Snort mailing list archives
Multiple signatures 013
From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Mon, 27 Aug 2018 20:06:16 +0000
Hi,

Yet another DNS tunneling sample and signatures below. Also adding signatures for CVE-2018-8414 in PDFs. Pcaps are available. Should have worked on these before forwarding 012. Sorry for the noise :).

Thanks.
YM

# --------------------
# Date: 2018-08-27
# Title: CVE-2018-8414 Samples In The Wild
# Reference:
# - http://sketchymoose.blogspot.com/2018/08/cve-2018-8414-samples-in-wild.html
# Hashes:
# - 8efd5b60d6d60ebbee17c25936a246d06708759c11a059b3bc8216465fa44651
# - 52f53561f68b971cc327348f1746fca9413f904260a764f0d372cf5588ed1ace
# Tests: pcap (file2pcap)
# Confidence: medium
# Notes:
# 1. Signatures are only for the PDF transfer. Wasn't able to get a hold of the DOCX file.
# 2. Each signature has a PCRE and NON-PCRE variant.

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE PDF with embedded SettingContent-ms file type download attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:".SettingContent-ms)"; fast_pattern:only; content:"stream"; within:1000; nocase; content:"<"; distance:0; nocase; pcre:"/<[\?xml\x20]/i"; metadata:ruleset community, service http; reference:cve,2018-8414; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8414; classtype:attempted-user; sid:8000303; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE PDF with embedded SettingContent-ms file type download attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:".exportDataObject("; content:".SettingContent-ms|22|"; fast_pattern:only; content:"nLaunch"; distance:0; metadata:ruleset community, service http; reference:cve,2018-8414; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8414; classtype:attempted-user; sid:8000304; rev:1;)

alert tcp any any -> any any (msg:"INDICATOR-COMPROMISE PDF with embedded SettingContent-ms file type download attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:".SettingContent-ms)"; fast_pattern:only; content:"stream"; within:1000; nocase; content:"3c"; distance:0; nocase; pcre:"/3c[3f786d6c\x20]/i"; metadata:ruleset community, service smtp; reference:cve,2018-8414; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8414; classtype:attempted-user; sid:8000305; rev:1;)

alert tcp any any -> any any (msg:"INDICATOR-COMPROMISE PDF with embedded SettingContent-ms file type download attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:".exportDataObject("; content:".SettingContent-ms|22|"; fast_pattern:only; content:"nLaunch"; distance:0; metadata:ruleset community, service smtp; reference:cve,2018-8414; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8414; classtype:attempted-user; sid:8000306; rev:1;)

# --------------------
# Date: 2018-08-27
# Title: C&C Commands via DNS TXT Tunneling
# Tests: pcap
# Reference: Research
# Hashes:
# - ab8599b16ea4a88190487b33c3cc5516f1d4274d3fc40323cdc3cfa441d0c4f1
# Notes:
# 1. Unique commands:
# N0000>0
# S000s>10110
# C0000>0
# S000s>10100
# S0000>ZGlyIGM6XHVzZXJz > dir c:\users
# S0000>d2hvYW1pJmlwY29uZmlnIC9hbGw= > whoami&ipconfig /all
# Confidence: medium

alert udp any any -> $HOME_NET any (msg:"MALWARE-CNC DNS tunneling via TXT RR Response detected"; flow:to_client; content:"|00 10 00 01|"; byte_test:1,=,7,6,relative; content:"N0000>0"; distance:7; fast_pattern; isdataat:!1,relative; metadata:ruleset community, service dns; reference:url,attack.mitre.org/wiki/Technique/T1094; classtype:trojan-activity; sid:8000307; rev:1;)

alert udp any any -> $HOME_NET any (msg:"MALWARE-CNC DNS tunneling via TXT RR Response detected"; flow:to_client; content:"|00 10 00 01|"; byte_test:1,=,7,6,relative; content:"C0000>0"; distance:7; fast_pattern; isdataat:!1,relative; metadata:ruleset community, service dns; reference:url,attack.mitre.org/wiki/Technique/T1094; classtype:trojan-activity; sid:8000308; rev:1;)

alert udp any any -> $HOME_NET any (msg:"MALWARE-CNC DNS tunneling via TXT RR Response detected"; flow:to_client; content:"|00 10 00 01|"; content:"S0000>"; distance:7; fast_pattern; metadata:ruleset community, service dns; reference:url,attack.mitre.org/wiki/Technique/T1094; classtype:trojan-activity; sid:8000309; rev:1;)

alert udp any any -> $HOME_NET any (msg:"MALWARE-CNC DNS tunneling via TXT RR Response detected"; flow:to_client; content:"|00 10 00 01|"; content:"S000s>"; distance:7; fast_pattern; metadata:ruleset community, service dns; reference:url,attack.mitre.org/wiki/Technique/T1094; classtype:trojan-activity; sid:8000310; rev:1;)
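The two rule groups above encode their detection logic as Snort content offsets, which are easy to misread. The following Python is an added example (not part of the post or of the Snort ruleset) that re-implements both checks over constructed sample data so the offsets can be stepped through: the PDF check approximates sid 8000304 (all three strings present, with "nLaunch" after the exportDataObject call), and the DNS check mirrors sids 8000307-8000310 (after the TXT/IN marker, skip TTL(4)+RDLENGTH(2), read the TXT length byte that byte_test inspects, and the string distance:7 lands on). The function names, the minimal DNS response builder and the sample PDF/TXT strings are assumptions constructed for the example; the hex-encoded SMTP variants are not modelled.

```python
import base64
import re

# ---- CVE-2018-8414 PDF rule (approximation of sid 8000304, non-PCRE variant) ----

def pdf_has_settingcontent_launch(pdf: bytes) -> bool:
    """True when the PDF body carries an exportDataObject call, a
    .SettingContent-ms filename and an nLaunch option after the call.
    Hypothetical helper; the rule's fast_pattern:only content is treated
    as an unordered presence check."""
    call = pdf.find(b".exportDataObject(")
    if call == -1:
        return False
    if re.search(rb'\.SettingContent-ms"', pdf) is None:
        return False
    return pdf.find(b"nLaunch", call) != -1


# Constructed sample bodies (not real samples from the post).
PDF_SUSPECT = (b"%PDF-1.7\n1 0 obj\n<< /S /JavaScript /JS "
               b'(this.exportDataObject({cName: "x.SettingContent-ms", nLaunch: 2});)'
               b" >>\nendobj\n")
PDF_BENIGN = b'%PDF-1.7\n1 0 obj\n<< /S /JavaScript /JS (app.alert("hi");) >>\nendobj\n'


# ---- DNS TXT tunneling rules (sids 8000307-8000310) ----

TXT_IN = b"\x00\x10\x00\x01"   # TYPE=TXT, CLASS=IN, i.e. content:"|00 10 00 01|"


def build_txt_response(txt: bytes, qname: bytes = b"c2.example.invalid") -> bytes:
    """Constructed minimal DNS response with one TXT answer RR (sample input)."""
    header = b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"   # 1 question, 1 answer
    name = b"".join(bytes([len(p)]) + p for p in qname.split(b".")) + b"\x00"
    question = name + TXT_IN
    rdata = bytes([len(txt)]) + txt                                  # <len><character-string>
    answer = b"\xc0\x0c" + TXT_IN + b"\x00\x00\x00\x3c" + len(rdata).to_bytes(2, "big") + rdata
    return header + question + answer


def txt_tunnel_commands(payload: bytes):
    """Apply the rules' offset logic to every TXT/IN marker in the payload.
    Returns (prefix, kind, decoded) tuples for matching TXT strings."""
    hits = []
    start = 0
    while (i := payload.find(TXT_IN, start)) != -1:
        start = i + 1
        base = i + len(TXT_IN)            # relative position after the marker
        if base + 7 > len(payload):
            continue
        txt_len = payload[base + 6]       # byte_test:1,=,7,6,relative reads this byte
        txt = payload[base + 7: base + 7 + txt_len]   # distance:7 starts here
        trailing = payload[base + 7 + txt_len:]       # isdataat:!1,relative => must be empty
        # The question section also contains TYPE/CLASS=TXT/IN; there the byte at
        # offset 6 is a TTL byte and the length/trailing checks fail, so no hit.
        if txt_len == 7 and txt in (b"N0000>0", b"C0000>0") and not trailing:
            hits.append((txt[:5].decode(), "beacon", None))
        elif txt.startswith(b"S0000>"):
            try:
                cmd = base64.b64decode(txt[6:], validate=True).decode("latin-1")
            except (ValueError, UnicodeDecodeError):
                cmd = None
            hits.append(("S0000", "command", cmd))
        elif txt.startswith(b"S000s>"):
            hits.append(("S000s", "status", txt[6:].decode("latin-1")))
    return hits


if __name__ == "__main__":
    print(pdf_has_settingcontent_launch(PDF_SUSPECT), pdf_has_settingcontent_launch(PDF_BENIGN))
    for sample in (b"N0000>0", b"S0000>ZGlyIGM6XHVzZXJz", b"S000s>10110"):
        print(sample, txt_tunnel_commands(build_txt_response(sample)))
```

Two things the emulation makes visible: the "|00 10 00 01|" marker also appears in the question section of every TXT lookup, so it is the byte_test on the length byte and the isdataat check (for the fixed-length beacons) that stop the beacon rules from firing on ordinary queries; and the S0000> rules deliberately omit isdataat because the base64 command that follows is variable length, which is why the page's rules 8000309 and 8000310 have no length test.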
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads