Snort mailing list archives
Re: [Emerging-Sigs] New C2 Framework NorthStar Rules
From: Jason Taylor via Snort-sigs <snort-sigs () lists snort org>
Date: Tue, 19 May 2020 13:34:26 -0400
Hi Hasan! I just wanted to follow up and let you know that these are the rules that we put in for QA and will go out with the rule push today.

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NORTHSTAR Client CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/smanage.php?sid="; startswith; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:url,github.com/EnginDemirbilek/NorthStarC2/; classtype:command-and-control; sid:11; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NORTHSTAR Client Data POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/getjuice.php"; bsize:13; fast_pattern; http.content_type; content:"multipart/form-data|3b| boundary=---------------------"; startswith; http.header; content:"|0d 0a|Expect|3a 20|100-continue|0d 0a|"; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:url,github.com/EnginDemirbilek/NorthStarC2/; classtype:trojan-activity; sid:12; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NORTHSTAR Interactive Client CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/interact.php?slave="; startswith; fast_pattern; content:"&sid="; distance:0; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.referer; content:"clients.php"; endswith; reference:url,github.com/EnginDemirbilek/NorthStarC2/; classtype:command-and-control; sid:13; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NORTHSTAR Command Sent to Client"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"setCommand.nonfunction.php"; fast_pattern; endswith; http.referer; content:"interact.php?slave="; content:"&sid="; distance:0; http.request_body; content:"slave="; startswith; content:"&command="; distance:0; content:"&sid="; distance:0; content:"&token="; distance:0; reference:url,github.com/EnginDemirbilek/NorthStarC2/; classtype:command-and-control; sid:14; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NORTHSTAR Command Response"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getresponse.php?slave="; startswith; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/R"; http.referer; content:"interact.php?slave="; content:"&sid="; distance:0; reference:url,github.com/EnginDemirbilek/NorthStarC2/; classtype:command-and-control; sid:15; rev:1;)

We basically just updated the signatures you sent over for Suricata keywords (there are Snort versions of each of these rules as well, I just picked the Suricata 5.x versions). We also found additional signature opportunities in the pcap you sent over, so we added those rules. We also made some minor performance-related tweaks so these will run well across all the Suricata/Snort engines.

This was great work, thank you very much for submitting! We always appreciate rule and pcap submissions; as always, feel free to send any questions about signatures/pcap/etc. and we will do our best to answer them!

JT

On Tue, May 19, 2020 at 7:12 AM Jason Taylor <jastaylor () emergingthreats net> wrote:
Hi Hasan! Thank you for the submission. We will take a look and get something into QA for today.

JT

On Mon, May 18, 2020 at 8:22 PM hasan ekin dumanogullari <ekinduman73 () gmail com> wrote:

Greetings! A friend of mine recently released a new open-source command & control framework named "NorthStar", so I wanted to be the first one to submit new rules :) These rules should be enough for hunting default installations of NorthStar C2. You can learn more about the architecture here: https://github.com/EnginDemirbilek/NorthStarC2/wiki/Architecture

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible Compromise, NorthStar C2 Connection"; flow:established,to_server; content:"POST"; http_method; content:"/getjuice.php"; http_uri; classtype:trojan-activity; sid:x; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible Compromise, NorthStar C2 Connection"; flow:established,to_server; content:"POST"; http_method; content:"/smanage.php"; http_uri; classtype:trojan-activity; sid:100000001; rev:1;)

When the stager receives commands from the server it returns output to http://c2server/smanage.php. If that command is downloading a file from the compromised machine, then a POST request is made to http://c2server/getjuice.php.

Also, a pcap is included. NorthStar C2 only communicates via HTTP or HTTPS, so I strongly suggest using the http.request filter in Wireshark.

192.168.0.24 -> C2 Machine
192.168.0.26 -> Victim computer

This is my first time submitting, so sorry for the issues :)

Author: Hasan Ekin Dumanoğulları

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs () lists emergingthreats net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
Please visit http://blog.snort.org for the latest news about Snort!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Visit Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
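As an added illustration, not part of the thread and not code from Emerging Threats or the NorthStar project: the check-in rule (sid:11) above combines three conditions, a `startswith` URI prefix, a relative (`/R`) PCRE that requires the `sid=` value to be well-formed base64 with correct padding, and a negated `http.header_names` match that fires only when Referer and User-Agent are both absent. The Python below emulates those three checks so a rule author can unit-test the logic against constructed requests before pushing to QA. The regex is copied verbatim from the rule; the `/R` relative anchor is emulated by slicing off the already-matched prefix. The function names, the request tuples and the sample `sid` values are all constructed for this example.

```python
import re

# Base64 pattern copied verbatim from the pcre option of the sid:11 rule.
# In the rule it is anchored with /R (relative to the preceding content
# match); here we emulate that by matching only the text after the prefix.
B64_RE = re.compile(
    r"^(?:[A-Za-z0-9+/]{4})*"
    r"(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$"
)

# Prefix from: http.uri; content:"/smanage.php?sid="; startswith;
CHECKIN_PREFIX = "/smanage.php?sid="


def checkin_uri_matches(uri: str) -> bool:
    """Emulate the URI part of the rule: prefix must be at offset 0 and the
    remainder must be a complete, correctly padded base64 string."""
    if not uri.startswith(CHECKIN_PREFIX):
        return False
    rest = uri[len(CHECKIN_PREFIX):]
    return B64_RE.match(rest) is not None


def header_names_ok(headers: dict) -> bool:
    """Emulate http.header_names; content:!"Referer"; content:!"User-Agent".
    Header-name matching in the rule is case-insensitive by default, so
    normalise to lower case before comparing."""
    names = {name.lower() for name in headers}
    return "referer" not in names and "user-agent" not in names


def checkin_alert(method: str, uri: str, headers: dict) -> bool:
    """True when all three conditions of the sid:11 rule hold for a request."""
    return method == "GET" and checkin_uri_matches(uri) and header_names_ok(headers)


# Constructed sample requests (hypothetical values, not from the pcap).
SAMPLES = [
    # NorthStar-style check-in: bare GET with a padded base64 sid -> alert
    ("GET", "/smanage.php?sid=dGVzdA==", {"Host": "c2.example"}),
    # Same URI but a browser-like User-Agent is present -> no alert
    ("GET", "/smanage.php?sid=dGVzdA==", {"Host": "c2.example", "User-Agent": "Mozilla/5.0"}),
    # sid value is not valid base64 (missing padding) -> no alert
    ("GET", "/smanage.php?sid=dGVzdA", {"Host": "c2.example"}),
    # Empty sid value -> the regex requires at least one base64 group -> no alert
    ("GET", "/smanage.php?sid=", {"Host": "c2.example"}),
    # Prefix not at offset 0 (startswith fails) -> no alert
    ("GET", "/app/smanage.php?sid=YWJj", {"Host": "c2.example"}),
]


def evaluate_samples() -> list:
    """Run every constructed sample through the emulated rule."""
    return [checkin_alert(m, u, h) for (m, u, h) in SAMPLES]


if __name__ == "__main__":
    for (method, uri, headers), hit in zip(SAMPLES, evaluate_samples()):
        print(f"{'ALERT' if hit else 'pass '}  {method} {uri}  headers={sorted(headers)}")
```

The negated header-name checks are what keep this rule quiet on ordinary browser traffic to a similarly named path; the padded-base64 PCRE is what separates a NorthStar check-in from an arbitrary `sid=` query. Testing both halves separately, as the samples do, shows which condition suppresses a given false positive.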
Current thread:
- New C2 Framework NorthStar Rules hasan ekin dumanogullari via Snort-sigs (May 18)
- Re: [Emerging-Sigs] New C2 Framework NorthStar Rules Jason Taylor via Snort-sigs (May 19)
- Re: [Emerging-Sigs] New C2 Framework NorthStar Rules Jason Taylor via Snort-sigs (May 19)
- Re: [Emerging-Sigs] New C2 Framework NorthStar Rules Jason Taylor via Snort-sigs (May 19)