Snort mailing list archives

Re: Koadic signatures


From: Matthew Mickel <mmickel () sourcefire com>
Date: Fri, 12 Jun 2020 10:52:48 -0400

Hi, Yaser-

Thanks for your submission.  We’ll test these rules and get back to you once we’ve finished.  Any PCAPs you can provide 
are greatly appreciated.  I hope that you are well.  Best,

Matt Mickel

On Jun 12, 2020, at 5:24 AM, Y M via Snort-sigs <snort-sigs () lists snort org> wrote:

Hello,

The signatures below are for the Koadic post-exploitation framework C&C. The chain looks something like: DOC | URL > Pull MSOLE2 (embedded .BAT files) > Pull another .BAT file > C&C to Koadic server (HTML/JS) > Drop executable. PCAPs available.

Snort 2:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE Koadic framework C&C outbound connection"; flow:to_server,established; content:"encoder:"; http_header; content:"shellchcp:"; http_header; metadata:ruleset community, service http; reference:url,attack.mitre.org/software/S0250; classtype:trojan-activity; sid:1000000; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE Koadic framework C&C outbound connection"; flow:to_server,established; content:"errdesc:"; http_header; content:"errno:"; http_header; content:"errname:"; http_header; content:"Referer:"; http_header; metadata:ruleset community, service http; reference:url,attack.mitre.org/software/S0250; classtype:trojan-activity; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE Koadic framework C&C download payload outbound connection"; flow:to_server,established; content:"X-UploadFileJob:"; fast_pattern:only; http_header; content:"Referer:"; http_header; pcre:"/X-UploadFileJob:\s(true|false)\x0d\x0a/H"; metadata:ruleset community, service http; reference:url,attack.mitre.org/software/S0250; classtype:trojan-activity; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE Koadic framework C&C outbound connection"; flow:to_server,established; content:"|5C|./mshtml,RunHTMLApplication"; fast_pattern:only; http_uri; content:"/html?"; http_uri; metadata:ruleset community, service http; reference:url,attack.mitre.org/software/S0250; classtype:trojan-activity; sid:1000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE Koadic framework C&C outbound connection"; flow:to_server,established; content:"=stage|3B|"; http_uri; content:"/html?"; http_uri; content:"Referer:"; http_header; metadata:ruleset community, service http; reference:url,attack.mitre.org/software/S0250; classtype:trojan-activity; sid:1000004; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE Koadic framework Windows host information exfiltration"; flow:to_server,established; content:"~~~Windows"; http_client_body; content:"~~~AMD"; distance:0; http_client_body; content:"~~~C:|5C|Users"; distance:0; http_client_body; metadata:ruleset community, service http; reference:url,attack.mitre.org/software/S0250; classtype:trojan-activity; sid:1000005; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE Windows route information exfiltration"; flow:to_server,established; content:"Interface List"; http_client_body; content:"IPv4 Route Table"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:1000006; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE Windows accounts information exfiltration"; flow:to_server,established; content:"NT AUTHORITY|5C|"; http_client_body; content:"CONSOLE LOGON"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:1000007; rev:1;)

Snort 3:

alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE Koadic framework C&C outbound connection"; flow:to_server,established; http_header; content:"encoder:"; content:"shellchcp:",fast_pattern; metadata:ruleset community; service:http; reference:url,attack.mitre.org/software/S0250; classtype:trojan-activity; sid:1000000; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE Koadic framework C&C outbound connection"; flow:to_server,established; http_header; content:"errdesc:",fast_pattern; content:"errno:"; content:"errname:"; content:"Referer"; metadata:ruleset community; service:http; reference:url,attack.mitre.org/software/S0250; classtype:trojan-activity; sid:1000001; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE Koadic framework C&C download payload outbound connection"; flow:to_server,established; http_header; content:"X-UploadFileJob:",fast_pattern; content:"Referer:"; metadata:ruleset community; service:http; reference:url,attack.mitre.org/software/S0250; classtype:trojan-activity; sid:1000002; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE Koadic framework C&C outbound connection"; flow:to_server,established; http_uri; content:"|5C|./mshtml,RunHTMLApplication",fast_pattern; content:"/html?"; metadata:ruleset community; service:http; reference:url,attack.mitre.org/software/S0250; classtype:trojan-activity; sid:1000003; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE Koadic framework C&C outbound connection"; flow:to_server,established; http_uri; content:"=stage|3B|"; content:"/html?"; http_header; content:"Referer:"; metadata:ruleset community; service:http; reference:url,attack.mitre.org/software/S0250; classtype:trojan-activity; sid:1000004; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE Koadic framework Windows host information exfiltration"; flow:to_server,established; http_client_body; content:"~~~Windows"; content:"~~~AMD",distance 0; content:"~~~C:|5C|Users",distance 0; metadata:ruleset community; service:http; reference:url,attack.mitre.org/software/S0250; classtype:trojan-activity; sid:1000005; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE Windows route information exfiltration"; flow:to_server,established; http_client_body; content:"Interface List"; content:"IPv4 Route Table"; metadata:ruleset community; service:http; classtype:trojan-activity; sid:1000006; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE Windows User and Groups information exfiltration"; flow:to_server,established; http_client_body; content:"NT AUTHORITY|5C|"; content:"CONSOLE LOGON"; metadata:ruleset community; service:http; classtype:trojan-activity; sid:1000007; rev:1; )

Thank you.
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset; make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
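To sanity-check what the submitted rules key on before a PCAP is available, here is an added example (not the poster's rules and not Snort) that re-implements each sid's content conditions over a raw HTTP request, splitting it into the same uri / header / client-body views the rules use. The sample requests are constructed from the rule strings, not captured Koadic traffic.

```python
import re

def split_request(raw: bytes):
    """Split a raw HTTP request into (uri, header block, body), a simplified
    stand-in for Snort's http_uri / http_header / http_client_body buffers."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    uri = parts[1] if len(parts) > 1 else b""
    return uri, headers + b"\r\n", body

def ordered(buf: bytes, *needles: bytes) -> bool:
    """Emulate chained content matches with distance:0 (each after the last)."""
    pos = 0
    for needle in needles:
        pos = buf.find(needle, pos)
        if pos < 0:
            return False
        pos += len(needle)
    return True

def koadic_sids(raw: bytes) -> set:
    """Return the sids from the thread whose conditions the request satisfies."""
    uri, hdr, body = split_request(raw)
    hits = set()
    if b"encoder:" in hdr and b"shellchcp:" in hdr:
        hits.add(1000000)
    if all(n in hdr for n in (b"errdesc:", b"errno:", b"errname:", b"Referer:")):
        hits.add(1000001)
    if b"Referer:" in hdr and re.search(rb"X-UploadFileJob:\s(true|false)\r\n", hdr):
        hits.add(1000002)                      # mirrors the /H pcre in sid 1000002
    if b"\\./mshtml,RunHTMLApplication" in uri and b"/html?" in uri:
        hits.add(1000003)                      # |5C| is a literal backslash
    if b"=stage;" in uri and b"/html?" in uri and b"Referer:" in hdr:
        hits.add(1000004)                      # |3B| is a literal semicolon
    if ordered(body, b"~~~Windows", b"~~~AMD", b"~~~C:\\Users"):
        hits.add(1000005)
    if b"Interface List" in body and b"IPv4 Route Table" in body:
        hits.add(1000006)
    if b"NT AUTHORITY\\" in body and b"CONSOLE LOGON" in body:
        hits.add(1000007)
    return hits

# Constructed samples (not captured traffic) built from the rule strings.
STAGE_REQUEST = (b"GET /html?id=stage; HTTP/1.1\r\nHost: c2.example\r\n"
                 b"Referer: http://c2.example/\r\n\r\n")
UPLOAD_REQUEST = (b"GET /y HTTP/1.1\r\nReferer: http://c2.example/\r\n"
                  b"X-UploadFileJob: true\r\n\r\n")
HOSTINFO_POST = (b"POST /x HTTP/1.1\r\nHost: c2.example\r\n\r\n"
                 b"~~~Windows 10~~~AMD64~~~C:\\Users\\victim")
```

Running the three constructed requests through `koadic_sids` should yield sids 1000004, 1000002 and 1000005 respectively, which is a quick way to confirm the rule logic before testing against real PCAPs.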
