[Snort-sigs] Win.Trojan.WannaMine

Y M snort at outlook.com
Mon Feb 19 13:24:49 EST 2018


Hi,


Below rules are for detecting WannaMine C&C (excluding lateral movement), and file identity detection for PowerShell scripts. Pcap is available.


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WannaMine outbound connection attempt"; flow:to_server,established; content:"GET"; content:"/api.php?data="; fast_pattern:only; http_uri; content:!"Connection"; http_header; content:!"Accept"; http_header; content:!"Content"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:PowerShell/WannaMine; reference:url,https://otx.alienvault.com/pulse/5a7c5b0a6aefb6060f33f280; classtype:trojan-activity; sid:9000032; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WannaMine outbound connection attempt"; flow:to_server,established; content:"GET"; content:"/api.php?data="; fast_pattern:only; http_uri; content:"Connection|3A 20|Keep-Alive|0D 0A|"; http_header; content:!"Accept"; http_header; content:!"Content"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:PowerShell/WannaMine; reference:url,https://otx.alienvault.com/pulse/5a7c5b0a6aefb6060f33f280; classtype:trojan-activity; sid:9000033; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTITY Microsoft PowerShell script file download request"; flow:to_server,established; content:"GET"; http_method; content:".ps1"; fast_pattern:only; http_uri; pcre:"/\x2eps1([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.pwsh; flowbits:noalert; metadata:ruleset community, service http; classtype:misc-activity; sid:9000034; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE potential character manipulation in PowerShell script"; flow:to_client,established; file_data; content:"-split"; nocase; content:"foreach"; nocase; content:"convert"; nocase; content:"char"; nocase; content:"toint"; nocase; content:"tostring"; nocase; content:"set-item"; nocase; flowbits:isset,file.pwsh; metadata:ruleset community, service http; classtype:misc-activity; sid:9000035; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE potenital character manipulation in PowerShell script"; flow:to_client,established; file_data; content:"foreach"; nocase; content:"convert"; nocase; content:"char"; nocase; content:"toint"; nocase; content:"tostring"; nocase; content:"set-item"; nocase; flowbits:isset,file.pwsh; metadata:ruleset community, service http; classtype:misc-activity; sid:9000036; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft PowerShell script file attachment detected"; flow:to_server,established; content:".ps1"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eps1/i"; flowbits:set,file.pwsh; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:9000037; rev:1;)

Thanks.
YM

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20180219/1ace489f/attachment.html>


More information about the Snort-sigs mailing list