Re: Office documents with commands in metadata

[Y M via Snort-sigs <snort-sigs () lists snort org>]

Here is another sample that uses metadata for command execution. The word "powershell" was removed but the rest of the 
command is still there. I don't have the sample or pcaps for this one.

2dbba3c394ee4562112e45293ecf89e66eb0f559a05bbed4f1f7fa6542ef6490 > 
https://www.virustotal.com/#/file/2dbba3c394ee4562112e45293ecf89e66eb0f559a05bbed4f1f7fa6542ef6490/detection

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Office document with executable 
command in metadata"; flow:to_server,established; flowbits:isset,file.doc|file.xls; file_data; content:"|1E 00 00 00|"; 
nocase; byte_extract:1,0,command_depth,relative; content:"|00 00|powershell"; within:command_depth; nocase; 
content:"|1E 00 00 00|"; distance:0; nocase; metadata:ruleset community, service imap, service pop3, service smtp; 
classtype:misc-activity; sid:8000160; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Office document with executable 
command in metadata"; flow:to_server,established; flowbits:isset,file.doc|file.xls; file_data; content:"|1E 00 00 00|"; 
nocase; byte_extract:1,0,command_depth,relative; content:"|00 00|net.webclient"; within:command_depth; nocase; 
content:"|1E 00 00 00|"; distance:0; nocase; metadata:ruleset community, service imap, service pop3, service smtp; 
classtype:misc-activity; sid:8000161; rev:1;)

Thanks.
YM
________________________________
From: Snort-sigs <snort-sigs-bounces () lists snort org> on behalf of Y M via Snort-sigs <snort-sigs () lists snort org>
Sent: Monday, June 11, 2018 10:13 PM
To: snort-sigs
Subject: [Snort-sigs] Office documents with commands in metadata

Hi,

This an attempt to detect documents with executable commands (certutil and powershell) in their metadata, which are 
accessed via embedded VBScript. Lab-generated pcaps of malicious documents are available. I added these under 
indicator-compromise, but I'm not sure if this is the appropriate category. Oh, and I am not sure if this a good 
detection idea; more testing is needed.

# --------------------
# Date: 2018-06-10
# Title: Office files with executable commands in metadata
# Reference: Research
# Hashes:
#     - f5f9f7f800a1f637395f34255e9937a878612573acf61dd41e1022869683e5da (no metadata)
#     - f87837b933d0cda0b23c1b2be6a05db40d480fe87edd9494f026b351e571f6aa
#     - fd8a6da88cfb37a8a220f4c5fb5bebc6dc8800e844a8ba843200037c86790c26
# Tests: pcap
# Confidence: low
# Notes: Seen in documents with CobaltStrike beaconing

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Office document with executable 
command in metadata"; flow:to_client,established; flowbits:isset,file.doc|file.xls; file_data; content:"|1E 00 00 00|"; 
nocase; byte_extract:1,0,command_depth,relative; content:"|00 00|certutil "; within:command_depth; nocase; content:" 
http"; within:command_depth; nocase; content:"|1E 00 00 00|"; distance:0; nocase; metadata:ruleset community, service 
http; classtype:misc-activity; sid:8000115; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Office document with executable 
command in metadata"; flow:to_client,established; flowbits:isset,file.doc|file.xls; file_data; content:"|1E 00 00 00|"; 
nocase; byte_extract:1,0,command_depth,relative; content:"|00 00|powershell"; within:command_depth; nocase; 
content:"|1E 00 00 00|"; distance:0; nocase; metadata:ruleset community, service http; classtype:misc-activity; 
sid:8000116; rev:1;)

Thanks.
YM

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!