List: emerging-sigs
Subject: [Emerging-Sigs] Rule for rule developers. (Zeus/Chthonic)
From: attackdetectionteam <attackdetectionteam () gmail ! com>
Date: 2017-09-20 9:38:00
Message-ID: 8be061ef-278d-0435-1e19-d1c068539450 () gmail ! com
Good day.
A message for those who have sandboxes and who develop rules. How do
you feel about detecting content modifications using non-content
rules? That is, based on the triggering of rules that cannot be put
on a real-time sensor, write modified versions of faster rules that
contain content and are ready for high loads.
For example, there is a rule that allows you to detect a
Zeus/Chthonic payload. It matches the connection in which there is a
URI request that changes from time to time.
Beacon x:
/home/
Beacon x+1:
/a/
New Beacon :
/meta/
In the same way, you can extract various indicators of compromise.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
  msg:"ET TROJAN [PTsecurity] Zeus/Chthonic Payload (developers rule)"; \
  flow:established,to_client; \
  content:"200"; http_stat_code; \
  content:"Content-type: text/html"; nocase; http_header; \
  content:"X-Powered-By: PHP"; nocase; http_header; \
  file_data; content:!"MZ"; depth:20; \
  byte_extract:4,992,byte0; byte_extract:4,996,byte1; \
  byte_extract:4,1000,byte2; byte_extract:4,1004,byte3; \
  byte_test:4,!=,byte0,993; byte_test:4,!=,byte0,994; \
  byte_test:4,!=,byte0,995; byte_test:4,!=,byte0,996; \
  byte_test:4,!=,byte0,997; byte_test:4,!=,byte0,998; \
  byte_test:4,!=,byte0,999; byte_test:4,!=,byte0,1000; \
  byte_test:4,=,byte0,1008; byte_test:4,=,byte1,1012; \
  byte_test:4,=,byte2,1016; byte_test:4,=,byte3,1020; \
  pcre:"/[\x0e-\x19]{2}/"; \
  sid:10000377; rev:9;)
Beacons that match the rule for developers:
2017584 ET TROJAN Chthonic Checkin
2809653 ETPRO TROJAN Chthonic CnC Beacon 2
2810944 ETPRO TROJAN Chthonic CnC Beacon 4
2810099 ETPRO TROJAN Chthonic CnC Beacon 7
2811901 ETPRO TROJAN Chthonic CnC Beacon 8
2827282 ETPRO TROJAN Chthonic CnC Beacon 9
PCAP with new beacon:
https://www.dropbox.com/sh/mt72fig7oe09nqm/AAAj6AhvdDtE0kH1xJdboWbra?dl=0
Best regards.
John.
_______________________________________________
Emerging-sigs mailing list
Emerging-sigs@lists.emergingthreats.net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net
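The workflow John proposes, as an added example that is not code from the original post or from Emerging Threats: the slow "developers rule" above is re-implemented offline in Python (the HTTP header checks plus the byte_extract/byte_test/pcre chain over the response body), run over sandbox sessions, and each session it flags yields the request URI from which a fast content-based rule is generated. The request/response bytes are constructed here to satisfy the rule's structural tests; the POST method, the generated rule's shape and the sid range are assumptions for illustration, not the real ET signatures listed in the post.

```python
"""Offline mirror of the Zeus/Chthonic 'developers rule' (sid 10000377) and
the slow-rule -> fast-rule workflow from the post.  Added example; the HTTP
traffic below is constructed, not captured."""
import re
import struct


def body_matches_developers_rule(body: bytes) -> bool:
    """Payload part of the rule, everything from file_data onwards."""
    if len(body) < 1024:          # the byte_tests read up to offset 1023
        return False
    # content:!"MZ"; depth:20 -> reject a PE header in the first 20 bytes
    if b"MZ" in body[:20]:
        return False
    # byte_extract/byte_test default to big-endian; both sides of every
    # comparison use the same read, so endianness does not change the verdict
    u32 = lambda off: struct.unpack_from(">I", body, off)[0]
    byte0, byte1, byte2, byte3 = u32(992), u32(996), u32(1000), u32(1004)
    # byte_test:4,!=,byte0,993 .. 1000: the dword at 992 must not recur in
    # the next eight overlapping windows (rejects runs of one repeated value)
    if any(u32(off) == byte0 for off in range(993, 1001)):
        return False
    # byte_test:4,=,byteN,1008+4N: the 16 bytes at 992 repeat at 1008
    if (u32(1008), u32(1012), u32(1016), u32(1020)) != (byte0, byte1, byte2, byte3):
        return False
    # pcre:"/[\x0e-\x19]{2}/" evaluated on the file_data buffer
    return re.search(rb"[\x0e-\x19]{2}", body) is not None


def response_matches(raw: bytes) -> bool:
    """Header part of the rule (200, text/html, X-Powered-By: PHP) plus body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False
    status_line, *header_lines = head.split(b"\r\n")
    parts = status_line.split(b" ")
    if len(parts) < 2 or parts[1] != b"200":          # http_stat_code
        return False
    headers = b"\r\n".join(header_lines).lower()       # nocase
    if b"content-type: text/html" not in headers:
        return False
    if b"x-powered-by: php" not in headers:
        return False
    return body_matches_developers_rule(body)


def request_uri(raw_request: bytes) -> str:
    """Pull the request target from the first line of a raw HTTP request."""
    return raw_request.split(b"\r\n", 1)[0].split(b" ")[1].decode()


def fast_rule(uri: str, sid: int) -> str:
    """Hypothetical content-only beacon rule for a real-time sensor.
    Shape and sid are placeholders, not an ET signature."""
    return ('alert http $HOME_NET any -> $EXTERNAL_NET any ('
            f'msg:"Chthonic CnC Beacon (generated from {uri})"; '
            'flow:established,to_server; content:"POST"; http_method; '
            f'content:"{uri}"; http_uri; sid:{sid}; rev:1;)')


def triage(sessions, first_sid=1000001):
    """Run the slow rule over (request, response) pairs from a sandbox and
    emit one fast rule per session that matched."""
    rules = []
    for req, resp in sessions:
        if response_matches(resp):
            rules.append(fast_rule(request_uri(req), first_sid + len(rules)))
    return rules


# ---- constructed sample traffic ------------------------------------------
PREFIX = b"<html><body>beacon</body></html>".ljust(992, b" ")   # 992 bytes
BLOCK = bytes(range(16))             # 00..0f: contains the 0e 0f pair for the pcre
MATCHING_BODY = PREFIX + BLOCK + BLOCK            # 16-byte block repeats at 1008
PE_BODY = b"MZ" + PREFIX[2:] + BLOCK + BLOCK      # fails content:!"MZ"
NO_REPEAT_BODY = PREFIX + BLOCK + b"y" * 16       # fails the = byte_tests
RUN_BODY = PREFIX + b"\x01" * 32                  # fails the != byte_tests

HEAD_OK = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
           b"X-Powered-By: PHP/5.6.30\r\nContent-Length: 1024\r\n\r\n")
HEAD_NO_PHP = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 1024\r\n\r\n"
RESPONSE_OK = HEAD_OK + MATCHING_BODY
RESPONSE_NO_PHP = HEAD_NO_PHP + MATCHING_BODY
REQUEST_META = b"POST /meta/ HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
REQUEST_HOME = b"POST /home/ HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
SESSIONS = [(REQUEST_META, RESPONSE_OK), (REQUEST_HOME, RESPONSE_NO_PHP)]

if __name__ == "__main__":
    for rule in triage(SESSIONS):
        print(rule)
```

The structural checks are what make the original rule unsuitable for a busy sensor: sixteen byte_tests and a pcre run against every 200 text/html PHP response. The generated rule keys on the URI alone, which is cheap to match but goes stale as soon as the beacon path changes, which is exactly why the slow rule keeps running in the sandbox to harvest the next one.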