Snort mailing list archives
Specific Office UAs with short URLs
From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Fri, 25 May 2018 19:22:03 +0000
Hi,

I have noticed this behavior with malicious documents to retrieve the next stage payload using the 'HEAD' and 'OPTIONS' http methods, with very short URLs, and in some cases shortened URLs, including the Ammyy RAT rule sent earlier. Admittedly, the rules may be prone to FPs. A larger scale testing would be nice. Pcaps are available.

# --------------------
# Date: 2018-05-16
# Title: Unexpected Office Network Traffic
# Reference: https://www.virustotal.com/#/file/d615a205d92898896b0f553a027ffd9b7b7cde0c29ebe0b1f9364e1cf2831236/detection, app.any.run/tasks/7375d12e-12f5-43e7-a868-ae1fb968e6df
# Tests: pcap

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Microsoft Office user-agent in HTTP request to shortened URL"; flow:to_server,established; urilen:<10; content:"OPTIONS"; http_method; content:"User-Agent: Microsoft Office "; fast_pattern:only; http_header; content:!"Accept"; http_header; pcre:"/User-Agent\x3a\sMicrosoft\sOffice\s(Protocol|Existence)\sDiscovery\x0d\x0a/H"; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/d615a205d92898896b0f553a027ffd9b7b7cde0c29ebe0b1f9364e1cf2831236/detection; reference:url,app.any.run/tasks/7375d12e-12f5-43e7-a868-ae1fb968e6df; classtype:misc-activity; sid:8000055; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Microsoft Office user-agent in HTTP request to shortened URL"; flow:to_server,established; urilen:<10; content:"HEAD"; http_method; content:"User-Agent: Microsoft Office "; fast_pattern:only; http_header; content:!"Accept"; http_header; content:!"Content-"; http_header; pcre:"/User-Agent\x3a\sMicrosoft\sOffice\s(Protocol|Existence)\sDiscovery\x0d\x0a/H"; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/d615a205d92898896b0f553a027ffd9b7b7cde0c29ebe0b1f9364e1cf2831236/detection; reference:url,app.any.run/tasks/7375d12e-12f5-43e7-a868-ae1fb968e6df; classtype:misc-activity; sid:8000056; rev:2;)

Thanks.
YM
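As an added example (not part of YM's post and not Snort code), a small Python check that applies the same conditions as the two rules above to raw HTTP requests, so the match logic can be tried against constructed samples before a larger pcap test. It only mirrors the urilen, http_method, http_header and pcre options; flow state and port matching are assumed to be handled elsewhere.

```python
import re
from typing import Dict, Optional

# Header pattern copied from the pcre option of sid 8000055 / 8000056.
UA_RE = re.compile(
    r"User-Agent\x3a\sMicrosoft\sOffice\s(Protocol|Existence)\sDiscovery\x0d\x0a"
)


def match_office_short_url(raw: bytes) -> Optional[int]:
    """Return the sid whose conditions this request satisfies, else None."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, _, headers = head.partition("\r\n")
    headers += "\r\n"                     # keep the trailing CRLF the pcre expects
    parts = request_line.split(" ")
    if len(parts) != 3:
        return None
    method, uri = parts[0], parts[1]
    if len(uri) >= 10:                    # urilen:<10
        return None
    if not UA_RE.search(headers):         # pcre:"/.../H"
        return None
    if "Accept" in headers:               # content:!"Accept"; http_header;
        return None
    if method == "OPTIONS":               # content:"OPTIONS"; http_method;
        return 8000055
    if method == "HEAD" and "Content-" not in headers:  # sid 8000056 extra negation
        return 8000056
    return None


# Constructed sample requests (no real hosts); the short path stands in for a shortened URL.
SAMPLES: Dict[str, bytes] = {
    "head_short":    b"HEAD /x7Tq2 HTTP/1.1\r\nHost: example.invalid\r\n"
                     b"User-Agent: Microsoft Office Existence Discovery\r\n\r\n",
    "options_short": b"OPTIONS /ab1 HTTP/1.1\r\nUser-Agent: Microsoft Office Protocol Discovery\r\n"
                     b"Host: example.invalid\r\n\r\n",
    "get_short":     b"GET /ab1 HTTP/1.1\r\nUser-Agent: Microsoft Office Protocol Discovery\r\n\r\n",
    "head_long_uri": b"HEAD /documents/report.docx HTTP/1.1\r\n"
                     b"User-Agent: Microsoft Office Existence Discovery\r\n\r\n",
    "head_accept":   b"HEAD /ab1 HTTP/1.1\r\nAccept: */*\r\n"
                     b"User-Agent: Microsoft Office Existence Discovery\r\n\r\n",
}


def run_samples() -> Dict[str, Optional[int]]:
    """Evaluate every constructed sample and report which sid (if any) it would trigger."""
    return {name: match_office_short_url(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, sid in run_samples().items():
        print(f"{name:14s} -> {sid}")
```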