Snort mailing list archives
Win.Trojan.WannaMine
From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Mon, 19 Feb 2018 18:24:49 +0000
Hi, Below rules are for detecting WannaMine C&C (excluding lateral movement), and file identity detection for PowerShell scripts. Pcap is available. alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WannaMine outbound connection attempt"; flow:to_server,established; content:"GET"; content:"/api.php?data="; fast_pattern:only; http_uri; content:!"Connection"; http_header; content:!"Accept"; http_header; content:!"Content"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:PowerShell/WannaMine; reference:url,https://otx.alienvault.com/pulse/5a7c5b0a6aefb6060f33f280; classtype:trojan-activity; sid:9000032; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WannaMine outbound connection attempt"; flow:to_server,established; content:"GET"; content:"/api.php?data="; fast_pattern:only; http_uri; content:"Connection|3A 20|Keep-Alive|0D 0A|"; http_header; content:!"Accept"; http_header; content:!"Content"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:PowerShell/WannaMine; reference:url,https://otx.alienvault.com/pulse/5a7c5b0a6aefb6060f33f280; classtype:trojan-activity; sid:9000033; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTITY Microsoft PowerShell script file download request"; flow:to_server,established; content:"GET"; http_method; content:".ps1"; fast_pattern:only; http_uri; pcre:"/\x2eps1([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.pwsh; flowbits:noalert; metadata:ruleset community, service http; classtype:misc-activity; sid:9000034; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE potential character manipulation in PowerShell script"; flow:to_client,established; file_data; content:"-split"; nocase; content:"foreach"; nocase; content:"convert"; nocase; content:"char"; nocase; content:"toint"; nocase; content:"tostring"; nocase; content:"set-item"; nocase; flowbits:isset,file.pwsh; metadata:ruleset community, service http; classtype:misc-activity; sid:9000035; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE potenital character manipulation in PowerShell script"; flow:to_client,established; file_data; content:"foreach"; nocase; content:"convert"; nocase; content:"char"; nocase; content:"toint"; nocase; content:"tostring"; nocase; content:"set-item"; nocase; flowbits:isset,file.pwsh; metadata:ruleset community, service http; classtype:misc-activity; sid:9000036; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft PowerShell script file attachment detected"; flow:to_server,established; content:".ps1"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eps1/i"; flowbits:set,file.pwsh; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:9000037; rev:1;) Thanks. YM
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists snort org https://lists.snort.org/mailman/listinfo/snort-sigs Please visit http://blog.snort.org for the latest news about Snort! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads">emerging threats</a>!
Current thread:
- Win.Trojan.WannaMine Y M via Snort-sigs (Feb 19)
- Re: Win.Trojan.WannaMine Phillip Lee (Feb 20)