List: emerging-sigs
Subject: Re: [Emerging-Sigs] Sigs for DoublePulsar based on honeypot traffic
From: James Emery-Callcott <jcallcott () emergingthreats ! net>
Date: 2017-09-25 22:30:54
Message-ID: CAMAH=Zi7iuVPv1gSN0fhNPJd_GoO1t_S0G=QdgCdFWOU4QKrnQ () mail ! gmail ! com
Thanks!
We'll take a look at this and run it through QA.
On Mon, Sep 25, 2017 at 6:09 PM, Attack Detection <attackdetectionteam@gmail.com> wrote:
> We see a lot of incoming SMB traffic on port 445 on our honeypots.
> Analysis showed that these are attempts to communicate with DoublePulsar
> backdoor and they are not detected by existing rules.
>
> Here is a pcap: https://packettotal.com/cgi-bin/view-analysis.cgi?id=1e02785c87baeb4db054f417eba05370
>
> And rule for detection:
> alert tcp any any -> $HOME_NET 445 (msg: "[PTsecurity] DoublePulsar Backdoor installation (with EternalBlue) or communication"; flow: to_server, established; content: "|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; byte_test: 2, >, 0x0008, 52, relative, little; pcre: "/\xFFSMB2\x00\x00\x00\x00.{52}(?:\x04|\x09|\x0A|\x0B|\x0C|\x0E|\x11)\x00/"; flowbits: set, SMB.Trans2.SubCommand.Unimplemented; reference: url, github.com/ptresearch/AttackDetection; classtype: attempted-admin; sid: 10001254; rev: 3;)
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs@lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
--
*James Emery-Callcott*
Security Researcher
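The posted rule keys on the SMBv1 header (|FF|SMB followed by command 0x32, the '2' in "SMB2", with NT status 0) and then on the 2-byte Trans2 subcommand 52 bytes past the end of that match, which is Setup[0] of a Trans2 request with SetupCount 1. The following script is an added example, not code from either poster or from the ptresearch repository: it builds a constructed Trans2 request, applies the rule's content, pcre and byte_test conditions to it in Python, and lets you check which subcommands would actually alert. One thing this surfaces from the rule text itself: the pcre alternation includes 0x04, but the byte_test requires the same value to exceed 0x0008, so a 0x04 subcommand satisfies the pcre and still does not alert. Field values in the constructed packet and the use of re.DOTALL are this example's assumptions.

```python
import re
import struct

# Trans2 subcommands listed in the posted rule's pcre alternation
UNIMPLEMENTED_TRANS2 = {0x04, 0x09, 0x0A, 0x0B, 0x0C, 0x0E, 0x11}

# The rule's content match: SMB_COM_TRANSACTION2 (0x32 == '2') with NT status 0,
# found right after the 4-byte NetBIOS session header (offset 4, depth 9).
SMB_TRANS2_MAGIC = b"\xffSMB2\x00\x00\x00\x00"

# The rule's pcre compiled for Python. re.DOTALL is an assumption of this example so
# the 52-byte skip also crosses a 0x0A byte; the posted rule carries no /s modifier.
RULE_PCRE = re.compile(
    rb"\xFFSMB2\x00\x00\x00\x00.{52}(?:\x04|\x09|\x0A|\x0B|\x0C|\x0E|\x11)\x00",
    re.DOTALL,
)

# Setup[0] (the Trans2 subcommand) in a Trans2 request with SetupCount = 1:
# 4 (NetBIOS) + 32 (SMB header) + 1 (WordCount) + 28 (fixed parameter words) = 65.
# The rule lands on the same byte: content ends at offset 13, plus 52 relative.
SUBCOMMAND_OFFSET = 65


def build_trans2_request(subcommand: int) -> bytes:
    """Constructed SMBv1 Trans2 request (NetBIOS + SMB header + parameter block).

    Test input only; TID/PID/UID/MID and flag values are arbitrary but well-formed.
    """
    smb_header = (
        b"\xffSMB"
        + b"\x32"                                            # Command: SMB_COM_TRANSACTION2
        + b"\x00\x00\x00\x00"                                # NT status: success
        + b"\x18"                                            # Flags
        + struct.pack("<H", 0xC007)                          # Flags2
        + b"\x00" * 2                                        # PIDHigh
        + b"\x00" * 8                                        # SecurityFeatures
        + b"\x00" * 2                                        # Reserved
        + struct.pack("<HHHH", 0x0800, 0xFEFF, 0x0008, 0x0040)  # TID, PID, UID, MID
    )
    params = struct.pack(
        "<HHHHBBHIHHHHHBB",
        0, 0,        # TotalParameterCount, TotalDataCount
        1, 0,        # MaxParameterCount, MaxDataCount
        0, 0,        # MaxSetupCount, Reserved
        0,           # Flags
        0,           # Timeout
        0,           # Reserved2
        0, 66,       # ParameterCount, ParameterOffset
        0, 0,        # DataCount, DataOffset
        1, 0,        # SetupCount, Reserved3
    ) + struct.pack("<H", subcommand)                         # Setup[0]: subcommand
    body = bytes([15]) + params + struct.pack("<H", 0)        # WordCount=15, ByteCount=0
    smb = smb_header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb        # NetBIOS session message


def trans2_subcommand(payload: bytes):
    """Return the Trans2 subcommand of an SMBv1 Trans2 request, or None if not one."""
    if payload[4:13] != SMB_TRANS2_MAGIC or len(payload) < SUBCOMMAND_OFFSET + 2:
        return None
    return struct.unpack_from("<H", payload, SUBCOMMAND_OFFSET)[0]


def pcre_matches(payload: bytes) -> bool:
    """The rule's pcre condition."""
    return RULE_PCRE.search(payload) is not None


def byte_test_passes(payload: bytes) -> bool:
    """The rule's byte_test: 2-byte little-endian value at the subcommand offset > 0x0008."""
    sub = trans2_subcommand(payload)
    return sub is not None and sub > 0x0008


def rule_alerts(payload: bytes) -> bool:
    """Every payload condition of the rule must hold for it to alert."""
    return pcre_matches(payload) and byte_test_passes(payload)


if __name__ == "__main__":
    # Walk the subcommand space and show which values the rule would alert on.
    for sub in sorted(UNIMPLEMENTED_TRANS2 | {0x01, 0x10}):
        pkt = build_trans2_request(sub)
        print(f"subcommand 0x{sub:02X}: pcre={pcre_matches(pkt)} "
              f"byte_test={byte_test_passes(pkt)} alert={rule_alerts(pkt)}")
```

Run it as-is and the table shows 0x04 matching the pcre but failing the byte_test; 0x01 (FIND_FIRST2) and 0x10 (GET_DFS_REFERRAL) fail the pcre. Feeding the same constructed packets through a local Suricata instance with the rule loaded is the natural next check before the rule goes into QA, since the engine's own offset handling and PCRE newline semantics are what finally decide.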