Snort mailing list archives
Re: [Emerging-Sigs] New C2 Framework NorthStar Rules
From: Jason Taylor via Snort-sigs <snort-sigs () lists snort org>
Date: Tue, 19 May 2020 07:12:55 -0400
Hi Hasan! Thank you for the submission. We will take a look and get something into QA for today.

JT

On Mon, May 18, 2020 at 8:22 PM hasan ekin dumanogullari <ekinduman73 () gmail com> wrote:
Greetings! A friend of mine recently released a new open-source command & control framework named "NorthStar", so I wanted to be the first one to submit new rules :) These rules should be enough for hunting default installations of NorthStar C2. You can learn more about the architecture here: https://github.com/EnginDemirbilek/NorthStarC2/wiki/Architecture

# sid below is a placeholder: the original post left it as "x"; assign a local sid before loading
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible Compromise, NorthStar C2 Connection"; flow:established,to_server; content:"POST"; http_method; content:"/getjuice.php"; http_uri; classtype:trojan-activity; sid:1000000; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible Compromise, NorthStar C2 Connection"; flow:established,to_server; content:"POST"; http_method; content:"/smanage.php"; http_uri; classtype:trojan-activity; sid:100000001; rev:1;)

When the stager receives commands from the server it returns output to http://c2server/smanage.php. If that command is downloading a file from the compromised machine, then a POST request is made to http://c2server/getjuice.php.

Also pcap included where NorthStar C2 only communicates via HTTP or HTTPS, so I strongly suggest using the http.request filter on Wireshark.
192.168.0.24 -> C2 Machine
192.168.0.26 -> Victim computer

This is my first time submitting so sorry for the issues :)

Author : Hasan Ekin Dumanoğulları

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs () lists emergingthreats net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
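To see what the two submitted rules actually match, here is an added example (not code from the post, Snort, or the NorthStar project) that approximates Snort's `http_method`/`http_uri` content checks as case-sensitive substring matches over the HTTP request line and runs them against constructed request samples. The sid 1000000 for the first rule is a placeholder, since the post left it as "x"; the Host value "c2server" is taken from the post's example URLs.

```python
"""Toy re-implementation of the two NorthStar C2 Snort rules from the post."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    method: str  # compared against the request method (Snort http_method buffer)
    uri: str     # substring match on the request URI (Snort http_uri buffer)


# The two rules from the post; sid 1000000 is a placeholder (original had "x").
RULES = [
    Rule(1000000, "Possible Compromise, NorthStar C2 Connection", "POST", "/getjuice.php"),
    Rule(100000001, "Possible Compromise, NorthStar C2 Connection", "POST", "/smanage.php"),
]


def parse_request_line(raw: bytes) -> Optional[Tuple[str, str]]:
    """Return (method, uri) from the first line of an HTTP request, or None if malformed."""
    line = raw.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[0], parts[1]


def match_rules(raw: bytes, rules: List[Rule] = RULES) -> List[int]:
    """Return the sids of all rules whose method and URI contents match the request."""
    parsed = parse_request_line(raw)
    if parsed is None:
        return []
    method, uri = parsed
    # content matches in Snort are case-sensitive unless 'nocase' is set, so compare exactly
    return [r.sid for r in rules if r.method == method and r.uri in uri]


# Constructed sample requests (not from the pcap); Host taken from the post's URLs.
SAMPLES: Dict[str, bytes] = {
    "getjuice": b"POST /getjuice.php HTTP/1.1\r\nHost: c2server\r\n\r\n",
    "smanage_with_query": b"POST /smanage.php?id=1 HTTP/1.1\r\nHost: c2server\r\n\r\n",
    "benign_get": b"GET /smanage.php HTTP/1.1\r\nHost: c2server\r\n\r\n",
    "benign_post": b"POST /index.php HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
}


def scan(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, List[int]]:
    """Run every rule over every sample and report which sids fired per sample."""
    return {name: match_rules(req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, hits in scan().items():
        print(f"{name}: {hits}")
```

Note that a GET to the same path does not fire, which mirrors the `http_method` constraint in the submitted rules.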