[Snort-sigs] Win.Trojan.WannaMine

Phillip Lee phillile at sourcefire.com
Tue Feb 20 07:14:08 EST 2018


Yaser,

Thanks for your submission. We will review the rules and get back to you when they're finished. 

Can you send along the pcaps that you have? 

Regards,
Phil Lee
Cisco Talos

> On Feb 19, 2018, at 1:24 PM, Y M via Snort-sigs <snort-sigs at lists.snort.org> wrote:
> 
> Hi,
> 
> Below rules are for detecting WannaMine C&C (excluding lateral movement), and file identity detection for PowerShell scripts. Pcap is available.
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WannaMine outbound connection attempt"; flow:to_server,established; content:"GET"; content:"/api.php?data="; fast_pattern:only; http_uri; content:!"Connection"; http_header; content:!"Accept"; http_header; content:!"Content"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:PowerShell/WannaMine <http://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:PowerShell/WannaMine>; reference:url,https://otx.alienvault.com/pulse/5a7c5b0a6aefb6060f33f280 <https://otx.alienvault.com/pulse/5a7c5b0a6aefb6060f33f280>; classtype:trojan-activity; sid:9000032; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WannaMine outbound connection attempt"; flow:to_server,established; content:"GET"; content:"/api.php?data="; fast_pattern:only; http_uri; content:"Connection|3A 20|Keep-Alive|0D 0A|"; http_header; content:!"Accept"; http_header; content:!"Content"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:PowerShell/WannaMine <http://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:PowerShell/WannaMine>; reference:url,https://otx.alienvault.com/pulse/5a7c5b0a6aefb6060f33f280 <https://otx.alienvault.com/pulse/5a7c5b0a6aefb6060f33f280>; classtype:trojan-activity; sid:9000033; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTITY Microsoft PowerShell script file download request"; flow:to_server,established; content:"GET"; http_method; content:".ps1"; fast_pattern:only; http_uri; pcre:"/\x2eps1([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.pwsh; flowbits:noalert; metadata:ruleset community, service http; classtype:misc-activity; sid:9000034; rev:1;)
> 
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE potential character manipulation in PowerShell script"; flow:to_client,established; file_data; content:"-split"; nocase; content:"foreach"; nocase; content:"convert"; nocase; content:"char"; nocase; content:"toint"; nocase; content:"tostring"; nocase; content:"set-item"; nocase; flowbits:isset,file.pwsh; metadata:ruleset community, service http; classtype:misc-activity; sid:9000035; rev:1;)
> 
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE potenital character manipulation in PowerShell script"; flow:to_client,established; file_data; content:"foreach"; nocase; content:"convert"; nocase; content:"char"; nocase; content:"toint"; nocase; content:"tostring"; nocase; content:"set-item"; nocase; flowbits:isset,file.pwsh; metadata:ruleset community, service http; classtype:misc-activity; sid:9000036; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft PowerShell script file attachment detected"; flow:to_server,established; content:".ps1"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eps1/i"; flowbits:set,file.pwsh; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:9000037; rev:1;)
> 
> Thanks.
> YM
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.snort.org <mailto:Snort-sigs at lists.snort.org>
> https://lists.snort.org/mailman/listinfo/snort-sigs <https://lists.snort.org/mailman/listinfo/snort-sigs>
> 
> Please visit http://blog.snort.org <http://blog.snort.org/> for the latest news about Snort!
> 
> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette <https://snort.org/faq/what-is-the-mailing-list-etiquette>
> 
> Visit the Snort.org <http://snort.org/> to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads <https://snort.org/downloads/#rule-downloads>">emerging threats</a>!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20180220/b4ed79a8/attachment-0001.html>


More information about the Snort-sigs mailing list