Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Win.Trojan.WannaMine

From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Mon, 19 Feb 2018 18:24:49 +0000
Hi,


Below rules are for detecting WannaMine C&C (excluding lateral movement), and file identity detection for PowerShell 
scripts. Pcap is available.


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WannaMine outbound connection 
attempt"; flow:to_server,established; content:"GET"; content:"/api.php?data="; fast_pattern:only; http_uri; 
content:!"Connection"; http_header; content:!"Accept"; http_header; content:!"Content"; http_header; 
content:!"Referer"; http_header; metadata:ruleset community, service http; 
reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:PowerShell/WannaMine; 
reference:url,https://otx.alienvault.com/pulse/5a7c5b0a6aefb6060f33f280; classtype:trojan-activity; sid:9000032; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WannaMine outbound connection 
attempt"; flow:to_server,established; content:"GET"; content:"/api.php?data="; fast_pattern:only; http_uri; 
content:"Connection|3A 20|Keep-Alive|0D 0A|"; http_header; content:!"Accept"; http_header; content:!"Content"; 
http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; 
reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:PowerShell/WannaMine; 
reference:url,https://otx.alienvault.com/pulse/5a7c5b0a6aefb6060f33f280; classtype:trojan-activity; sid:9000033; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTITY Microsoft PowerShell script file download 
request"; flow:to_server,established; content:"GET"; http_method; content:".ps1"; fast_pattern:only; http_uri; 
pcre:"/\x2eps1([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.pwsh; flowbits:noalert; metadata:ruleset community, service 
http; classtype:misc-activity; sid:9000034; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE potential character manipulation in 
PowerShell script"; flow:to_client,established; file_data; content:"-split"; nocase; content:"foreach"; nocase; 
content:"convert"; nocase; content:"char"; nocase; content:"toint"; nocase; content:"tostring"; nocase; 
content:"set-item"; nocase; flowbits:isset,file.pwsh; metadata:ruleset community, service http; 
classtype:misc-activity; sid:9000035; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE potenital character manipulation in 
PowerShell script"; flow:to_client,established; file_data; content:"foreach"; nocase; content:"convert"; nocase; 
content:"char"; nocase; content:"toint"; nocase; content:"tostring"; nocase; content:"set-item"; nocase; 
flowbits:isset,file.pwsh; metadata:ruleset community, service http; classtype:misc-activity; sid:9000036; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft PowerShell script file attachment 
detected"; flow:to_server,established; content:".ps1"; fast_pattern:only; content:"Content-Disposition: 
attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eps1/i"; flowbits:set,file.pwsh; 
flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:9000037; rev:1;)

Thanks.
YM


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
Previous By Date Next
Previous By Thread Next

Current thread: