Snort mailing list archives

Re: [Emerging-Sigs] New C2 Framework NorthStar Rules


From: Jason Taylor via Snort-sigs <snort-sigs () lists snort org>
Date: Tue, 19 May 2020 13:34:26 -0400

Hi Hasan!

I just wanted to follow up and let you know that these are the rules
that we put in for QA and will go out with the rule push today.

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NORTHSTAR Client CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/smanage.php?sid="; startswith; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:url,github.com/EnginDemirbilek/NorthStarC2/; classtype:command-and-control; sid:11; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NORTHSTAR Client Data POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/getjuice.php"; bsize:13; fast_pattern; http.content_type; content:"multipart/form-data|3b| boundary=---------------------"; startswith; http.header; content:"|0d 0a|Expect|3a 20|100-continue|0d 0a|"; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:url,github.com/EnginDemirbilek/NorthStarC2/; classtype:trojan-activity; sid:12; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NORTHSTAR Interactive Client CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/interact.php?slave="; startswith; fast_pattern; content:"&sid="; distance:0; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.referer; content:"clients.php"; endswith; reference:url,github.com/EnginDemirbilek/NorthStarC2/; classtype:command-and-control; sid:13; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NORTHSTAR Command Sent to Client"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"setCommand.nonfunction.php"; fast_pattern; endswith; http.referer; content:"interact.php?slave="; content:"&sid="; distance:0; http.request_body; content:"slave="; startswith; content:"&command="; distance:0; content:"&sid="; distance:0; content:"&token="; distance:0; reference:url,github.com/EnginDemirbilek/NorthStarC2/; classtype:command-and-control; sid:14; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NORTHSTAR Command Response"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getresponse.php?slave="; startswith; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/R"; http.referer; content:"interact.php?slave="; content:"&sid="; distance:0; reference:url,github.com/EnginDemirbilek/NorthStarC2/; classtype:command-and-control; sid:15; rev:1;)

We basically just updated the signatures you sent over for Suricata
keywords (there are Snort versions of each of these rules as well; I
just picked the Suricata 5.x versions). We also found additional
signature opportunities in the pcap you sent over, so we added those
rules. We also made some minor performance-related tweaks so these
will run well across all the Suricata/Snort engines.

This was great work, thank you very much for submitting!

We always appreciate rule and pcap submissions; as always, feel free to
send any questions about signatures/pcap/etc. and we will do our best
to answer them!

JT
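As an added illustration (not code from the thread or from the NorthStar project), the following Python mirrors the detection logic of sid:11 and sid:12 above and runs it over constructed HTTP requests; the host name, session value and boundary suffix are made up, and header-name matching is case-sensitive like the rules' content matches.

```python
import re

# Base64 alternation copied from the rules' pcre, applied to the text after the URI prefix.
B64_RE = re.compile(
    r"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$")
# Content-Type prefix matched with startswith in sid:12 (the |3b| in the rule is ';').
CTYPE_PREFIX = "multipart/form-data; boundary=---------------------"

def parse_request(raw: bytes):
    """Split an HTTP/1.1 request head into (method, uri, {header: value}, raw header block)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name] = value.strip()          # case-sensitive, like the rules' content matches
    return method, uri, headers, "\r\n".join(header_lines) + "\r\n"

def northstar_checkin(raw: bytes) -> bool:
    """sid:11: GET /smanage.php?sid=<base64> sent without Referer and User-Agent headers."""
    method, uri, headers, _ = parse_request(raw)
    prefix = "/smanage.php?sid="
    if method != "GET" or not uri.startswith(prefix):
        return False
    if not B64_RE.match(uri[len(prefix):]):    # pcre anchored right after the prefix (/R)
        return False
    return "Referer" not in headers and "User-Agent" not in headers

def northstar_data_post(raw: bytes) -> bool:
    """sid:12: POST to exactly /getjuice.php (bsize:13), multipart Content-Type, Expect: 100-continue."""
    method, uri, headers, raw_hdrs = parse_request(raw)
    if method != "POST" or uri != "/getjuice.php":
        return False
    if not headers.get("Content-Type", "").startswith(CTYPE_PREFIX):
        return False
    if "\r\nExpect: 100-continue\r\n" not in "\r\n" + raw_hdrs:   # the |0d 0a|...|0d 0a| match
        return False
    return "Referer" not in headers and "User-Agent" not in headers

# Constructed sample requests (not taken from the submitted pcap): a bare check-in, the same
# request as a browser would send it, and a multipart upload to getjuice.php.
CHECKIN = (b"GET /smanage.php?sid=TWFjaGluZTAx HTTP/1.1\r\n"
           b"Host: c2.example.test\r\nConnection: Keep-Alive\r\n\r\n")
BROWSER = (b"GET /smanage.php?sid=TWFjaGluZTAx HTTP/1.1\r\n"
           b"Host: c2.example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n")
DATA_POST = (b"POST /getjuice.php HTTP/1.1\r\nHost: c2.example.test\r\n"
             + ("Content-Type: " + CTYPE_PREFIX + "8d7f\r\n").encode()
             + b"Content-Length: 0\r\nExpect: 100-continue\r\n\r\n")
```

The BROWSER sample shows why the negated http.header_names matches matter: the same URI with a User-Agent present does not fire sid:11.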

On Tue, May 19, 2020 at 7:12 AM Jason Taylor
<jastaylor () emergingthreats net> wrote:

Hi Hasan!

Thank you for the submission. We will take a look and get something
into QA for today.

JT

On Mon, May 18, 2020 at 8:22 PM hasan ekin dumanogullari
<ekinduman73 () gmail com> wrote:

Greetings!

A friend of mine recently released a new open-source command & control framework named "NorthStar", so I wanted to
be the first one to submit new rules :)

These rules should be enough for hunting default installations of NorthStar C2.
You can learn more about the architecture here:
https://github.com/EnginDemirbilek/NorthStarC2/wiki/Architecture

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible Compromise, NorthStar C2 Connection"; flow:established,to_server; content:"POST"; http_method; content:"/getjuice.php"; http_uri; classtype:trojan-activity; sid:x; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible Compromise, NorthStar C2 Connection"; flow:established,to_server; content:"POST"; http_method; content:"/smanage.php"; http_uri; classtype:trojan-activity; sid:100000001; rev:1;)

When the stager receives commands from the server it returns output to http://c2server/smanage.php

If that command is downloading a file from the compromised machine, then a POST request is made to 
http://c2server/getjuice.php


Also, a pcap is included.
NorthStar C2 only communicates via HTTP or HTTPS, so I strongly suggest using the http.request filter in Wireshark.

192.168.0.24 -> C2 Machine
192.168.0.26 -> Victim computer

This is my first time submitting so sorry for the issues :)

Author : Hasan Ekin Dumanoğulları
_______________________________________________
Emerging-sigs mailing list
Emerging-sigs () lists emergingthreats net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
