[Snort-sigs] Specific Office UAs with short URLs

Y M snort at outlook.com
Fri May 25 15:22:03 EDT 2018


Hi,

I have noticed this behavior with malicious documents retrieving the next-stage payload using the 'HEAD' and 'OPTIONS' HTTP methods, with very short URLs, and in some cases shortened URLs, including the Ammyy RAT rule sent earlier. Admittedly, the rules may be prone to FPs. Larger-scale testing would be nice. Pcaps are available.

# --------------------
# Date: 2018-05-16
# Title: Unexpected Office Network Traffic
# Reference: https://www.virustotal.com/#/file/d615a205d92898896b0f553a027ffd9b7b7cde0c29ebe0b1f9364e1cf2831236/detection, app.any.run/tasks/7375d12e-12f5-43e7-a868-ae1fb968e6df
# Tests: pcap

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Microsoft Office user-agent in HTTP request to shortened URL"; flow:to_server,established; urilen:<10; content:"OPTIONS"; http_method; content:"User-Agent: Microsoft Office "; fast_pattern:only; http_header; content:!"Accept"; http_header; pcre:"/User-Agent\x3a\sMicrosoft\sOffice\s(Protocol|Existence)\sDiscovery\x0d\x0a/H"; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/d615a205d92898896b0f553a027ffd9b7b7cde0c29ebe0b1f9364e1cf2831236/detection; reference:url,app.any.run/tasks/7375d12e-12f5-43e7-a868-ae1fb968e6df; classtype:misc-activity; sid:8000055; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Microsoft Office user-agent in HTTP request to shortened URL"; flow:to_server,established; urilen:<10; content:"HEAD"; http_method; content:"User-Agent: Microsoft Office "; fast_pattern:only; http_header; content:!"Accept"; http_header; content:!"Content-"; http_header; pcre:"/User-Agent\x3a\sMicrosoft\sOffice\s(Protocol|Existence)\sDiscovery\x0d\x0a/H"; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/d615a205d92898896b0f553a027ffd9b7b7cde0c29ebe0b1f9364e1cf2831236/detection; reference:url,app.any.run/tasks/7375d12e-12f5-43e7-a868-ae1fb968e6df; classtype:misc-activity; sid:8000056; rev:2;)

Thanks.
YM
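Added example, not part of YM's post or of the Snort project: a Python re-implementation of the matching conditions in sids 8000055 and 8000056 (method, urilen:<10, the fast-pattern content, the negated "Accept"/"Content-" headers and the pcre), run over constructed HTTP requests so the effect of each condition, and the cases each negation is there to exclude, can be seen without a pcap. The requests, host names and paths are constructed for illustration and are not taken from the referenced samples; the header buffer is an approximation of Snort's http_header buffer.

```python
# Added example: re-implements the matching conditions of the two Snort rules
# above (sids 8000055 and 8000056) in Python and runs them over constructed
# HTTP requests, so the effect of each condition can be seen without a pcap.
# All requests below are constructed for illustration; they are not taken from
# the referenced samples.
import re
from typing import Optional

# Equivalent of the rules' pcre with the /H (http_header) modifier.
UA_DISCOVERY = re.compile(
    rb"User-Agent\x3a\sMicrosoft\sOffice\s(Protocol|Existence)\sDiscovery\x0d\x0a"
)


def split_request(raw: bytes):
    """Return (method, uri, header_block) for a raw HTTP request.

    header_block approximates Snort's http_header buffer: the header lines
    after the request line, each terminated by CRLF.
    """
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, uri, _version = request_line.split(b" ", 2)
    header_block = b"".join(line + b"\r\n" for line in header_lines)
    return method, uri, header_block


def office_discovery_sid(raw: bytes) -> Optional[int]:
    """Return the sid that would fire on this request, or None."""
    method, uri, headers = split_request(raw)
    if method not in (b"OPTIONS", b"HEAD"):              # content:"OPTIONS" / "HEAD"; http_method
        return None
    if len(uri) >= 10:                                    # urilen:<10 (URI shorter than 10 bytes)
        return None
    if b"User-Agent: Microsoft Office " not in headers:   # fast_pattern content
        return None
    if b"Accept" in headers:                              # content:!"Accept"; http_header
        return None
    if not UA_DISCOVERY.search(headers):                  # pcre:"/.../H"
        return None
    if method == b"OPTIONS":
        return 8000055
    if b"Content-" in headers:                            # HEAD rule only: content:!"Content-"; http_header
        return None
    return 8000056


def build(method: bytes, uri: bytes, **fields: str) -> bytes:
    """Assemble a constructed request; header order follows keyword order."""
    lines = [method + b" " + uri + b" HTTP/1.1"]
    for name, value in fields.items():
        lines.append(name.replace("_", "-").encode() + b": " + value.encode())
    return b"\r\n".join(lines) + b"\r\n\r\n"


# Constructed samples (not real captures).
SAMPLES = {
    # Office probing a short URL before fetching the next stage: the shape both rules target.
    "options_short": build(b"OPTIONS", b"/", Host="example.test",
                           User_Agent="Microsoft Office Protocol Discovery"),
    "head_short": build(b"HEAD", b"/xq3", Host="example.test",
                        User_Agent="Microsoft Office Existence Discovery"),
    # Same UA but a long WebDAV-style path, as seen against document libraries:
    # urilen:<10 keeps this out of the alert.
    "options_long_path": build(b"OPTIONS", b"/sites/team/Shared%20Documents/", Host="intranet.test",
                               User_Agent="Microsoft Office Protocol Discovery"),
    # Short URI but an Accept header present: the negated content drops it.
    "options_with_accept": build(b"OPTIONS", b"/", Host="example.test",
                                 User_Agent="Microsoft Office Protocol Discovery", Accept="*/*"),
    # HEAD carrying a Content- header: excluded by the HEAD rule only.
    "head_with_content_length": build(b"HEAD", b"/a", Host="example.test",
                                      User_Agent="Microsoft Office Existence Discovery",
                                      Content_Length="0"),
    # An ordinary Office UA (not the Discovery agent) fails the pcre.
    "options_word_ua": build(b"OPTIONS", b"/", Host="example.test",
                             User_Agent="Microsoft Office Word 2014"),
    # Right UA and URI, wrong method.
    "get_short": build(b"GET", b"/", Host="example.test",
                       User_Agent="Microsoft Office Protocol Discovery"),
}


def evaluate_samples() -> dict:
    """Map each constructed sample name to the sid that fires (or None)."""
    return {name: office_discovery_sid(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, sid in evaluate_samples().items():
        print(f"{name:26s} -> {sid}")
```

Running the script prints one line per sample. The long-path and Accept-header cases are the ones that matter for the FP question raised above: Office's Protocol Discovery agent legitimately sends OPTIONS to document libraries, so the urilen and negated-header conditions, not the user-agent alone, are what keep those out of the alert.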