Snort mailing list archives

Multiple signatures 013


From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Mon, 27 Aug 2018 20:06:16 +0000

Hi,

Yet another DNS tunneling sample and signatures below. Also adding signatures for CVE-2018-8414 in PDFs. Pcaps are 
available.

Should have worked on these before forwarding 012. Sorry for the noise :).

Thanks.
YM

# --------------------
# Date: 2018-08-27
# Title: CVE-2018-8414 Samples In The Wild
# Reference:
#    - http://sketchymoose.blogspot.com/2018/08/cve-2018-8414-samples-in-wild.html
# Hashes:
#    - 8efd5b60d6d60ebbee17c25936a246d06708759c11a059b3bc8216465fa44651
#    - 52f53561f68b971cc327348f1746fca9413f904260a764f0d372cf5588ed1ace
# Tests: pcap (file2pcap)
# Confidence: medium
# Notes:
#    1. Signatures are only for the PDF transfer. Wasn't able to get a hold of the DOCX file.
#    2. Each signature has a PCRE and NON-PCRE variant.

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE PDF with embedded SettingContent-ms file type download attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:".SettingContent-ms)"; fast_pattern:only; content:"stream"; within:1000; nocase; content:"<"; distance:0; nocase; pcre:"/<[\?xml\x20]/i"; metadata:ruleset community, service http; reference:cve,2018-8414; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8414; classtype:attempted-user; sid:8000303; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE PDF with embedded SettingContent-ms file type download attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:".exportDataObject("; content:".SettingContent-ms|22|"; fast_pattern:only; content:"nLaunch"; distance:0; metadata:ruleset community, service http; reference:cve,2018-8414; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8414; classtype:attempted-user; sid:8000304; rev:1;)

alert tcp any any -> any any (msg:"INDICATOR-COMPROMISE PDF with embedded SettingContent-ms file type download attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:".SettingContent-ms)"; fast_pattern:only; content:"stream"; within:1000; nocase; content:"3c"; distance:0; nocase; pcre:"/3c[3f786d6c\x20]/i"; metadata:ruleset community, service smtp; reference:cve,2018-8414; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8414; classtype:attempted-user; sid:8000305; rev:1;)

alert tcp any any -> any any (msg:"INDICATOR-COMPROMISE PDF with embedded SettingContent-ms file type download attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:".exportDataObject("; content:".SettingContent-ms|22|"; fast_pattern:only; content:"nLaunch"; distance:0; metadata:ruleset community, service smtp; reference:cve,2018-8414; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8414; classtype:attempted-user; sid:8000306; rev:1;)

# --------------------
# Date: 2018-08-27
# Title: C&C Commands via DNS TXT Tunneling
# Tests: pcap
# Reference: Research
# Hashes:
#    - ab8599b16ea4a88190487b33c3cc5516f1d4274d3fc40323cdc3cfa441d0c4f1
# Notes:
#    1. Unique commands:
#       N0000>0
#       S000s>10110
#       C0000>0
#       S000s>10100
#       S0000>ZGlyIGM6XHVzZXJz > dir c:\users
#       S0000>d2hvYW1pJmlwY29uZmlnIC9hbGw= > whoami&ipconfig /all
# Confidence: medium

alert udp any any -> $HOME_NET any (msg:"MALWARE-CNC DNS tunneling via TXT RR Response detected"; flow:to_client; content:"|00 10 00 01|"; byte_test:1,=,7,6,relative; content:"N0000>0"; distance:7; fast_pattern; isdataat:!1,relative; metadata:ruleset community, service dns; reference:url,attack.mitre.org/wiki/Technique/T1094; classtype:trojan-activity; sid:8000307; rev:1;)

alert udp any any -> $HOME_NET any (msg:"MALWARE-CNC DNS tunneling via TXT RR Response detected"; flow:to_client; content:"|00 10 00 01|"; byte_test:1,=,7,6,relative; content:"C0000>0"; distance:7; fast_pattern; isdataat:!1,relative; metadata:ruleset community, service dns; reference:url,attack.mitre.org/wiki/Technique/T1094; classtype:trojan-activity; sid:8000308; rev:1;)

alert udp any any -> $HOME_NET any (msg:"MALWARE-CNC DNS tunneling via TXT RR Response detected"; flow:to_client; content:"|00 10 00 01|"; content:"S0000>"; distance:7; fast_pattern; metadata:ruleset community, service dns; reference:url,attack.mitre.org/wiki/Technique/T1094; classtype:trojan-activity; sid:8000309; rev:1;)

alert udp any any -> $HOME_NET any (msg:"MALWARE-CNC DNS tunneling via TXT RR Response detected"; flow:to_client; content:"|00 10 00 01|"; content:"S000s>"; distance:7; fast_pattern; metadata:ruleset community, service dns; reference:url,attack.mitre.org/wiki/Technique/T1094; classtype:trojan-activity; sid:8000310; rev:1;)
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
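Added example, not part of YM's post: the TXT-record checks that the four DNS rules above encode (TYPE/CLASS bytes, the length byte at relative offset 6, the text at distance 7, and the trailing isdataat check), rewritten in Python so the offsets can be verified against a constructed DNS reply, with the S0000> payload base64-decoded as the note describes. The query name c2.example.test, the response builder and the TTL value are assumptions.

```python
import base64
import struct

# TYPE=TXT (16) followed by CLASS=IN (1): the bytes the rules anchor on with content:"|00 10 00 01|"
TXT_IN = b"\x00\x10\x00\x01"


def build_txt_response(qname, txt, txn_id=0x1234):
    """Constructed DNS reply with a single TXT answer (sample data, not a real capture)."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    header = struct.pack(">HHHHHH", txn_id, 0x8180, 1, 1, 0, 0)   # QR=1, 1 question, 1 answer
    question = labels + b"\x00" + TXT_IN
    rdata = bytes([len(txt)]) + txt                                # TXT RDATA is <len><string>
    answer = b"\xc0\x0c" + TXT_IN + struct.pack(">IH", 60, len(rdata)) + rdata
    return header + question + answer


def txt_strings(payload):
    """Yield (string, nothing_follows) for every TYPE/CLASS hit, the way Snort retries a
    content match: skip TTL(4)+RDLENGTH(2), read the length byte at relative offset 6
    (byte_test:1,=,N,6,relative) and the text at distance:7 from the 4-byte match."""
    pos = payload.find(TXT_IN)
    while pos != -1:
        base = pos + len(TXT_IN)
        if len(payload) > base + 6:
            n = payload[base + 6]
            s = payload[base + 7:base + 7 + n]
            if n and len(s) == n:                  # the QTYPE/QCLASS hit in the question gives n == 0
                yield s, base + 7 + n == len(payload)   # isdataat:!1,relative
        pos = payload.find(TXT_IN, pos + 1)


def detect(payload):
    """Apply the four rule conditions from the post; return (sid, decoded command) or None."""
    for s, at_end in txt_strings(payload):
        if s == b"N0000>0" and at_end:             # sid 8000307: length byte == 7, nothing after
            return 8000307, "N0000>0"
        if s == b"C0000>0" and at_end:             # sid 8000308
            return 8000308, "C0000>0"
        if s.startswith(b"S0000>"):                # sid 8000309: base64 command per the note
            try:
                cmd = base64.b64decode(s[6:]).decode("utf-8", "replace")
            except ValueError:                     # malformed base64: keep the raw text
                cmd = s[6:].decode("ascii", "replace")
            return 8000309, cmd
        if s.startswith(b"S000s>"):                # sid 8000310
            return 8000310, s[6:].decode("ascii", "replace")
    return None
```

Feed detect() the UDP payload of a DNS reply; the returned sid is the rule whose condition the packet satisfies, which also makes visible that sids 8000309/8000310 have no length or end-of-packet check and fire on any string with that prefix.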
