Snort mailing list archives

Re: RAT sigs from CrowdStrike Report


From: Y M <snort () outlook com>
Date: Wed, 16 Jul 2014 20:21:10 +0000

Yes, now I remember reading this post (another face-palm) and double RTFM.
Thanks Joel.
YM

From: jesler () cisco com
To: snort () outlook com
CC: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] RAT sigs from CrowdStrike Report
Date: Wed, 16 Jul 2014 20:14:46 +0000

We may be able to add some of yours below, but check out:

http://vrt-blog.snort.org/2014/06/detection-for-putterpanda-we-got-this.html

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team

On Jul 16, 2014, at 4:05 PM, Y M <snort () outlook com> wrote:

So as soon as I started reading the CrowdStrike report (http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf) I tried writing sigs for what's in the report, only to find out later that it had the sigs written already (face-palm). Lesson of the day: RTFM.

Not sure if these are already in the current ruleset.

Here is my shot at it:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.4HRAT beacon request"; flow:to_server,established; content:"/search?"; http_uri; fast_pattern:only; pcre:"/\/search[0-9]{5}?/"; content:"h1="; http_uri; content:"&h2="; http_uri; content:"&h3="; http_uri; content:"&h4="; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf; classtype:trojan-activity; sid:100234; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.3PARA RAT initial beacon request"; flow:to_server,established; content:"GET"; http_method; content:"/default/connect.aspx?"; http_uri; fast_pattern:only; content:"ID="; http_uri; content:"User-Agent|3A 20|Mozilla/4.0|20 28|compatible|3B 20|MSIE 6.0|3B 20|Windows NT 5.1|29|"; http_header; content:!"Accept|3A 20|"; http_header; content:!"Content-Type|3A 20|"; http_header; content:!"Content-Length|3A 20|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf; classtype:trojan-activity; sid:100235; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.3PARA RAT C2 registration"; flow:to_server,established; content:"POST"; http_method; content:"/default/connect.aspx?"; http_uri; fast_pattern:only; content:"ID="; http_uri; content:"User-Agent|3A 20|Mozilla/4.0|20 28|compatible|3B 20|MSIE 6.0|3B 20|Windows NT 5.1|29|"; http_header; content:!"Accept|3A 20|"; http_header; content:!"Content-Type|3A 20|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf; classtype:trojan-activity; sid:100236; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.3PARA RAT task request"; flow:to_server,established; content:"/getupdate/default.aspx?ID="; http_uri; pcre:"/\x2fgetupdate\x2fdefault\x2easpx\x3fID=[0-9]{5}&para1=\x2d[0-9]{8,10}&para2=\x2d[0-9]{8,10}&para3=\x2d[0-9]{2}/"; content:"User-Agent|3A 20|Mozilla/4.0|20 28|compatible|3B 20|MSIE 6.0|3B 20|Windows NT 5.1|29|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf; classtype:trojan-activity; sid:100237; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.HTTPCLIENT beacon request"; flow:to_server,established; content:"/MicrosoftUpdate/ShellEX/KB"; http_uri; fast_pattern:only; pcre:"/\x2fMicrosoftUpdate\x2fShellEX\x2fKB[0-9]{7}\x2fdefault\x2easpx\x3ftmp=/"; content:"User-Agent|3A 20|Mozilla/4.0|20 28|compatible|3B 20|MSIE 6.0|3B 20|Windows NT 5.1|29|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf; classtype:trojan-activity; sid:100238; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.HTTPCLIENT C2 request"; flow:to_server,established; content:"/Microsoft/errorpost"; http_uri; fast_pattern:only; pcre:"/\x2fMicrosoft\x2ferrorpost[0-9]{7}\x2fdefault\x2easpx\x3ftmp=/"; content:"User-Agent|3A 20|Mozilla/4.0|20 28|compatible|3B 20|MSIE 6.0|3B 20|Windows NT 5.1|29|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf; classtype:trojan-activity; sid:100239; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.HTTPCLIENT C2 request"; flow:to_server,established; content:"/MicrosoftUpdate/GetUpdate/KB"; http_uri; fast_pattern:only; pcre:"/\x2fMicrosoftUpdate\x2fGetUpdate\x2fKB[0-9]{7}\x2fdefault\x2easpx\x3ftmp=/"; content:"User-Agent|3A 20|Mozilla/4.0|20 28|compatible|3B 20|MSIE 6.0|3B 20|Windows NT 5.1|29|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf; classtype:trojan-activity; sid:100240; rev:1;)

I guess some signatures can be made more generic.



YM
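Added example (Python; not from the thread and not Snort's own parser): a small checker that pulls the content and pcre options out of a rule like the ones above and runs them against a constructed request, so a URI pcre written with the wrong separator (\x3a for \x2f) is caught before the rule is deployed. The rule is constructed after the HTTPCLIENT beacon rule, the request is made up, and only |hex| escapes and the http_uri/http_header/http_method modifiers are handled.

```python
import re

# Added example, not code from the thread or from Snort itself. It extracts the
# content:/pcre: options of a Snort 2 rule and tests each one against a
# constructed HTTP request, naming the first option that fails. Only |hex|
# escapes and the http_uri/http_header/http_method modifiers are understood.

OPTION_RE = re.compile(r'\s*(\w+)(?::\s*(!?"(?:[^"\\]|\\.)*"|[^;]*))?;')
HEX_RE = re.compile(r'\|([0-9A-Fa-f ]*)\|')

def decode_content(text):
    """Expand Snort |3A 20| hex escapes inside a content string."""
    return HEX_RE.sub(lambda m: bytes.fromhex(m.group(1)).decode('latin-1'), text)

def parse_options(rule):
    """Return [[kind, negated, value, buffer], ...] for content/pcre options."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    opts = []
    for name, val in OPTION_RE.findall(body):
        if name in ('content', 'pcre'):
            opts.append([name, val.startswith('!'), val.lstrip('!').strip('"'), 'raw'])
        elif name in ('http_uri', 'http_header', 'http_method') and opts:
            opts[-1][3] = name[5:]          # modifier binds to the preceding content
    return opts

def check(rule, request):
    """request: dict with 'method', 'uri', 'header' and 'raw' buffers.
    Returns None when every option matches, else a note on the first failure."""
    for kind, neg, val, buf in parse_options(rule):
        if kind == 'content':
            hit = decode_content(val) in request[buf]
        else:                               # pcre:"/body/flags"; U = uri, H = header
            body, flags = val[1:].rsplit('/', 1)
            buf = 'uri' if 'U' in flags else 'header' if 'H' in flags else 'raw'
            hit = re.search(body, request[buf], re.I if 'i' in flags else 0) is not None
        if hit == neg:
            return f"{'!' if neg else ''}{kind}:{val!r} failed on {buf}"
    return None

# Constructed rule (after the HTTPCLIENT beacon rule above) and a made-up request.
RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"beacon"; '
        'flow:to_server,established; content:"/MicrosoftUpdate/ShellEX/KB"; http_uri; '
        'pcre:"/\\x2fMicrosoftUpdate\\x2fShellEX\\x2fKB[0-9]{7}\\x2fdefault\\x2easpx\\x3ftmp=/U"; '
        'content:"User-Agent|3A 20|Mozilla/4.0"; http_header; content:!"Accept|3A 20|"; '
        'http_header; sid:1000001; rev:1;)')
REQUEST = {'method': 'GET', 'uri': '/MicrosoftUpdate/ShellEX/KB1234567/default.aspx?tmp=1',
           'header': 'Host: example.invalid\r\nUser-Agent: Mozilla/4.0\r\n'}
REQUEST['raw'] = f"{REQUEST['method']} {REQUEST['uri']} HTTP/1.1\r\n{REQUEST['header']}"
```

check(RULE, REQUEST) returns None; replacing \x2f with \x3a in the pcre makes it report the pcre option, and adding an Accept header to the request makes the negated content fail instead.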




------------------------------------------------------------------------------

Want fast and easy access to all the code in your enterprise? Index and

search up to 200,000 lines of code with a free copy of Black Duck

Code Sight - the same software that powers the world's largest code

search on Ohloh, the Black Duck Open Hub! Try it now.

http://p.sf.net/sfu/bds_______________________________________________

Snort-sigs mailing list

Snort-sigs () lists sourceforge net

https://lists.sourceforge.net/lists/listinfo/snort-sigs

http://www.snort.org





Please visit http://blog.snort.org for the latest news about Snort!