New C2 Framework NorthStar Rules

[hasan ekin dumanogullari via Snort-sigs <snort-sigs () lists snort org>]

Greetings!

A friend of mine recently released a new open-source command & control
framework named "NorthStar", so i wanted to be the first one to submit new
rules :)

These rules should be enough for hunting default installations of NorthStar
C2
You can learn more about the architecture here :
https://github.com/EnginDemirbilek/NorthStarC2/wiki/Architecture

alert tcp $HOME_NET any -> $EXTERNAL_NET any {msg:"Possible Compromise,
NorthStar C2 Connection"; flow:established,to_server; content"POST";
http_method; content:"/getjuice.php"; http_uri classtype:trojan-activity;
$id;x; rev:1;}

alert tcp $HOME_NET any -> $EXTERNAL_NET any {msg:"Possible Compromise,
NorthStar C2 Connection"; flow:established,to_server; content"POST";
http_method; content:"/smanage.php"; http_uri classtype:trojan-activity;
$id;100000001; rev:1;}

When the stager receives commands from the server it returns output to
http://c2server/smanage.php

If that command is downloading a file from the compromised machine, then a
POST request is made to http://c2server/getjuice.php


Also pcap included where
NorthStar C2 only communicates via HTTP or HTTPS so i strongly suggest
using http.request fiter on wireshark

192.168.0.24 -> C2 Machine
192.168.0.26 -> Victim computer

This is my first time submitting so sorry for the issues :)

Author : Hasan Ekin Dumanoğulları

Attachment: northc2.pcap
Description:

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!