-seaduke-latest-weapon-duke-armory
Paloalto http://researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/
Securelist https://securelist.com/blog/research/71443/minidionis-one-more-apt-with-a-usage-of-cloud-drives/

--
Venlig hilsen / Best Regards
Lenny Hansson
Web: networkforensic.dk
E-mail: security () netcowboy dk
Key-ID: 1527E63D
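To check what the two posted rules actually match before loading them into a sensor, here is an added Python example (written for this archive page, not code from the post or from Snort) that approximates the rule logic over constructed HTTP request lines. It assumes raw request lines as input and does not reproduce Snort's URI normalization (percent-decoding, path cleanup); the sample requests are made up.

```python
import re
from typing import List, Tuple

# Approximation of the two posted Snort rules (sid 5017501 and 5017502):
# GET request, URI containing "/eFax/" or "/fax/" case-insensitively, and a
# 3-4 digit .zip filename somewhere in the URI (pcre "/\/[0-9]{3,4}\.zip/Ui").
# Snort's URI normalization (percent-decoding, path cleanup) is not reproduced.
RULES = (
    (5017501, "/efax/"),  # "ZIP File 3-4 numbers.zip download - efax"
    (5017502, "/fax/"),   # "ZIP File 3-4 numbers.zip download - fax"
)
ZIP_RE = re.compile(r"/[0-9]{3,4}\.zip", re.IGNORECASE)
REQUEST_LINE_RE = re.compile(r"^([A-Z]+)\s+(\S+)\s+HTTP/\d\.\d$")

def match_sids(request_line: str) -> List[int]:
    """Return the sids of the posted rules that an HTTP request line would trigger."""
    m = REQUEST_LINE_RE.match(request_line.strip())
    if not m:
        return []
    method, uri = m.group(1), m.group(2)
    if method != "GET":          # content:"GET"; depth:3; http_method
        return []
    if not ZIP_RE.search(uri):   # pcre with U (URI buffer) and i (nocase) flags
        return []
    uri_lc = uri.lower()         # content:"/eFax/" or "/fax/"; http_uri; nocase
    return [sid for sid, token in RULES if token in uri_lc]

def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Run every request line through the rules; return (sid, line) hits in order."""
    hits = []
    for line in lines:
        for sid in match_sids(line):
            hits.append((sid, line))
    return hits

# Constructed sample request lines (not real traffic) exercising the edge cases.
SAMPLE_REQUESTS = [
    "GET /eFax/1234.zip HTTP/1.1",        # sid 5017501
    "GET /FAX/docs/987.ZIP HTTP/1.0",     # sid 5017502: nocase token, i-flag on pcre
    "GET /fax/12345.zip HTTP/1.1",        # no hit: five digits, pcre wants 3-4
    "POST /fax/123.zip HTTP/1.1",         # no hit: not a GET
    "GET /fax/report.zip HTTP/1.1",       # no hit: no numeric filename
    "GET /efax/fax/555.zip HTTP/1.1",     # both sids: URI contains both tokens
]

if __name__ == "__main__":
    for sid, line in scan(SAMPLE_REQUESTS):
        print(sid, line)
```

Note that the pcre is not anchored to the /fax/ directory, so any 3-4 digit .zip anywhere in a URI that also contains the token fires the rule; that is the behaviour to keep in mind when reviewing false positives in your own traffic.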