Snort mailing list archives
Re: Office documents with commands in metadata
From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Mon, 2 Jul 2018 17:16:11 +0000
Here is another sample that uses metadata for command execution. The word "powershell" was removed but the rest of the command is still there. I don't have the sample or pcaps for this one.

2dbba3c394ee4562112e45293ecf89e66eb0f559a05bbed4f1f7fa6542ef6490
> https://www.virustotal.com/#/file/2dbba3c394ee4562112e45293ecf89e66eb0f559a05bbed4f1f7fa6542ef6490/detection

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Office document with executable command in metadata"; flow:to_server,established; flowbits:isset,file.doc|file.xls; file_data; content:"|1E 00 00 00|"; nocase; byte_extract:1,0,command_depth,relative; content:"|00 00|powershell"; within:command_depth; nocase; content:"|1E 00 00 00|"; distance:0; nocase; metadata:ruleset community, service imap, service pop3, service smtp; classtype:misc-activity; sid:8000160; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Office document with executable command in metadata"; flow:to_server,established; flowbits:isset,file.doc|file.xls; file_data; content:"|1E 00 00 00|"; nocase; byte_extract:1,0,command_depth,relative; content:"|00 00|net.webclient"; within:command_depth; nocase; content:"|1E 00 00 00|"; distance:0; nocase; metadata:ruleset community, service imap, service pop3, service smtp; classtype:misc-activity; sid:8000161; rev:1;)

Thanks.
YM

________________________________
From: Snort-sigs <snort-sigs-bounces () lists snort org> on behalf of Y M via Snort-sigs <snort-sigs () lists snort org>
Sent: Monday, June 11, 2018 10:13 PM
To: snort-sigs
Subject: [Snort-sigs] Office documents with commands in metadata

Hi,

This is an attempt to detect documents with executable commands (certutil and powershell) in their metadata, which are accessed via embedded VBScript. Lab-generated pcaps of malicious documents are available. I added these under indicator-compromise, but I'm not sure if this is the appropriate category.

Oh, and I am not sure if this is a good detection idea; more testing is needed.

# --------------------
# Date: 2018-06-10
# Title: Office files with executable commands in metadata
# Reference: Research
# Hashes:
# - f5f9f7f800a1f637395f34255e9937a878612573acf61dd41e1022869683e5da (no metadata)
# - f87837b933d0cda0b23c1b2be6a05db40d480fe87edd9494f026b351e571f6aa
# - fd8a6da88cfb37a8a220f4c5fb5bebc6dc8800e844a8ba843200037c86790c26
# Tests: pcap
# Confidence: low
# Notes: Seen in documents with CobaltStrike beaconing

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Office document with executable command in metadata"; flow:to_client,established; flowbits:isset,file.doc|file.xls; file_data; content:"|1E 00 00 00|"; nocase; byte_extract:1,0,command_depth,relative; content:"|00 00|certutil "; within:command_depth; nocase; content:" http"; within:command_depth; nocase; content:"|1E 00 00 00|"; distance:0; nocase; metadata:ruleset community, service http; classtype:misc-activity; sid:8000115; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Office document with executable command in metadata"; flow:to_client,established; flowbits:isset,file.doc|file.xls; file_data; content:"|1E 00 00 00|"; nocase; byte_extract:1,0,command_depth,relative; content:"|00 00|powershell"; within:command_depth; nocase; content:"|1E 00 00 00|"; distance:0; nocase; metadata:ruleset community, service http; classtype:misc-activity; sid:8000116; rev:1;)

Thanks.
YM
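As an added example (not YM's code and not part of the original thread), a small Python scanner that applies the same logic as the rules above to a document's byte stream: it finds VT_LPSTR-shaped property fields (the 1E 00 00 00 type marker, a 4-byte little-endian length, then the string) and flags those carrying the command tokens the rules match. The SAMPLE buffer and the encode_lpstr helper are constructed for illustration only.

```python
import struct

# Shape of a metadata string as the rules above match it: the VT_LPSTR type
# marker (0x1E as a little-endian DWORD), a 4-byte little-endian length,
# then the string bytes, normally NUL-terminated.
VT_LPSTR_MARKER = b"\x1e\x00\x00\x00"

# Command fragments the thread's rules look for, matched case-insensitively.
SUSPICIOUS_TOKENS = (b"certutil ", b"powershell", b"net.webclient")

def iter_lpstr_properties(data):
    """Yield (offset, string_bytes) for each VT_LPSTR-shaped field in data."""
    pos = 0
    while True:
        pos = data.find(VT_LPSTR_MARKER, pos)
        if pos < 0 or pos + 8 > len(data):
            return
        length = struct.unpack_from("<I", data, pos + 4)[0]
        start = pos + 8
        # Bound the length so a corrupt or crafted size cannot run off the buffer.
        if 0 < length <= len(data) - start:
            yield pos, data[start:start + length].rstrip(b"\x00")
        pos += len(VT_LPSTR_MARKER)

def find_command_metadata(data):
    """Return (offset, text) for every property that carries a suspicious token."""
    hits = []
    for offset, value in iter_lpstr_properties(data):
        lowered = value.lower()
        if any(token in lowered for token in SUSPICIOUS_TOKENS):
            hits.append((offset, value.decode("latin-1")))
    return hits

def encode_lpstr(text):
    """Build a VT_LPSTR-shaped field; constructed helper used for the sample only."""
    raw = text.encode("latin-1") + b"\x00"
    return VT_LPSTR_MARKER + struct.pack("<I", len(raw)) + raw

# Constructed sample: two benign properties around one that carries a command,
# in mixed case to show that the match is case-insensitive.
SAMPLE = (b"\x00" * 16 + encode_lpstr("Quarterly report")
          + encode_lpstr("PoWeRsHeLl New-Object Net.WebClient http://example.invalid/x")
          + encode_lpstr("Normal.dotm") + b"\xff" * 8)

if __name__ == "__main__":
    for offset, text in find_command_metadata(SAMPLE):
        print(f"offset {offset}: {text}")
```

Running it on an extracted OLE property stream (or a whole legacy .doc/.xls) lists the offending strings; on a file with only benign metadata it prints nothing.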
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads