Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Win.Trojan.WannaMine

From: Phillip Lee <phillile () sourcefire com>
Date: Tue, 20 Feb 2018 07:14:08 -0500
Yaser,

Thanks for your submission. We will review the rules and get back to you when they're finished. 

Can you send along the pcaps that you have? 

Regards,
Phil Lee
Cisco Talos


On Feb 19, 2018, at 1:24 PM, Y M via Snort-sigs <snort-sigs () lists snort org> wrote:

Hi,

Below rules are for detecting WannaMine C&C (excluding lateral movement), and file identity detection for PowerShell 
scripts. Pcap is available.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WannaMine outbound connection 
attempt"; flow:to_server,established; content:"GET"; content:"/api.php?data="; fast_pattern:only; http_uri; 
content:!"Connection"; http_header; content:!"Accept"; http_header; content:!"Content"; http_header; 
content:!"Referer"; http_header; metadata:ruleset community, service http; 
reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:PowerShell/WannaMine 
<http://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:PowerShell/WannaMine>; 
reference:url,https://otx.alienvault.com/pulse/5a7c5b0a6aefb6060f33f280 
<https://otx.alienvault.com/pulse/5a7c5b0a6aefb6060f33f280>; classtype:trojan-activity; sid:9000032; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WannaMine outbound connection 
attempt"; flow:to_server,established; content:"GET"; content:"/api.php?data="; fast_pattern:only; http_uri; 
content:"Connection|3A 20|Keep-Alive|0D 0A|"; http_header; content:!"Accept"; http_header; content:!"Content"; 
http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; 
reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:PowerShell/WannaMine 
<http://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:PowerShell/WannaMine>; 
reference:url,https://otx.alienvault.com/pulse/5a7c5b0a6aefb6060f33f280 
<https://otx.alienvault.com/pulse/5a7c5b0a6aefb6060f33f280>; classtype:trojan-activity; sid:9000033; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTITY Microsoft PowerShell script file download 
request"; flow:to_server,established; content:"GET"; http_method; content:".ps1"; fast_pattern:only; http_uri; 
pcre:"/\x2eps1([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.pwsh; flowbits:noalert; metadata:ruleset community, service 
http; classtype:misc-activity; sid:9000034; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE potential character manipulation in 
PowerShell script"; flow:to_client,established; file_data; content:"-split"; nocase; content:"foreach"; nocase; 
content:"convert"; nocase; content:"char"; nocase; content:"toint"; nocase; content:"tostring"; nocase; 
content:"set-item"; nocase; flowbits:isset,file.pwsh; metadata:ruleset community, service http; 
classtype:misc-activity; sid:9000035; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE potenital character manipulation in 
PowerShell script"; flow:to_client,established; file_data; content:"foreach"; nocase; content:"convert"; nocase; 
content:"char"; nocase; content:"toint"; nocase; content:"tostring"; nocase; content:"set-item"; nocase; 
flowbits:isset,file.pwsh; metadata:ruleset community, service http; classtype:misc-activity; sid:9000036; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft PowerShell script file attachment 
detected"; flow:to_server,established; content:".ps1"; fast_pattern:only; content:"Content-Disposition: 
attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eps1/i"; flowbits:set,file.pwsh; 
flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:9000037; rev:1;)

Thanks.
YM

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org <mailto:Snort-sigs () lists snort org>
https://lists.snort.org/mailman/listinfo/snort-sigs <https://lists.snort.org/mailman/listinfo/snort-sigs>

Please visit http://blog.snort.org <http://blog.snort.org/> for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette 
<https://snort.org/faq/what-is-the-mailing-list-etiquette>

Visit the Snort.org <http://snort.org/> to subscribe to the official Snort ruleset, make sure to stay up to date to 
catch the most <a href=" https://snort.org/downloads/#rule-downloads 
<https://snort.org/downloads/#rule-downloads>">emerging threats</a>!



_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
Previous By Date Next
Previous By Thread Next

Current thread: