[Snort-sigs] RAT sigs from CrowdStrike Report

Y M snort at ...3751...
Wed Jul 16 16:05:37 EDT 2014


So as soon as I started reading the CrowdStrike report (http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf) I tried writing sigs for what's in the report, only to find out later that it had the sigs written already (face-palm). Lesson of the day: RTFM.
Not sure if these are already in the current ruleset.

Here is my shot at it:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.4HRAT beacon request"; flow:to_server,established; content:"/search?"; http_uri; fast_pattern:only; pcre:"/\/search[0-9]{5}?/U"; content:"h1="; http_uri; content:"&h2="; http_uri; content:"&h3="; http_uri; content:"&h4="; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf; classtype:trojan-activity; sid:100234; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.3PARA RAT initial beacon request"; flow:to_server,established; content:"GET"; http_method; content:"/default/connect.aspx?"; http_uri; fast_pattern:only; content:"ID="; http_uri; content:"User-Agent|3A 20|Mozilla/4.0|20 28|compatible|3B 20|MSIE 6.0|3B 20|Windows NT 5.1|29|"; http_header; content:!"Accept|3A 20|"; http_header; content:!"Content-Type|3A 20|"; http_header; content:!"Content-Length|3A 20|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf; classtype:trojan-activity; sid:100235; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.3PARA RAT C2 registration"; flow:to_server,established; content:"POST"; http_method; content:"/default/connect.aspx?"; http_uri; fast_pattern:only; content:"ID="; http_uri; content:"User-Agent|3A 20|Mozilla/4.0|20 28|compatible|3B 20|MSIE 6.0|3B 20|Windows NT 5.1|29|"; http_header; content:!"Accept|3A 20|"; http_header; content:!"Content-Type|3A 20|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf; classtype:trojan-activity; sid:100236; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.3PARA RAT task request"; flow:to_server,established; content:"/getupdate/default.aspx?ID="; http_uri; fast_pattern:only; pcre:"/\x2fgetupdate\x2fdefault\x2easpx\x3fID=[0-9]{5}&para1=\x2d[0-9]{8,10}&para2=\x2d[0-9]{8,10}&para3=\x2d[0-9]{2}/U"; content:"User-Agent|3A 20|Mozilla/4.0|20 28|compatible|3B 20|MSIE 6.0|3B 20|Windows NT 5.1|29|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf; classtype:trojan-activity; sid:100237; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.HTTPCLIENT beacon request"; flow:to_server,established; content:"/MicrosoftUpdate/ShellEX/KB"; http_uri; fast_pattern:only; pcre:"/\x2fMicrosoftUpdate\x2fShellEX\x2fKB[0-9]{7}\x2fdefault\x2easpx\x3ftmp=/U"; content:"User-Agent|3A 20|Mozilla/4.0|20 28|compatible|3B 20|MSIE 6.0|3B 20|Windows NT 5.1|29|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf; classtype:trojan-activity; sid:100238; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.HTTPCLIENT C2 request"; flow:to_server,established; content:"/Microsoft/errorpost"; http_uri; fast_pattern:only; pcre:"/\x2fMicrosoft\x2ferrorpost[0-9]{7}\x2fdefault\x2easpx\x3ftmp=/U"; content:"User-Agent|3A 20|Mozilla/4.0|20 28|compatible|3B 20|MSIE 6.0|3B 20|Windows NT 5.1|29|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf; classtype:trojan-activity; sid:100239; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.HTTPCLIENT C2 request"; flow:to_server,established; content:"/MicrosoftUpdate/GetUpdate/KB"; http_uri; fast_pattern:only; pcre:"/\x2fMicrosoftUpdate\x2fGetUpdate\x2fKB[0-9]{7}\x2fdefault\x2easpx\x3ftmp=/U"; content:"User-Agent|3A 20|Mozilla/4.0|20 28|compatible|3B 20|MSIE 6.0|3B 20|Windows NT 5.1|29|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf; classtype:trojan-activity; sid:100240; rev:1;)
I guess some signatures can be made more generic.
YM
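An added example, not part of the post or of the CrowdStrike report: a small Python harness that applies the URI patterns of the 3PARA RAT task-request and HTTPCLIENT rules (sids 100237 to 100240) to constructed request lines, so the regexes can be checked offline before loading them into Snort. The content check stands in for Snort's fast-pattern stage and the regex for the pcre with the U modifier; the request lines are constructed to fit or miss the patterns and are not samples from the report. It also shows why a hex escape of `\x3a` in a pcre can never match a path separator.

```python
import re

# Rule table modelled on the Snort rules above: (sid, content prefilter, URI regex).
# The content string is the substring Snort would fast-pattern on; the regex is the
# pcre as it would match a normalized URI (the /U modifier in Snort).
RULES = [
    (100237, "/getupdate/default.aspx?ID=",
     re.compile(r"/getupdate/default\.aspx\?ID=[0-9]{5}"
                r"&para1=-[0-9]{8,10}&para2=-[0-9]{8,10}&para3=-[0-9]{2}")),
    (100238, "/MicrosoftUpdate/ShellEX/KB",
     re.compile(r"/MicrosoftUpdate/ShellEX/KB[0-9]{7}/default\.aspx\?tmp=")),
    (100239, "/Microsoft/errorpost",
     re.compile(r"/Microsoft/errorpost[0-9]{7}/default\.aspx\?tmp=")),
    (100240, "/MicrosoftUpdate/GetUpdate/KB",
     re.compile(r"/MicrosoftUpdate/GetUpdate/KB[0-9]{7}/default\.aspx\?tmp=")),
]

# Pitfall pattern: in PCRE, \x3a is ':' and \x2f is '/'. A pcre written with \x3a
# for the path separators therefore never matches a real URI path.
COLON_PATTERN = re.compile(r"\x3aMicrosoftUpdate\x3aShellEX\x3aKB[0-9]{7}")


def matching_sids(uri):
    """Return the sids whose content prefilter and URI regex both hit."""
    return [sid for sid, needle, pattern in RULES
            if needle in uri and pattern.search(uri)]


def colon_escape_matches(uri):
    """True if the \\x3a-escaped pattern matches; expected False for any path URI."""
    return COLON_PATTERN.search(uri) is not None


def scan(request_lines):
    """Map each request line's URI (second token) to the sids it would trigger."""
    return {line.split(" ")[1]: matching_sids(line.split(" ")[1])
            for line in request_lines}


# Constructed request lines (hypothetical, not captured traffic).
SAMPLE_REQUESTS = [
    "GET /getupdate/default.aspx?ID=12345&para1=-123456789&para2=-987654321&para3=-42 HTTP/1.1",
    "GET /MicrosoftUpdate/ShellEX/KB1234567/default.aspx?tmp=0 HTTP/1.1",
    "GET /Microsoft/errorpost1234567/default.aspx?tmp=0 HTTP/1.1",
    "GET /MicrosoftUpdate/GetUpdate/KB123/default.aspx?tmp=0 HTTP/1.1",  # too few digits
    "GET /search?q=snort HTTP/1.1",  # benign, should trigger nothing
]

if __name__ == "__main__":
    for uri, sids in scan(SAMPLE_REQUESTS).items():
        print(uri, "->", sids or "no match")
```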