Snort mailing list archives
Koadic signatures
From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Fri, 12 Jun 2020 09:24:31 +0000
Hello,

Below signatures are for Koadic post-exploitation framework C&C. Looks something like: DOC | URL > Pull MSOLE2 (embedded .BAT files) > Pull another .BAT file > C&C to Koadic server (HTML/JS) > Drop executable. PCAPs available.

Snort 2:

alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE Koadic framework C&C outbound connection"; flow:to_server,established; content:"encoder:"; http_header; content:"shellchcp:"; http_header; metadata:ruleset community, service http; reference:url,attack.mitre.org/software/S0250; classtype:trojan-activity; sid:1000000; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE Koadic framework C&C outbound connection"; flow:to_server,established; content:"errdesc:"; http_header; content:"errno:"; http_header; content:"errname:"; http_header; content:"Referer:"; http_header; metadata:ruleset community, service http; reference:url,attack.mitre.org/software/S0250; classtype:trojan-activity; sid:1000001; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE Koadic framework C&C download payload outbound connection"; flow:to_server,established; content:"X-UploadFileJob:"; fast_pattern:only; http_header; content:"Referer:"; http_header; pcre:"/X-UploadFileJob:\s(true|false)\x0d\x0a/H"; metadata:ruleset community, service http; reference:url,attack.mitre.org/software/S0250; classtype:trojan-activity; sid:1000002; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE Koadic framework C&C outbound connection"; flow:to_server,established; content:"|5C|./mshtml,RunHTMLApplication"; fast_pattern:only; http_uri; content:"/html?"; http_uri; metadata:ruleset community, service http; reference:url,attack.mitre.org/software/S0250; classtype:trojan-activity; sid:1000003; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE Koadic framework C&C outbound connection"; flow:to_server,established; content:"=stage|3B|"; http_uri; content:"/html?"; http_uri; content:"Referer:"; http_header; metadata:ruleset community, service http; reference:url,attack.mitre.org/software/S0250; classtype:trojan-activity; sid:1000004; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE Koadic framework Windows host information exfiltration"; flow:to_server,established; content:"~~~Windows"; http_client_body; content:"~~~AMD"; distance:0; http_client_body; content:"~~~C:|5C|Users"; distance:0; http_client_body; metadata:ruleset community, service http; reference:url,attack.mitre.org/software/S0250; classtype:trojan-activity; sid:1000005; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE Windows route information exfiltration"; flow:to_server,established; content:"Interface List"; http_client_body; content:"IPv4 Route Table"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:1000006; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE Windows accounts information exfiltration"; flow:to_server,established; content:"NT AUTHORITY|5C|"; http_client_body; content:"CONSOLE LOGON"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:1000007; rev:1;)

Snort 3:

alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE Koadic framework C&C outbound connection"; flow:to_server,established; http_header; content:"encoder:"; content:"shellchcp:",fast_pattern; metadata:ruleset community; service:http; reference:url,attack.mitre.org/software/S0250; classtype:trojan-activity; sid:1000000; rev:1; )

alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE Koadic framework C&C outbound connection"; flow:to_server,established; http_header; content:"errdesc:",fast_pattern; content:"errno:"; content:"errname:"; content:"Referer:"; metadata:ruleset community; service:http; reference:url,attack.mitre.org/software/S0250; classtype:trojan-activity; sid:1000001; rev:1; )

alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE Koadic framework C&C download payload outbound connection"; flow:to_server,established; http_header; content:"X-UploadFileJob:",fast_pattern; content:"Referer:"; metadata:ruleset community; service:http; reference:url,attack.mitre.org/software/S0250; classtype:trojan-activity; sid:1000002; rev:1; )

alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE Koadic framework C&C outbound connection"; flow:to_server,established; http_uri; content:"|5C|./mshtml,RunHTMLApplication",fast_pattern; content:"/html?"; metadata:ruleset community; service:http; reference:url,attack.mitre.org/software/S0250; classtype:trojan-activity; sid:1000003; rev:1; )

alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE Koadic framework C&C outbound connection"; flow:to_server,established; http_uri; content:"=stage|3B|"; content:"/html?"; http_header; content:"Referer:"; metadata:ruleset community; service:http; reference:url,attack.mitre.org/software/S0250; classtype:trojan-activity; sid:1000004; rev:1; )

alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE Koadic framework Windows host information exfiltration"; flow:to_server,established; http_client_body; content:"~~~Windows"; content:"~~~AMD",distance 0; content:"~~~C:|5C|Users",distance 0; metadata:ruleset community; service:http; reference:url,attack.mitre.org/software/S0250; classtype:trojan-activity; sid:1000005; rev:1; )

alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE Windows route information exfiltration"; flow:to_server,established; http_client_body; content:"Interface List"; content:"IPv4 Route Table"; metadata:ruleset community; service:http; classtype:trojan-activity; sid:1000006; rev:1; )

alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE Windows User and Groups information exfiltration"; flow:to_server,established; http_client_body; content:"NT AUTHORITY|5C|"; content:"CONSOLE LOGON"; metadata:ruleset community; service:http; classtype:trojan-activity; sid:1000007; rev:1; )

Thank you.
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
Please visit http://blog.snort.org for the latest news about Snort!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
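An added example, not part of Y M's post and not Snort project code: a small Python matcher that re-implements the detection logic of the eight rules above over constructed HTTP requests, so the buffer each rule inspects (http_header, http_uri, http_client_body) and the distance:0 ordering chain in sid 1000005 can be checked offline before the rules go into a sensor. The host name, header values and body strings in the samples are constructed placeholders, not taken from the PCAPs the post mentions; the `ordered` helper and the `RULES` table are this example's own names.

```python
import re

# Constructed sample requests (placeholder host and values, not the post's PCAPs).
SAMPLES = {
    "beacon": (
        b"GET /html?sid=0 HTTP/1.1\r\n"
        b"Host: c2.example.invalid\r\n"
        b"encoder: 0\r\n"
        b"shellchcp: 437\r\n\r\n"
    ),
    "upload": (
        b"GET /html?sid=0 HTTP/1.1\r\n"
        b"Host: c2.example.invalid\r\n"
        b"Referer: http://c2.example.invalid/\r\n"
        b"X-UploadFileJob: true\r\n\r\n"
    ),
    "hostinfo": (
        b"POST /html?sid=0 HTTP/1.1\r\n"
        b"Host: c2.example.invalid\r\n"
        b"Content-Type: text/plain\r\n\r\n"
        b"~~~Windows 10 Pro~~~AMD64~~~C:\\Users\\alice~~~"
    ),
    # Same three fields in a different order: the distance:0 chain of sid 1000005
    # requires them in sequence, so this must NOT fire.
    "misordered": (
        b"POST /html?sid=0 HTTP/1.1\r\n"
        b"Host: c2.example.invalid\r\n\r\n"
        b"~~~AMD64~~~Windows 10 Pro~~~C:\\Users\\alice~~~"
    ),
    "benign": (
        b"GET /index.html HTTP/1.1\r\n"
        b"Host: www.example.com\r\n"
        b"Referer: https://www.example.com/\r\n\r\n"
    ),
}


def parse_request(raw: bytes) -> dict:
    """Split a raw request into the buffers the rules' http_* options inspect."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    uri = parts[1] if len(parts) > 1 else b""
    # Header block: every header line terminated by CRLF, matching the
    # \x0d\x0a the pcre in sid 1000002 expects after the value.
    header = b"\r\n".join(lines[1:]) + b"\r\n" if len(lines) > 1 else b""
    return {"uri": uri, "header": header, "body": body}


def ordered(buf: bytes, *needles: bytes) -> bool:
    """Emulate a content chain with distance:0 -- each match must start after
    the previous match ends, which is what makes field order matter."""
    pos = 0
    for needle in needles:
        idx = buf.find(needle, pos)
        if idx < 0:
            return False
        pos = idx + len(needle)
    return True


# One predicate per sid, each reading only the buffer its rule selects.
RULES = {
    1000000: lambda r: b"encoder:" in r["header"] and b"shellchcp:" in r["header"],
    1000001: lambda r: all(k in r["header"]
                           for k in (b"errdesc:", b"errno:", b"errname:", b"Referer:")),
    1000002: lambda r: b"Referer:" in r["header"]
             and re.search(rb"X-UploadFileJob:\s(true|false)\r\n", r["header"]) is not None,
    1000003: lambda r: b"\\./mshtml,RunHTMLApplication" in r["uri"] and b"/html?" in r["uri"],
    1000004: lambda r: b"=stage;" in r["uri"] and b"/html?" in r["uri"]
             and b"Referer:" in r["header"],
    1000005: lambda r: ordered(r["body"], b"~~~Windows", b"~~~AMD", b"~~~C:\\Users"),
    1000006: lambda r: b"Interface List" in r["body"] and b"IPv4 Route Table" in r["body"],
    1000007: lambda r: b"NT AUTHORITY\\" in r["body"] and b"CONSOLE LOGON" in r["body"],
}


def match_sids(raw: bytes) -> list:
    """Return the sorted list of sids whose logic matches this request."""
    req = parse_request(raw)
    return sorted(sid for sid, check in RULES.items() if check(req))


def run_samples() -> dict:
    """Evaluate every constructed sample; useful as a regression check when a rule is edited."""
    return {name: match_sids(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, sids in run_samples().items():
        print(f"{name:10s} -> {sids or 'no match'}")
```

Only the rule logic is emulated here; a real sensor also applies the flow and service constraints and normalises the URI before matching, so a sample that fires in this script should still be confirmed against the PCAPs with snort itself.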
Current thread:
- Koadic signatures Y M via Snort-sigs (Jun 12)
- Re: Koadic signatures Matthew Mickel (Jun 12)