
List:       emerging-sigs
Subject:    [Emerging-Sigs] Rule for rule developers. (Zeus/Chthonic)
From:       attackdetectionteam <attackdetectionteam () gmail ! com>
Date:       2017-09-20 9:38:00
Message-ID: 8be061ef-278d-0435-1e19-d1c068539450 () gmail ! com

Good day.
     A message for those who have sandboxes and who are developing 
rules. How do you look at detecting content modifications using 
non-content rules? That is, based on the triggering of rules that 
cannot be put on a real-time sensor, writing modified, faster rules 
that contain content and are ready for high loads.

     For example, there is a rule that allows you to detect a 
Zeus/Chthonic payload. It matches the connection in which there is a 
URI request that changes from time to time.

Beacon x:
/home/

Beacon x+1:
/a/

New Beacon :
/meta/

In the same way, you can extract various indicators of compromise.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Zeus/Chthonic Payload (developers rule)"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-type: text/html"; nocase; http_header; content:"X-Powered-By: PHP"; nocase; http_header; file_data; content:!"MZ"; depth:20; byte_extract:4,992,byte0; byte_extract:4,996,byte1; byte_extract:4,1000,byte2; byte_extract:4,1004,byte3; byte_test:4,!=,byte0,993; byte_test:4,!=,byte0,994; byte_test:4,!=,byte0,995; byte_test:4,!=,byte0,996; byte_test:4,!=,byte0,997; byte_test:4,!=,byte0,998; byte_test:4,!=,byte0,999; byte_test:4,!=,byte0,1000; byte_test:4,=,byte0,1008; byte_test:4,=,byte1,1012; byte_test:4,=,byte2,1016; byte_test:4,=,byte3,1020; pcre:"/[\x0e-\x19]{2}/"; sid:10000377; rev:9;)

Beacons that match the rule for developers:

2017584 ET TROJAN Chthonic Checkin
2809653 ETPRO TROJAN Chthonic CnC Beacon 2
2810944 ETPRO TROJAN Chthonic CnC Beacon 4
2810099 ETPRO TROJAN Chthonic CnC Beacon 7
2811901 ETPRO TROJAN Chthonic CnC Beacon 8
2827282 ETPRO TROJAN Chthonic CnC Beacon 9


PCAP with new beacon:
https://www.dropbox.com/sh/mt72fig7oe09nqm/AAAj6AhvdDtE0kH1xJdboWbra?dl=0

Best regards.
John.

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs@lists.emergingthreats.net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net
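As an added example (not the rule author's code, and not derived from the PCAP linked above): the checks of the developers rule re-implemented in Python, so the header and body logic can be tried offline against a captured response before a sensor is involved. It assumes that the byte_extract/byte_test offsets and the trailing pcre are evaluated against the decoded HTTP body (the file_data buffer), and that both sides of each byte_test use the same endianness, so comparing the raw 4-byte slices gives the same answer as comparing the extracted integers. The sample response is constructed for the example, not captured; the names first_failure, match_body, match_response and SAMPLE_BODY are chosen here.

```python
"""
Offline re-implementation of the Zeus/Chthonic "developers rule" above.
Added example, not the rule author's code. Assumes byte_extract/byte_test
offsets and the pcre apply to the decoded HTTP body (file_data buffer).
"""
import re
from typing import Optional

# Offsets copied from the rule's byte_extract / byte_test options.
EXTRACT_OFFSETS = (992, 996, 1000, 1004)   # byte0 .. byte3
SHIFTED_OFFSETS = range(993, 1001)         # byte0 must differ at each of these
REPEAT_OFFSETS = (1008, 1012, 1016, 1020)  # byte0 .. byte3 must recur here
MIN_BODY_LEN = REPEAT_OFFSETS[-1] + 4      # the last byte_test reads bytes 1020..1023
PCRE = re.compile(rb"[\x0e-\x19]{2}")      # pcre:"/[\x0e-\x19]{2}/"


def first_failure(body: bytes) -> Optional[str]:
    """Return the first rule option that fails on `body`, or None on a match."""
    # content:!"MZ"; depth:20;  -> "MZ" must not occur in the first 20 bytes
    if b"MZ" in body[:20]:
        return 'content:!"MZ"; depth:20'
    # byte_extract / byte_test fail when the offset lies beyond the buffer
    if len(body) < MIN_BODY_LEN:
        return "byte_test offset beyond body"
    byte0, byte1, byte2, byte3 = (body[o:o + 4] for o in EXTRACT_OFFSETS)
    # byte_test:4,!=,byte0,993 .. 1000 -> no shifted 4-byte window repeats byte0
    for off in SHIFTED_OFFSETS:
        if body[off:off + 4] == byte0:
            return f"byte_test:4,!=,byte0,{off}"
    # byte_test:4,=,byteN,1008/1012/1016/1020 -> 16-byte block at 992 recurs at 1008
    for name, val, off in zip(("byte0", "byte1", "byte2", "byte3"),
                              (byte0, byte1, byte2, byte3), REPEAT_OFFSETS):
        if body[off:off + 4] != val:
            return f"byte_test:4,=,{name},{off}"
    # pcre runs over the same file_data buffer (assumption stated in the lead-in)
    if PCRE.search(body) is None:
        return "pcre"
    return None


def match_body(body: bytes) -> bool:
    """True when every file_data option of the rule is satisfied."""
    return first_failure(body) is None


def match_response(raw: bytes) -> bool:
    """Apply the status/header options, then the body checks, to a raw HTTP
    response. flow:established,to_client is a stream-level test with no
    offline equivalent and is not modelled."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False
    status_line, _, headers = head.partition(b"\r\n")
    parts = status_line.split(b" ", 2)
    # content:"200"; http_stat_code;
    if len(parts) < 2 or parts[1] != b"200":
        return False
    lowered = headers.lower()
    # content:"Content-type: text/html"; nocase; http_header;
    # content:"X-Powered-By: PHP"; nocase; http_header;
    if b"content-type: text/html" not in lowered or b"x-powered-by: php" not in lowered:
        return False
    return match_body(body)


# Constructed sample (not captured traffic): a 16-byte block of distinct values
# at offset 992, repeated verbatim at 1008, inside an HTML-looking body that
# also carries two consecutive bytes in the \x0e-\x19 range.
_BLOCK = bytes(range(1, 17))
SAMPLE_BODY = (b"<html>" + b"\x10\x11" + b"A" * (992 - 8)
               + _BLOCK + _BLOCK + b"A" * 40)
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Content-Type: text/html\r\n"
                   b"X-Powered-By: PHP/5.6.31\r\n"
                   b"Content-Length: %d\r\n\r\n" % len(SAMPLE_BODY)
                   + SAMPLE_BODY)

if __name__ == "__main__":
    print("sample response matches:", match_response(SAMPLE_RESPONSE))
    broken = SAMPLE_BODY[:1008] + b"ZZZZ" + SAMPLE_BODY[1012:]
    print("repeat block broken ->", first_failure(broken))
```

first_failure names the option that rejected the body, which is the part worth keeping when tuning against a sandbox sample: when a new beacon stops matching, the returned string says which byte_test moved, and the offsets at the top of the file are the only thing to adjust. The header matching mirrors the rule's nocase substring semantics rather than parsing individual header fields.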

