Snort mailing list archives

Specific Office UAs with short URLs


From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Fri, 25 May 2018 19:22:03 +0000

Hi,

I have noticed this behavior with malicious documents to retrieve the next stage payload using the 'HEAD' and 'OPTIONS' HTTP methods, with very short URLs, and in some cases shortened URLs, including the Ammyy RAT rule sent earlier. Admittedly, the rules may be prone to FPs. Larger-scale testing would be nice. Pcaps are available.

# --------------------
# Date: 2018-05-16
# Title: Unexpected Office Network Traffic
# Reference: https://www.virustotal.com/#/file/d615a205d92898896b0f553a027ffd9b7b7cde0c29ebe0b1f9364e1cf2831236/detection, app.any.run/tasks/7375d12e-12f5-43e7-a868-ae1fb968e6df
# Tests: pcap

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Microsoft Office user-agent in HTTP request to shortened URL"; flow:to_server,established; urilen:<10; content:"OPTIONS"; http_method; content:"User-Agent: Microsoft Office "; fast_pattern:only; http_header; content:!"Accept"; http_header; pcre:"/User-Agent\x3a\sMicrosoft\sOffice\s(Protocol|Existence)\sDiscovery\x0d\x0a/H"; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/d615a205d92898896b0f553a027ffd9b7b7cde0c29ebe0b1f9364e1cf2831236/detection; reference:url,app.any.run/tasks/7375d12e-12f5-43e7-a868-ae1fb968e6df; classtype:misc-activity; sid:8000055; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Microsoft Office user-agent in HTTP request to shortened URL"; flow:to_server,established; urilen:<10; content:"HEAD"; http_method; content:"User-Agent: Microsoft Office "; fast_pattern:only; http_header; content:!"Accept"; http_header; content:!"Content-"; http_header; pcre:"/User-Agent\x3a\sMicrosoft\sOffice\s(Protocol|Existence)\sDiscovery\x0d\x0a/H"; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/d615a205d92898896b0f553a027ffd9b7b7cde0c29ebe0b1f9364e1cf2831236/detection; reference:url,app.any.run/tasks/7375d12e-12f5-43e7-a868-ae1fb968e6df; classtype:misc-activity; sid:8000056; rev:2;)

Thanks.
YM
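The match conditions the two rules above encode (HEAD or OPTIONS method, URI shorter than 10 bytes, the Office "Protocol Discovery" / "Existence Discovery" user-agent, and no Accept or Content- header), reimplemented in Python over constructed HTTP requests so they can be exercised offline. This is an added example, not part of the original post or of the Snort ruleset; the sample requests, host names and helper names are constructed for it, and it approximates Snort's normalized header buffer and urilen semantics rather than reproducing them exactly.

```python
import re
from typing import Dict, Optional, Tuple

# Mirrors the pcre in the posted rules (applied to the HTTP header buffer):
# the Office "Protocol Discovery" / "Existence Discovery" user-agents, with
# the header line terminated by CRLF.
OFFICE_UA_RE = re.compile(
    rb"User-Agent\x3a\sMicrosoft\sOffice\s(Protocol|Existence)\sDiscovery\x0d\x0a"
)
OFFICE_UA_CONTENT = b"User-Agent: Microsoft Office "   # the content:/fast_pattern match
MAX_URI_LEN = 10                                        # urilen:<10 (strictly less than)

# Method -> (sid, header substrings that must be ABSENT), as in the two rules.
RULES = {
    b"OPTIONS": (8000055, (b"Accept",)),
    b"HEAD": (8000056, (b"Accept", b"Content-")),
}


def split_request(raw: bytes) -> Optional[Tuple[bytes, bytes, bytes]]:
    """Split a raw HTTP/1.x request into (method, uri, header_block).

    header_block is every header line after the request line, CRLF-terminated,
    which approximates what Snort's http_header / pcre /H buffer sees.
    Returns None if the request line is malformed.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        return None
    method, uri, _version = parts
    return method, uri, header_block + b"\r\n"


def match_rule(raw: bytes) -> Optional[int]:
    """Return the sid of the posted rule that would fire on this request, or None."""
    parsed = split_request(raw)
    if parsed is None:
        return None
    method, uri, headers = parsed
    if method not in RULES:
        return None                       # only HEAD and OPTIONS are covered
    sid, forbidden = RULES[method]
    if len(uri) >= MAX_URI_LEN:
        return None                       # urilen:<10 not satisfied
    if OFFICE_UA_CONTENT not in headers:
        return None                       # content:"User-Agent: Microsoft Office "
    if any(needle in headers for needle in forbidden):
        return None                       # content:!"Accept" (and !"Content-" for HEAD)
    if OFFICE_UA_RE.search(headers) is None:
        return None                       # pcre on the header buffer
    return sid


def scan(requests: Dict[str, bytes]) -> Dict[str, Optional[int]]:
    """Apply match_rule to a set of labelled requests and return label -> sid."""
    return {label: match_rule(raw) for label, raw in requests.items()}


# Constructed sample requests (not captured traffic); hosts use the .invalid TLD.
SAMPLE_REQUESTS = {
    # Office discovery probe to a 4-byte path with no Accept header: sid 8000055.
    "options_short": (
        b"OPTIONS /a1B HTTP/1.1\r\n"
        b"User-Agent: Microsoft Office Protocol Discovery\r\n"
        b"Host: short.example.invalid\r\n\r\n"
    ),
    # Same pattern with HEAD: sid 8000056.
    "head_short": (
        b"HEAD /x7Q HTTP/1.1\r\n"
        b"User-Agent: Microsoft Office Existence Discovery\r\n"
        b"Host: short.example.invalid\r\n"
        b"Connection: Keep-Alive\r\n\r\n"
    ),
    # Ordinary document-server probe: long URI, so urilen:<10 is not met.
    "head_long_uri": (
        b"HEAD /sites/team/Shared%20Documents/q2.docx HTTP/1.1\r\n"
        b"User-Agent: Microsoft Office Existence Discovery\r\n"
        b"Host: intranet.example.invalid\r\n\r\n"
    ),
    # Short URI but an Accept header is present, which the rules exclude.
    "head_with_accept": (
        b"HEAD /x7Q HTTP/1.1\r\n"
        b"User-Agent: Microsoft Office Existence Discovery\r\n"
        b"Accept: */*\r\n"
        b"Host: short.example.invalid\r\n\r\n"
    ),
    # GET is not covered by either rule.
    "get_short": (
        b"GET /x7Q HTTP/1.1\r\n"
        b"User-Agent: Microsoft Office Protocol Discovery\r\n"
        b"Host: short.example.invalid\r\n\r\n"
    ),
}

if __name__ == "__main__":
    for label, sid in scan(SAMPLE_REQUESTS).items():
        print(f"{label:18s} -> {sid if sid else 'no alert'}")
```

Two points this makes visible when tuning for false positives: the `content:!"Accept"` exclusion is a substring test over the whole header buffer, so any header containing that string (not only an Accept header) suppresses the alert, and the content matches are case-sensitive because the rules do not use `nocase`. The URI length here is the raw request-line length, whereas Snort measures the normalized URI buffer by default.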