PAW-PATRULES_MALWARES.rules
# KXK00OOkxxkO00KX0
# ,NXKxo:,'... ...';cdOXN:
# l;. ..,:ldxkOOOOOOkkxol:,.. .o
# dk lOOOOOOkkkkkkkkkkkOOOOOOx dk
# KNXOc. :0OkkkkkkkkkkkkkkkkkkkkkO0l. :kXNX
# x. .'ckOOkkkkkkkkkkkookkkkkkkkkkOOOl,. .k
# d. o0Okkkkkkkkkkkkk. okkkkkkkkkkOO0k x
# l. c0kkkkkkko. .ckk .kd..'xkkkkkk0x .o
# ;, ;0kkkkkkkc ;ko. .dk. :kkkkkk0l ':
# .l .OOkkkkkkkl. .lkocldkkl. 'xkkkkkOO, c.
# l o0kkkk:..'dkkk. .;okkkkkkkkk0x l
# .: .OOkkk; xk, .:kkkkkO0; ;.
# ;. :0kkkko;,cko :kkkk0d .:
# : oOkkkkkkkk .dkkk0k. :
# : dOkkkkkkk .:odxkkkkkOk. ;
# ; oOkkkkkkx:,,ckkkkkkkkkkOx. ,
# '. ;OOkkkkkkkkkkkkkkkkkOOc '
# ' .lOOkkkkkkkkkkkkkOOd. .
# . .lOOkkkkkkkkkOOo' ..
# ' .;dOOOkOOOx:. .
# .. .,lxo;. ..
# .. ..
#
# ____ ___ __ ____ _ _
#| _ \ / \ \ / / | _ \ __ _| |_ _ __ _ _| | ___ ___
#| |_) / _ \ \ /\ / / | |_) / _` | __| '__| | | | |/ _ \/ __|
#| __/ ___ \ V V / | __/ (_| | |_| | | |_| | | __/\__ \
#|_| /_/ \_\_/\_/ |_| \__,_|\__|_| \__,_|_|\___||___/
#
# IDS Rules for Suricata
# π Charles BLANC-ROLIN β ΅ - https://pawpatrules.fr - https://www.apssis.com - https://github.com/woundride
# Licence CC BY-NC-SA 4.0 : https://creativecommons.org/licenses/by-nc-sa/4.0/
# Malwares π₯
### Certificats TLS ###
# --- Static subject matches ---------------------------------------------------
# Every rule in this section inspects the server certificate as it is delivered
# to the internal client ($EXTERNAL_NET -> $HOME_NET, flow:to_client) and keys on
# literal substrings of the subject / issuer distinguished name.
# NOTE(review): sid:3300653 fires on any certificate whose subject merely contains
# "CN=localhost" (nocase, no other constraint) - expect hits on legitimate
# self-signed dev/test services; add exclusions before enabling on a broad sensor.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious TLS Certificate : CN=localhost"; flow:to_client, stateless; tls.cert_subject; content:"CN=localhost"; nocase; metadata:created_at 2021_05_14, updated_at 2022_12_03; sid:3300653; rev:5; classtype:trojan-activity;)
# NOTE(review): "L=AU" is a locality; the OpenSSL demo DN carries the country as
# "C=AU". Confirm the field against the referenced DFIR report - the plain
# C=AU / ST=Some-State / Internet Widgits variant is covered by sid:3300671 below.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious TLS Certificate - π Possible IceID C2 - Conti π Ransomware"; flow:to_client, stateless; tls.cert_subject; content:"CN=localhost"; nocase; content:"L=AU"; content:"ST=Some-State"; nocase; content:"O=Internet Widgits Pty Ltd"; fast_pattern; nocase; reference: url,https://thedfirreport.com/2021/05/12/conti-ransomware/; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.conti; metadata:created_at 2021_05_14, updated_at 2022_12_03; sid:3300654; rev:5; classtype:trojan-activity;)
# Same CN=localhost + Internet Widgits organisation, but required in the issuer
# as well as the subject (i.e. self-signed with the OpenSSL default organisation).
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Certificat TLS suspect - π Possible IceID C2- Sodinokibi π Ransomware"; flow:to_client, stateless; tls.cert_subject; content:"CN=localhost"; nocase; content:"O=Internet Widgits Pty Ltd"; nocase; tls.cert_issuer; content:"O=Internet Widgits Pty Ltd"; fast_pattern; nocase; reference: url,https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.revil; metadata:created_at 2021_05_14, updated_at 2022_12_03; sid:3300655; rev:5; classtype:trojan-activity;)
# msg typo: "TSL" should read "TLS" (left untouched here - editing msg is a rev bump).
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious TSL Certificate : CN=testexp"; flow:to_client, stateless; tls.cert_subject; content:"CN=testexp"; nocase; metadata:created_at 2021_09_08, updated_at 2022_12_03; sid:3300656; rev:2; classtype:trojan-activity;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious TLS certificate : CN=server.domain.com"; flow:to_client, stateless; tls.cert_subject; content:"CN=server.domain.com"; nocase; metadata:created_at 2021_07_29, updated_at 2022_12_03; sid:3300657; rev:3; classtype:trojan-activity;)
# NOTE(review): sid:3300658 is a superset of the Emotet rules sid:3300659 and
# sid:3300688 (both also require CN=example.com); every Emotet hit raises this
# generic alert too - intended as a catch-all, but account for it in alert triage.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious TLS Certificate : CN=example.com"; flow:to_client, stateless; tls.cert_subject; content:"CN=example.com"; nocase; metadata:created_at 2021_11_24, updated_at 2022_12_03; sid:3300658; rev:2; classtype:trojan-activity;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious TLS Certificate - Possible Emotet πΏ C2 Server"; flow:to_client, stateless; tls.cert_subject; content:"CN=example.com"; nocase; content:"L=London"; content:"ST=London"; content:"O=Global Security"; fast_pattern; content:"C=GB"; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet; metadata:created_at 2021_11_24, updated_at 2022_12_03; sid:3300659; rev:5; classtype:trojan-activity;)
# NOTE(review): identical detection logic to sid:3300653 above (same buffer, same
# content, same flow options) - each CN=localhost certificate raises both alerts;
# disable one of the two or merge them.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious TLS Certificate : CN=localhost"; flow:to_client, stateless; tls.cert_subject; content:"CN=localhost"; nocase; metadata:created_at 2022_02_15, updated_at 2022_12_03; sid:3300660; rev:2; classtype:trojan-activity;)
# Full BitTorrent-style subject DN; the Shodan reference shows how widespread the
# CN alone is, which is why the locality is the fast_pattern and all five fields
# are required.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious TLS Certificate - Possible malicious server linked to BlackByte Ransomware π"; flow:to_client, stateless; tls.cert_subject; content:"CN=BitTorrent"; nocase; content:"L=San Francisco"; fast_pattern; content:"ST=CA"; content:"O=BitTorrent"; content:"C=US"; reference: url,https://www.ic3.gov/Media/News/2022/220211.pdf; reference: url,https://www.shodan.io/search?query=ssl%3ACN%3DBitTorrent; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbyte; metadata:created_at 2022_02_15, updated_at 2022_12_03; sid:3300661; rev:2; classtype:trojan-activity;)
# --- Qbot: same TLD at the end of issuer and subject ---------------------------
# One rule per TLD. Each requires both the issuer and the subject buffer to start
# with "C=" and end with the TLD (startswith/endswith do the anchoring), and
# rejects issuers containing "CN=www.". sid:3300663 and sid:3300666 additionally
# whitelist a few legitimate CAs whose CN itself ends in that TLD.
# NOTE(review): the dot in "/CN=[a-z0-9]{1,}.*mobi/" is unescaped and so matches
# any character; harmless here because the "endswith" content does the real check.
# These rules use flow:established rather than the stateless form used above.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious TLS Certificate including .mobi TLD in issuer informations - Possible Qbot πΏ C2 Server"; flow:established,to_client; tls.cert_issuer; content:"C="; startswith; pcre:"/CN=[a-z0-9]{1,}.*mobi/"; content:".mobi"; endswith; content:!"CN=www."; tls.cert_subject; content:"C="; startswith; pcre:"/CN=[a-z0-9]{1,}.*net/"; content:".net"; endswith; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot; metadata:created_at 2022_03_24, updated_at 2023_06_26; sid:3300662; rev:2; classtype:trojan-activity;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious TLS Certificate including .net TLD in issuer informations - Possible Qbot πΏ C2 Server"; flow:established,to_client; tls.cert_issuer; content:!"CN=Entrust.net"; content:!"CN=SECOM Trust.net"; content:"C="; startswith; pcre:"/CN=[a-z0-9]{1,}.*net/"; content:".net"; endswith; content:!"CN=www."; tls.cert_subject; content:"C="; startswith; pcre:"/CN=[a-z0-9]{1,}.*net/"; content:".net"; endswith; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot; reference: url,https://ccadb-public.secure.force.com/mozilla/PublicAllIntermediateCerts; metadata:created_at 2022_03_24, updated_at 2023_06_26; sid:3300663; rev:3; classtype:trojan-activity;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious TLS Certificate including .org TLD in issuer informations - Possible Qbot πΏ C2 Server"; flow:established,to_client; tls.cert_issuer; content:"C="; startswith; pcre:"/CN=[a-z0-9]{1,}.*org/"; content:".org"; endswith; content:!"CN=www."; tls.cert_subject; content:"C="; startswith; pcre:"/CN=[a-z0-9]{1,}.*org/"; content:".org"; endswith; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot; metadata:created_at 2022_03_24, updated_at 2023_06_26; sid:3300664; rev:2; classtype:trojan-activity;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious TLS Certificate including .biz TLD in issuer informations - Possible Qbot πΏ C2 Server"; flow:established,to_client; tls.cert_issuer; content:"C="; startswith; pcre:"/CN=[a-z0-9]{1,}.*biz/"; content:".biz"; endswith; content:!"CN=www."; tls.cert_subject; content:"C="; startswith; pcre:"/CN=[a-z0-9]{1,}.*biz/"; content:".biz"; endswith; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot; metadata:created_at 2022_03_24, updated_at 2023_06_26; sid:3300665; rev:2; classtype:trojan-activity;)
# NOTE(review): metadata dates are inverted (updated_at 2023_06_23 precedes
# created_at 2023_06_26); the siblings of this family were created 2022_03_24.
# The torproject.org reference does not say how it relates to the rule - confirm
# with the author. The .com variant carries the largest whitelist because many
# legitimate CA names end in ".com".
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious TLS Certificate including .com TLD in issuer informations - Possible Qbot πΏ C2 Server"; flow:established,to_client; tls.cert_issuer; content:"C="; startswith; pcre:"/CN=[a-z0-9]{1,}.*com/"; content:".com"; endswith; content:!"CN=www."; content:!"CN=4fastssl.com"; content:!"CN=SSL.com"; content:!"CN=Izenpe.com"; content:!"CN=SSLs.com"; content:!"CN=example.com"; fast_pattern; tls.cert_subject; content:"C="; startswith; pcre:"/CN=[a-z0-9]{1,}.*com/"; content:".com"; endswith; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot; reference:url,https://www.torproject.org/; metadata:created_at 2023_06_26, updated_at 2023_06_23; sid:3300666; rev:11; classtype:trojan-activity;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious TLS Certificate including .info TLD in issuer informations - Possible Qbot πΏ C2 Server"; flow:established,to_client; tls.cert_issuer; content:"C="; startswith; pcre:"/CN=[a-z0-9]{1,}.*info/"; content:".info"; endswith; content:!"CN=www."; tls.cert_subject; content:"C="; startswith; pcre:"/CN=[a-z0-9]{1,}.*info/"; content:".info"; endswith; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot; reference: url,https://ccadb-public.secure.force.com/mozilla/PublicAllIntermediateCerts; metadata:created_at 2022_11_22, updated_at 2023_06_26; sid:3300667; rev:2; classtype:trojan-activity;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious TLS Certificate including .us TLD in issuer informations - Possible Qbot πΏ C2 Server"; flow:established,to_client; tls.cert_issuer; content:"C="; startswith; pcre:"/CN=[a-z0-9]{1,}.*us/"; content:".us"; endswith; content:!"CN=www."; tls.cert_subject; content:"C="; startswith; pcre:"/CN=[a-z0-9]{1,}.*us/"; content:".us"; endswith; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot; reference: url,https://ccadb-public.secure.force.com/mozilla/PublicAllIntermediateCerts; metadata:created_at 2023_02_10, updated_at 2023_06_26; sid:3300668; rev:2; classtype:trojan-activity;)
# NOTE(review): the issuer pattern is rendered here as "[email protected]" - that is the
# forge's e-mail obfuscation, not the rule text. As displayed the rule can only
# match that literal placeholder; fetch the raw file before deploying. The reference
# also points at the qakbot Malpedia entry while the msg attributes the certificate
# to BazarLoader - confirm which family is intended.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Default CapRover Open Source PaaS TLS Certificate - Possible BazarLoader πΏ C2 Server"; flow:established,to_client; tls.cert_issuer; content:"[email protected]"; endswith; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot; metadata:created_at 2022_03_24, updated_at 2022_05_20; sid:3300669; rev:2; classtype:trojan-activity;)
# Serial-number match: narrow (one certificate) and brittle once the operator
# re-issues; treat as a point IoC rather than a family signature.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Known π΄ββ οΈ TLS Certificate π observed on Trickbot πΏ C2 Server"; flow:established,to_client; tls.cert_serial; content:"97:c0:f9:19:7b:53:2a:9c"; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.trickbot; metadata:created_at 2022_04_02, updated_at 2022_09_23; sid:3300670; rev:3; classtype:trojan-activity;)
# OpenSSL demo DN (C=AU / ST=Some-State / O=Internet Widgits Pty Ltd) in both
# subject and issuer: this is what "openssl req" produces when the defaults are
# accepted, so self-signed lab and appliance certificates on internal networks
# will match as well - tune before enabling broadly.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious OpenSSL demo TLS Certificate with the same informations in subject and issuer including > Internet Widgits Pty Ltd - Possible Trickbot or BumbleBee πΏ C2 Server"; flow:established,to_client; tls.cert_subject; content:"C=AU"; content:"ST=Some-State"; content:"O=Internet Widgits Pty Ltd"; tls.cert_issuer; content:"C=AU"; content:"ST=Some-State"; content:"O=Internet Widgits Pty Ltd"; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.trickbot; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bumblebee; metadata:created_at 2022_04_02, updated_at 2022_12_06; sid:3300671; rev:3; classtype:trojan-activity;)
# --- Dridex: issuer ends with an unusual TLD ------------------------------------
# One rule per TLD, each a single "endswith" on tls.cert_issuer with no subject
# constraint. The rules are mutually exclusive (an issuer ends with one TLD).
# NOTE(review): the two-letter entries (.pm, .af, .im, .lr, .gw, .tp) are ordinary
# country-code TLDs and will also match legitimate issuers registered under them;
# the brand TLDs (.chase, .commbank, .statefarm) are far less likely to appear in
# a legitimate issuer CN, so those are the low-noise ones.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious TLS Certificate including .club TLD in issuer informations - Possible Dridex πΏ C2 Server"; flow:established,to_client; tls.cert_issuer; content:".club"; endswith; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.dridex; metadata:created_at 2022_04_02, updated_at 2022_04_02; sid:3300672; rev:1; classtype:trojan-activity;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious TLS Certificate including .pm TLD in issuer informations - Possible Dridex πΏ C2 Server"; flow:established,to_client; tls.cert_issuer; content:".pm"; endswith; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.dridex; metadata:created_at 2022_04_02, updated_at 2022_04_02; sid:3300673; rev:1; classtype:trojan-activity;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious TLS Certificate including .design TLD in issuer informations - Possible Dridex πΏ C2 Server"; flow:established,to_client; tls.cert_issuer; content:".design"; endswith; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.dridex; metadata:created_at 2022_04_02, updated_at 2022_04_02; sid:3300674; rev:1; classtype:trojan-activity;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious TLS Certificate including .af TLD in issuer informations - Possible Dridex πΏ C2 Server"; flow:established,to_client; tls.cert_issuer; content:".af"; endswith; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.dridex; metadata:created_at 2022_04_02, updated_at 2022_04_02; sid:3300675; rev:1; classtype:trojan-activity;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious TLS Certificate including .im TLD in issuer informations - Possible Dridex πΏ C2 Server"; flow:established,to_client; tls.cert_issuer; content:".im"; endswith; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.dridex; metadata:created_at 2022_04_02, updated_at 2022_04_02; sid:3300676; rev:1; classtype:trojan-activity;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious TLS Certificate including .gifts TLD in issuer informations - Possible Dridex πΏ C2 Server"; flow:established,to_client; tls.cert_issuer; content:".gifts"; endswith; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.dridex; metadata:created_at 2022_04_02, updated_at 2022_04_02; sid:3300677; rev:1; classtype:trojan-activity;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious TLS Certificate including .lr TLD in issuer informations - Possible Dridex πΏ C2 Server"; flow:established,to_client; tls.cert_issuer; content:".lr"; endswith; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.dridex; metadata:created_at 2022_04_02, updated_at 2022_04_02; sid:3300678; rev:1; classtype:trojan-activity;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious TLS Certificate including .gdn TLD in issuer informations - Possible Dridex πΏ C2 Server"; flow:established,to_client; tls.cert_issuer; content:".gdn"; endswith; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.dridex; metadata:created_at 2022_04_02, updated_at 2022_04_02; sid:3300679; rev:1; classtype:trojan-activity;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious TLS Certificate including .gw TLD in issuer informations - Possible Dridex πΏ C2 Server"; flow:established,to_client; tls.cert_issuer; content:".gw"; endswith; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.dridex; metadata:created_at 2022_04_02, updated_at 2022_04_02; sid:3300680; rev:1; classtype:trojan-activity;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious TLS Certificate including .tp TLD in issuer informations - Possible Dridex πΏ C2 Server"; flow:established,to_client; tls.cert_issuer; content:".tp"; endswith; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.dridex; metadata:created_at 2022_04_02, updated_at 2022_04_02; sid:3300681; rev:1; classtype:trojan-activity;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious TLS Certificate including .chase TLD in issuer informations - Possible Dridex πΏ C2 Server"; flow:established,to_client; tls.cert_issuer; content:".chase"; endswith; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.dridex; metadata:created_at 2022_04_02, updated_at 2022_04_02; sid:3300682; rev:1; classtype:trojan-activity;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious TLS Certificate including .commbank TLD in issuer informations - Possible Dridex πΏ C2 Server"; flow:established,to_client; tls.cert_issuer; content:".commbank"; endswith; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.dridex; metadata:created_at 2022_04_02, updated_at 2022_04_02; sid:3300683; rev:1; classtype:trojan-activity;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious TLS Certificate including .statefarm TLD in issuer informations - Possible Dridex πΏ C2 Server"; flow:established,to_client; tls.cert_issuer; content:".statefarm"; endswith; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.dridex; metadata:created_at 2022_04_02, updated_at 2022_04_02; sid:3300684; rev:1; classtype:trojan-activity;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious TLS Certificate including .foundation TLD in issuer informations - Possible Dridex πΏ C2 Server"; flow:established,to_client; tls.cert_issuer; content:".foundation"; endswith; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.dridex; metadata:created_at 2022_04_02, updated_at 2022_04_02; sid:3300685; rev:1; classtype:trojan-activity;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious TLS Certificate including .ngo TLD in issuer informations - Possible Dridex πΏ C2 Server"; flow:established,to_client; tls.cert_issuer; content:".ngo"; endswith; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.dridex; metadata:created_at 2022_04_02, updated_at 2022_04_02; sid:3300686; rev:1; classtype:trojan-activity;)
# Self-issued certificate impersonating GMail: "O=Google GMail" must appear in
# both the subject and the issuer, i.e. the impostor signed it itself.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Fake GMail TLS Certificate"; flow:to_client, stateless; tls.cert_subject; content:"CN=gmail.com"; content:"O=Google GMail"; fast_pattern; tls.cert_issuer; content:"O=Google GMail"; reference: url,https://thedfirreport.com/2022/04/25/quantum-ransomware/; metadata:created_at 2022_06_28, updated_at 2022_12_04; sid:3300687; rev:2; classtype:trojan-activity;)
# Refinement of sid:3300659: the same Emotet subject DN, plus the matching
# self-signed issuer and a JA3S server fingerprint. sid:3300659 (and the generic
# sid:3300658) fire on every hit of this rule as well; this one is the
# corroborating, higher-confidence alert.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Self signed TLS Certificate + JA3S seen in Windows 10 πͺ compromised by Emotet πΏ"; flow:to_client, stateless; tls.cert_subject; content:"CN=example.com"; nocase; content:"L=London"; content:"ST=London"; content:"O=Global Security"; fast_pattern; content:"C=GB"; ja3s.hash; content:"70999de61602be74d4b25185843bd18e"; tls.cert_issuer; content:"CN=example.com"; nocase; content:"L=London"; content:"ST=London"; content:"O=Global Security"; content:"C=GB"; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet; reference: url,https://beta.onyphe.io/docs/use-cases/discovering-an-unknown-infrastructure; metadata:created_at 2023_03_24, updated_at 2023_03_24; sid:3300688; rev:1; classtype:trojan-activity;)
# Self-signed "CN=blue.net" with a San Francisco DN, identical in subject and issuer.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious TLS Certificate - Possible Camaro Dragon π C2 Server"; flow:to_client, stateless; tls.cert_subject; content:"C=US"; nocase; content:"ST=CA"; content:"L=San Francisco"; content:"CN=blue.net"; tls.cert_issuer; content:"C=US"; nocase; content:"ST=CA"; content:"L=San Francisco"; content:"CN=blue.net"; reference:url,https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/; reference:url,https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/; metadata:created_at 2023_05_30, updated_at 2023_05_30; sid:3300689; rev:1; classtype:trojan-activity;)
# Placeholder DN (Someprovince / Sometown / O=none / webmaster@localhost) repeated
# in subject and issuer - the full seven-field match keeps this specific despite
# the CN=localhost component shared with sid:3300653.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious TLS Certificate - Possible Darkvision RAT π C2 Server"; flow:to_client, stateless; tls.cert_subject; content:"C=US"; nocase; content:"ST=Someprovince"; content:"L=Sometown"; content:"O=none"; content:"OU=none"; content:"CN=localhost"; content:"emailAddress=webmaster@localhost"; tls.cert_issuer; content:"C=US"; nocase; content:"ST=Someprovince"; content:"L=Sometown"; content:"O=none"; content:"OU=none"; content:"CN=localhost"; content:"emailAddress=webmaster@localhost"; reference:url,https://www.pcrisk.com/removal-guides/26678-darkvision-rat; reference:url,https://bazaar.abuse.ch/sample/56cb118f4caa1f3d0461faba24d9cb575843177b2a756622533ba00dbac10a2a/; reference:url,https://app.any.run/tasks/98e269e7-68e9-40b1-89e7-90745a119a0a/; reference:url,https://www.virustotal.com/gui/domain/pylox.petchx.com/relations; metadata:created_at 2023_05_30, updated_at 2023_05_30; sid:3300690; rev:1; classtype:trojan-activity;)
# --- Pattern-based DN matches (pcre) -------------------------------------------
# BianLian: C=, O= and OU= each hold a 16-character alphanumeric value in both
# subject and issuer. A 16-character country field is a strong signal on its own
# (the field conventionally holds a two-letter code).
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious TLS Certificate - Possible πΏ BianLian Ransomware π flow with C2 Server"; flow:established,to_client; tls.cert_issuer; content:"C="; startswith; pcre:"/C=[a-zA-Z0-9]{16}/"; pcre:"/O=[a-zA-Z0-9]{16}/"; pcre:"/OU=[a-zA-Z0-9]{16}/"; tls.cert_subject; content:"C="; startswith; pcre:"/C=[a-zA-Z0-9]{16}/"; pcre:"/O=[a-zA-Z0-9]{16}/"; pcre:"/OU=[a-zA-Z0-9]{16}/"; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bianlian; reference: url,https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/; reference: url,https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Trojan.Win64.BIANLIAN.B.go/; reference: url,https://blogs.blackberry.com/en/2022/10/bianlian-ransomware-encrypts-files-in-the-blink-of-an-eye; reference: url,https://decoded.avast.io/threatresearch/decrypted-bianlian-ransomware/; reference: url,https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a; metadata:attack_target Client_and_Server, signature_severity Major, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0011, mitre_tactic_name Command_and_Control, mitre_technique_id T1071.001, mitre_technique_name Application_Layer_Protocol_Web_Protocols, created_at 2023_06_30, updated_at 2024_02_21; sid:3300691; rev:7; classtype:command-and-control;)
# Rhadamanthys: the hex contents decode to "O=Self-signed certificate" and
# ": Self-signed certificate"; the CN is an IPv4 literal, and the second hex
# string must follow the CN (distance:0).
# NOTE(review): in "/CN=[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}/" the dots are
# unescaped, so any CN of seven or more digits also satisfies the pcre; the other
# literal fields keep this rule specific, but "\." would make the intent explicit.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious TLS Certificate - Possible πΏ Rhadamanthys InfoStealer πͺ flow with C2 Server"; flow:to_client, stateless; tls.cert_issuer; content:"C=XX"; content:"ST=N/A"; content:"L=N/A"; content:"|4f 3d 53 65 6c 66 2d 73 69 67 6e 65 64 20 63 65 72 74 69 66 69 63 61 74 65|"; fast_pattern; content:"CN="; pcre:"/CN=[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}/"; content:"|3a 20 53 65 6c 66 2d 73 69 67 6e 65 64 20 63 65 72 74 69 66 69 63 61 74 65|"; distance:0; tls.cert_subject; content:"C=XX"; content:"ST=N/A"; content:"L=N/A"; content:"|4f 3d 53 65 6c 66 2d 73 69 67 6e 65 64 20 63 65 72 74 69 66 69 63 61 74 65|"; content:"CN="; pcre:"/CN=[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}/"; content:"|3a 20 53 65 6c 66 2d 73 69 67 6e 65 64 20 63 65 72 74 69 66 69 63 61 74 65|"; distance:0; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys; reference: url,https://research.checkpoint.com/2023/from-hidden-bee-to-rhadamanthys-the-evolution-of-custom-executable-formats/; metadata:attack_target Client_and_Server, signature_severity Major, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0011, mitre_tactic_name Command_and_Control, mitre_technique_id T1071.001, mitre_technique_name Application_Layer_Protocol_Web_Protocols, created_at 2023_09_10, updated_at 2024_02_21; sid:3300692; rev:10; classtype:command-and-control;)
# Pikabot: issuer shaped like "C=XX, ST=XX, O=Word Word Inc., OU=, L=, CN=name.tld".
# NOTE(review): the fast_pattern is the three-byte "ST=", which occurs in most
# issuer DNs, so nearly every certificate reaches the full pcre evaluation of this
# rule (same in sid:3301116); a longer literal would be a better prefilter if the
# sampled certificates share one.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious TLS Certificate - Possible πΏ Pikabot πͺ flow with C2 Server"; flow:to_client, stateless; tls.cert_issuer; content:"C="; pcre:"/C=[A-Z]{2}/"; content:"ST="; fast_pattern; pcre:"/ST=[A-Z]{2}/"; content:"O="; pcre:"/O=[A-Z]{1}[a-z]{1,27} [A-Z]{1}[a-z]{1,27} Inc./"; content:"OU="; content:"L="; content:"CN="; pcre:"/CN=[a-z]{1,35}.[a-z]{2,5}/"; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.pikabot; metadata:attack_target Client_and_Server, signature_severity Major, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0011, mitre_tactic_name Command_and_Control, mitre_technique_id T1071.001, mitre_technique_name Application_Layer_Protocol_Web_Protocols, former_category MALWARE, malware_family Pikabot, created_at 2024_01_08, updated_at 2024_02_21; sid:3301113; rev:4; classtype:command-and-control;)
# NOTE(review): "\t" inside the character classes matches a TAB character. If the
# intent was to allow multi-word values ("Some State"), the class needs a literal
# space or "\s" instead - verify against captured DNs before relying on it.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious TLS Certificate - Possible πΏ QakBot / Qbot / Pikabot πͺ flow with C2 Server"; flow:to_client, stateless; tls.cert_subject; content:"C="; pcre:"/C=[A-Z]{2}/"; content:"OU="; pcre:"/OU=[a-zA-Z\t.]{3,35}/"; content:"CN="; pcre:"/CN=[a-z]{1,35}.[a-z]{2,5}/"; tls.cert_issuer; content:"C="; pcre:"/C=[A-Z]{2}/"; content:"ST="; fast_pattern; pcre:"/ST=[A-Z]{2}/"; content:"L="; pcre:"/L=[a-zA-Z\t.]{3,35}/"; content:"O="; pcre:"/O=[a-zA-Z\t.]{3,35}/"; content:"CN="; pcre:"/CN=[a-z]{1,35}.[a-z]{2,5}/"; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.pikabot; metadata:attack_target Client_and_Server, signature_severity Major, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0011, mitre_tactic_name Command_and_Control, mitre_technique_id T1071.001, mitre_technique_name Application_Layer_Protocol_Web_Protocols, former_category MALWARE, malware_family QakBot,created_at 2024_01_11, updated_at 2024_03_07; sid:3301116; rev:8; classtype:command-and-control;)
# Havoc / Sliver: the default Sliver server certificate template (see the
# subject.go reference) - "street" and a four-digit postalCode attribute, IPv4
# literal CN, identical subject and issuer. Same "\t" caveat as above applies to
# the ST= and L= classes.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious TLS Certificate - Possible πΏ Havoc / Havokiz / Sliver πͺ flow with C2 Server"; flow:to_client, stateless; tls.cert_subject; content:"C=US"; content:"ST="; pcre:"/ST=[a-zA-Z\t]{0,15}/"; content:"L="; pcre:"/L=[a-zA-Z\t]{0,35}/"; content:"street"; content:"postalCode="; fast_pattern; pcre:"/postalCode=[0-9]{4}/"; content:"CN="; pcre:"/CN=[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}/"; tls.cert_issuer; content:"C=US"; content:"ST="; pcre:"/ST=[a-zA-Z\t]{0,15}/"; content:"L="; pcre:"/L=[a-zA-Z\t]{0,35}/"; content:"street"; content:"postalCode="; pcre:"/postalCode=[0-9]{4}/"; content:"CN="; pcre:"/CN=[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}/"; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.havoc; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.sliver; reference: url,https://github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; reference: url,https://attack.mitre.org/techniques/T1071/001/; metadata:attack_target Client_and_Server, signature_severity Major, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0011, mitre_tactic_name Command_and_Control, mitre_technique_id T1071.001, mitre_technique_name Application_Layer_Protocol_Web_Protocols, former_category MALWARE, malware_family Havoc, created_at 2024_01_11, updated_at 2024_02_21; sid:3301117; rev:15; classtype:command-and-control;)
# Quasar RAT: hard-coded "CN=Quasar Server CA" as both issuer and subject.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious TLS Certificate - Possible πΏ Quasar Rat πͺ flow with C2 Server"; flow:to_client, stateless; tls.cert_issuer; content:"CN=Quasar Server CA"; fast_pattern; tls.cert_subject; content:"CN=Quasar Server CA"; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat; metadata:attack_target Client_and_Server, signature_severity Major, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0011, mitre_tactic_name Command_and_Control, mitre_technique_id T1071.001, mitre_technique_name Application_Layer_Protocol_Web_Protocols, former_category MALWARE, malware_family QuasarRat, created_at 2024_01_12, updated_at 2024_02_21; sid:3301118; rev:3; classtype:command-and-control;)
# ZeroSSL-issued certificate whose subject CN is an IPv4 literal. ZeroSSL issues
# such certificates to anyone, so this is hygiene/enrichment (classtype
# bad-unknown) rather than a malware signature; expect legitimate hits.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious Zero SSL Certificate for public ip address"; flow:to_client, stateless; tls.cert_issuer; content:"C=AT"; content:"O=ZeroSSL"; content:"CN=ZeroSSL RSA Domain Secure Site CA"; fast_pattern; tls.cert_subject; content:"CN="; pcre:"/CN=[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}/"; reference: url,https://zerossl.com/; metadata:created_at 2024_01_13, updated_at 2024_02_21; sid:3301120; rev:2; classtype:bad-unknown;)
# Point IoC: two literal IP addresses in the issuer and subject CN plus a stolen-
# looking organisation DN. Will stop matching as soon as the infrastructure moves;
# the generic Internet Widgits rule sid:3300671 does not cover this one because
# the subject here is not the OpenSSL demo DN.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious TLS Certificate - Possible πΏ Bumblebee π πͺ flow with C2 Server"; flow:to_client, stateless; tls.cert_issuer; content:"C=AU"; content:"ST=Some-State"; content:"O=Internet Widgits Pty Ltd"; fast_pattern; content:"CN=34.100.235.191"; tls.cert_subject; content:"C=IN"; content:"ST=KA"; content:"L=BA"; content:"O=Vunet Systems Pvt Ltd"; content:"OU=Development"; content:"CN=35.244.34.163"; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bumblebee; metadata:attack_target Client_and_Server, signature_severity Major, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0011, mitre_tactic_name Command_and_Control, mitre_technique_id T1071.001, mitre_technique_name Application_Layer_Protocol_Web_Protocols, former_category MALWARE, malware_family Bumblebee, created_at 2024_02_14, updated_at 2024_02_21; sid:3301128; rev:3; classtype:command-and-control;)
# Vidar: subject and issuer consist of nothing but an IPv4-literal CN (every other
# DN attribute is negated).
# NOTE(review): because the dots in the pcre are unescaped, a bare CN of seven or
# more digits also matches; "/CN=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/"
# pins it to dotted-quad form without losing any true IP-in-CN match.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious TLS Certificate - Possible πΏ Vidar Stealer πͺ flow with C2 Server"; flow:to_client, stateless; tls.cert_issuer; content:"CN="; fast_pattern; pcre:"/CN=[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}/"; content:!"C="; content:!"ST="; content:!"O="; content:!"OU="; content:!"L="; tls.cert_subject; content:"CN="; pcre:"/CN=[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}/"; content:!"C="; content:!"ST="; content:!"O="; content:!"OU="; content:!"L="; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar; metadata:attack_target Client_and_Server, signature_severity Major, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0006, mitre_tactic_name Credential_Access, former_category MALWARE, malware_family Vidar_Stealer, created_at 2024_02_14, updated_at 2024_02_21; sid:3301129; rev:3; classtype:credential-theft;)
# DcRat: the tool's default server-certificate DN (author handle in OU/O).
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious TLS Certificate - Possible πΏ DcRat πͺ flow with C2 Server"; flow:to_client, stateless; tls.cert_issuer; content:"CN=DcRat Server"; content:"OU=qwqdanchun"; content:"O=DcRat By qwqdanchun"; fast_pattern; content:"L=SH"; content:"C=CN"; tls.cert_subject; content:"CN=DcRat"; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat; metadata:attack_target Client_and_Server, signature_severity Major, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0011, mitre_tactic_name Command_and_Control, mitre_technique_id T1071.001, mitre_technique_name Application_Layer_Protocol_Web_Protocols, former_category MALWARE, malware_family DcRat, created_at 2024_02_15, updated_at 2024_02_21; sid:3301130; rev:2; classtype:command-and-control;)
# Bumblebee variant with the Internet Widgits organisation (here C=US, not C=AU,
# so sid:3300671 does not overlap) and a wildcard "CN=*.malware.com".
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious TLS Certificate - Possible πΏ Bumblebee π πͺ flow with C2 Server"; flow:to_client, stateless; tls.cert_issuer; content:"C=US"; content:"ST=Some-State"; content:"O=Internet Widgits Pty Ltd"; fast_pattern; content:"CN=*.malware.com"; tls.cert_subject; content:"ST=Some-State"; content:"O=Internet Widgits Pty Ltd"; content:"CN=*.malware.com"; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bumblebee; metadata:attack_target Client_and_Server, signature_severity Major, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0011, mitre_tactic_name Command_and_Control, mitre_technique_id T1071.001, mitre_technique_name Application_Layer_Protocol_Web_Protocols, former_category MALWARE, malware_family Bumblebee, created_at 2024_02_18, updated_at 2024_02_21; sid:3301140; rev:2; classtype:command-and-control;)
# Bare "CN=Microsoft" with no other DN attribute in subject or issuer. No reference
# or malware_family is recorded for this one - note the source when it is known.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious TLS Certificate - Possible Malicious πͺ flow to C2 Server"; flow:to_client, stateless; tls.cert_issuer; content:"CN=Microsoft"; fast_pattern; content:!"C="; content:!"ST="; content:!"O="; content:!"OU="; content:!"L="; tls.cert_subject; content:"CN=Microsoft"; content:!"C="; content:!"ST="; content:!"O="; content:!"OU="; content:!"L="; metadata:attack_target Client_and_Server, signature_severity Major, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0011, mitre_tactic_name Command_and_Control, mitre_technique_id T1071.001, mitre_technique_name Application_Layer_Protocol_Web_Protocols, former_category MALWARE, created_at 2024_02_21, updated_at 2024_02_21; sid:3301142; rev:2; classtype:command-and-control;)
# NOTE(review): on tls.cert_subject the anchored pcre "/^O=[a-zA-Z]{10}$/" requires
# the whole subject buffer to be exactly the ten-letter O= value, while the next
# content requires "OU=CONTROL" in that same buffer - as written the two look
# mutually exclusive and the rule would never fire. Verify with a Pupy pcap; if
# confirmed, drop the anchors (e.g. "/(^|, )O=[a-zA-Z]{10}(,|$)/") and bump rev.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious TLS Certificate - Possible πΏ Pupy π Python RAT πͺ flow with C2 Server"; flow:to_client, stateless; tls.cert_issuer; content:"O="; pcre:"/^O=[a-zA-Z]{10}$/"; tls.cert_subject; content:"O="; pcre:"/^O=[a-zA-Z]{10}$/"; content:"OU=CONTROL"; fast_pattern; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.pupy; reference: url,https://github.com/n1nj4sec/pupy; metadata:attack_target Client_and_Server, signature_severity Major, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0011, mitre_tactic_name Command_and_Control, mitre_technique_id T1071.001, mitre_technique_name Application_Layer_Protocol_Web_Protocols, former_category MALWARE, malware_family Pupy, created_at 2024_02_21, updated_at 2024_02_21; sid:3301143; rev:2; classtype:command-and-control;)
### HTTP Connections ###
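# --- HTTP request / response heuristics (sticky buffers: http.method, http.uri,
# http.host.raw, http.user_agent, http.header(.raw), http.request_body,
# http.response_body, file.data). ---
# sid 3300693: GET whose request contains "/svchost.dll" - a Cobalt Strike payload name
#   observed in an IcedID intrusion (see the ISC diary reference).
alert http any any -> $EXTERNAL_NET any (msg:"πΎ - π Suspicious svchost.dll downloading via HTTP - Possible πΏ Cobalt Strike payload download πΎ - Seen in IcedID attack"; flow:to_server, stateless; http.method; content:"GET"; content:"/svchost.dll"; fast_pattern; reference: url,https://isc.sans.edu/diary//28884; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid; metadata:created_at 2022_08_03, updated_at 2022_12_03; sid:3300693; rev:2; classtype:trojan-activity;)
# sid 3300694: Host header of the domain planted in the cloned GitHub repositories
#   described in the reference; limited to one alert per source per hour.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π HTTP connection to malicious url seen in more 35K Github repositories"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 3600; http.host.raw; content:"ovz1.j19544519.pr46m.vps.myjino.ru"; reference:url,https://twitter.com/stephenlacy/status/1554697077430505473; metadata:created_at 2022_08_03, updated_at 2022_08_03; sid:3300694; rev:1; classtype:trojan-activity;)
# sid 3300695 / 3300696 / 3300697: Hoaxshell / Villain session polling from a PowerShell
#   user-agent - a header value shaped xxxxxxxx-xxxxxxxx-xxxxxxxx carried in
#   Authorization (3300695), in a default "X-xxxx-xxxx" header (3300696) or in any other
#   custom header (3300697). Each one needs 5 hits in 10 s from the same source, so a
#   single request never alerts; the polling loop does.
alert http $HOME_NET any -> any any (msg:"πΎ - π Malicious HTTP πͺ Windows connection to π¦Ή Villain C2 or Hoaxshell with -Authorization- http.header"; flow:to_server, stateless; threshold: type threshold, track by_src, count 5, seconds 10; http.header.raw; content:"Authorization: "; pcre:"/Authorization: [a-z0-9]{8}-[a-z0-9]{8}-[a-z0-9]{8}/"; http.user_agent; content:"WindowsPowerShell/"; fast_pattern; nocase; http.method; content:"GET"; http.uri; content:"/"; startswith; pcre:"/[a-z0-9]{8}/"; http.protocol; content:"HTTP/1.1"; reference:url,https://github.com/t3l3machus/hoaxshell; reference:url,https://github.com/t3l3machus/Villain; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_12_02, updated_at 2022_12_04; sid:3300695; rev:20; classtype:trojan-activity;)
alert http $HOME_NET any -> any any (msg:"πΎ - π Malicious HTTP πͺ Windows connection to π¦Ή Hoaxshell C2 with default http.header"; flow:to_server, stateless; threshold: type threshold, track by_src, count 5, seconds 10; http.header.raw; content:"X-"; pcre:"/X-[a-z0-9]{4}-[a-z0-9]{4}/"; content:"|3a 20|"; pcre:"/[a-z0-9]{8}-[a-z0-9]{8}-[a-z0-9]{8}/"; http.user_agent; content:"WindowsPowerShell/"; fast_pattern; nocase; http.method; content:"GET"; http.uri; content:"/"; startswith; pcre:"/[a-z0-9]{8}/"; reference:url,https://github.com/t3l3machus/hoaxshell; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_12_04, updated_at 2022_12_04; sid:3300696; rev:8; classtype:trojan-activity;)
alert http $HOME_NET any -> any any (msg:"πΎ - π Malicious HTTP πͺ Windows connection to π¦Ή Hoaxshell C2 with custom http.header"; flow:to_server, stateless; threshold: type threshold, track by_src, count 5, seconds 10; http.header.raw; content:!"X-"; content:!"Authorization: "; content:"|3a 20|"; pcre:"/[a-z0-9]{8}-[a-z0-9]{8}-[a-z0-9]{8}/"; http.user_agent; content:"WindowsPowerShell/"; fast_pattern; nocase; http.method; content:"GET"; http.uri; content:"/"; startswith; pcre:"/[a-z0-9]{8}/"; reference:url,https://github.com/t3l3machus/hoaxshell; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_12_04, updated_at 2022_12_04; sid:3300697; rev:3; classtype:trojan-activity;)
# sid 3300698 / 3300699: Zerobot stager fetch - URI starting "/bins/zero.<suffix>" with a
#   Wget or curl user-agent. The TFTP variant of the same download is sid 3300730.
alert http $HOME_NET any -> any any (msg:"πΎ - π HTTP Zerobot π€ π§ script downloading (wget)"; flow:to_server, stateless; http.user_agent; content:"Wget/"; nocase; http.uri; content:"/bins/zero."; fast_pattern; startswith; pcre:"/[a-z0-9]{3,}/i"; reference:url,https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities; metadata:created_at 2022_12_07, updated_at 2022_12_07; sid:3300698; rev:2; classtype:trojan-activity;)
alert http $HOME_NET any -> any any (msg:"πΎ - π HTTP Zerobot π€ π§ script downloading (curl)"; flow:to_server, stateless; http.user_agent; content:"curl/"; nocase; http.uri; content:"/bins/zero."; fast_pattern; startswith; pcre:"/[a-z0-9]{3,}/i"; reference:url,https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities; metadata:created_at 2022_12_07, updated_at 2022_12_07; sid:3300699; rev:2; classtype:trojan-activity;)
# sid 3300700: Host header is a bare IPv4 literal (established flow, client -> server).
#   NOTE(review): the three negated "endswith" exclusions are evaluated on http.uri, not
#   on the host buffer, so with an IP-literal host they are unlikely to suppress anything;
#   confirm which buffer the allowlist was meant for. Also, fast_pattern sits on a
#   negated content, which gives the prefilter nothing to select on - confirm intended.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π HTTP direct request to public IP address π"; flow:established,to_server; http.host.raw; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.uri; content:!"microsoft.com"; endswith; content:!"windowsupdate.com"; fast_pattern; endswith; content:!"office.net"; endswith; metadata:created_at 2022_12_07, updated_at 2024_02_19; sid:3300700; rev:5; classtype:bad-unknown;)
# sid 3300701: Raspberry Robin second stage - a GET to port 8080 whose whole user-agent is
#   exactly "Windows Installer" (depth 17 + endswith). Stray ")" dropped from the msg
#   text; rev bumped 3 -> 4 (set updated_at when this ships).
alert http $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"πΎ - π¨ Possible Raspberry Robin Worm π second stage download πΎ"; flow:to_server, stateless; http.method; content:"GET"; http.user_agent; content:"Windows Installer"; depth:17; endswith; fast_pattern; reference:url,https://www.senseon.io/resource/resurgent-usb-malware-battling-raspberry-robin/; metadata:created_at 2023_05_18, updated_at 2023_06_05; sid:3300701; rev:3; classtype:trojan-activity;)
# sid 3300702: Raccoon Stealer v2 check-in - "DuckTales" user-agent, POST body with a
#   GUID-shaped machineId and a 32-hex configId. The previous PCRE ended in "|", an empty
#   alternative that matches everywhere and made the machineId format check a no-op;
#   the trailing "|" is removed and rev bumped 2 -> 3 (set updated_at when this ships).
alert http any any -> $EXTERNAL_NET any (msg:"πΎ - π¨ Raccoon Stealer V2 (2023) π establishing communication to C2 - Leak π±"; flow:to_server, stateless; http.user_agent; content:"DuckTales"; http.method; content:"POST"; http.request_body; content:"machineId="; fast_pattern; pcre:"/machineId=[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/"; content:"configId="; pcre:"/configId=[a-f0-9]{32}/"; reference:url,https://cyberint.com/blog/financial-services/raccoon-stealer/; reference:url,https://malpedia.caad.fkie.fraunhofer.de/details/win.raccoon; reference:url,https://twitter.com/g0njxa/status/1670824965438832643; target:src_ip; metadata:affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_08_16, updated_at 2024_02_18; sid:3300702; rev:3; classtype:credential-theft;)
# sid 3300703: Raccoon v2 DLL delivery from a Werkzeug/Python server with an inline
#   Content-Disposition: "MZ" at offset 0, then byte_jump reads the 4-byte e_lfanew at
#   offset 0x3C and "PE\0\0" must sit at that offset (distance:-64 backs out the 64
#   bytes consumed before the jump). The fileext keyword additionally requires a .dll name.
alert http $EXTERNAL_NET any -> any any (msg:"πΎ - π¨ Raccoon Stealer V2 (2023) π DLL download from C2 - Leak π±"; flow:to_client, stateless; http.server; content:"Werkzeug/"; nocase; content:"Python/"; nocase; http.header; content:"Content-Disposition"; fast_pattern; nocase; content:"inline"; nocase; file.data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; fileext:"dll"; reference:url,https://cyberint.com/blog/financial-services/raccoon-stealer/; reference:url,https://malpedia.caad.fkie.fraunhofer.de/details/win.raccoon; reference:url,https://twitter.com/g0njxa/status/1670824965438832643; target:dest_ip; metadata:affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_08_16, updated_at 2024_02_18; sid:3300703; rev:2; classtype:credential-theft;)
# sid 3300704: Raccoon v2 configuration response - the module key prefixes (libs_, ews_,
#   wlts_, tlgrm_, dscrd_, ...) plus a 32-hex token, served by the same Werkzeug stack.
alert http $EXTERNAL_NET any -> any any (msg:"πΎ - π¨ Raccoon Stealer V2 (2023) π C2 requesting informations to Windows πͺ computer - Leak π±"; flow:to_client, stateless; http.server; content:"Werkzeug/"; nocase; content:"Python/"; nocase; http.response_body; content:"libs_"; content:".dll"; content:"ews_"; content:"wlts_"; content:"sstmnfo_System Info.txt:"; fast_pattern; content:"xtntns_"; content:"tlgrm_"; content:"dscrd_"; content:"sgnl_"; content:"grbr_"; content:"token:"; pcre:"/token:[a-f0-9]{32}/"; reference:url,https://cyberint.com/blog/financial-services/raccoon-stealer/; reference:url,https://malpedia.caad.fkie.fraunhofer.de/details/win.raccoon; reference:url,https://twitter.com/g0njxa/status/1670824965438832643; target:dest_ip; metadata:affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_08_16, updated_at 2024_02_18; sid:3300704; rev:2; classtype:credential-theft;)
# sid 3300732: Pikabot loader shape - curl user-agent, IP-literal Host on port 80 and a
#   short two-segment alphanumeric URI. Generic by design; expect some curl-to-IP noise.
alert http $HOME_NET any -> $EXTERNAL_NET 80 (msg:"πΎ - π¨ Possible Pikabot loader connection using Curl"; flow:to_server, stateless; http.user_agent; content:"curl/"; fast_pattern; nocase; http.host.raw; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.uri; pcre:"/^.{1}[A-Za-z0-9]{2,7}.{1}[A-Za-z0-9]{4,9}$/"; reference:url,https://malpedia.caad.fkie.fraunhofer.de/details/win.pikabot; metadata:attack_target Client_and_Server, signature_severity Major, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0011, mitre_tactic_name Command_and_Control, mitre_technique_id T1071.001, mitre_technique_name Application_Layer_Protocol_Web_Protocols, former_category MALWARE, malware_family Pikabot, created_at 2023_11_01, updated_at 2024_02_18; sid:3300732; rev:9; classtype:trojan-activity;)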
### SSH Connections ###
# --- SSH: client/server software banners and HASSH fingerprints. ---
# sid 3300705: client identification string "SSH-2.0-HELLOWORLD" - the banner used by the
#   RapperBot brute-forcer. Fires on the first banner, no threshold.
alert ssh any any -> any any (msg:"πΎ - π¨ Possible RapperBot π² SSH bruteforcing attempt (SSH-2.0-HELLOWORLD banner seen)"; flow:to_server, stateless; ssh.software; content:"SSH-2.0-HELLOWORLD"; reference:url,https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery; metadata:created_at 2022_08_05, updated_at 2022_08_05; sid:3300705; rev:1; classtype:trojan-activity;)
# sid 3300706: an OpenSSH server answering from source port 53, 80 or 443 (SSH hidden on a
#   DNS/HTTP/HTTPS port) with the HASSH-server fingerprint attributed to the FIN7 SSH
#   backdoor; one alert per source per hour.
alert ssh $EXTERNAL_NET [53,80,443] -> any any (msg:"πΎ - π¨ SSH suspicious flow - Possible connection to FIN7 πΏ C2"; flow:to_client, stateless; threshold: type limit, track by_src,count 1, seconds 3600; ssh.software; content:"openssh"; nocase; ssh.hassh.server; content:"b12d2871a1189eff20364cf5333619ee"; fast_pattern; reference:url,https://www.prodaft.com/resource/detail/fin7-unveiled-deep-dive-notorious-cybercrime-gang; reference:url,https://www.prodaft.com/m/reports/FIN7_TLPCLEAR.pdf; reference:url,https://www.cert.ssi.gouv.fr/cti/CERTFR-2022-CTI-003/; reference:url,https://malpedia.caad.fkie.fraunhofer.de/actor/fin7; reference:url,https://pawpatrules.fr/references/fin7_ssh_backdoor.html; metadata:created_at 2022_12_28, updated_at 2024_06_27; sid:3300706; rev:6; classtype:trojan-activity;)
### TLS SNI ###
# --- TLS SNI matches (client hello, $HOME_NET -> $EXTERNAL_NET). The SNI is a
# client-supplied string, so these are indicator matches rather than proof of the
# destination. ---
# sid 3300707 / 3300708: Dark Utilities C2-as-a-service - SNI ending in "ipfs.infura.io"
#   (the IPFS gateway it was hosted behind) or starting with "dark-utilities.".
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ Possible connection to Dark Utilities C2aaS"; flow:to_server, stateless; tls_sni; content:"ipfs.infura.io"; nocase; endswith; reference:url,https://blog.talosintelligence.com/2022/08/dark-utilities.html; metadata:created_at 2022_08_05, updated_at 2022_08_05; sid:3300707; rev:1; classtype:trojan-activity;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ Possible connection to Dark Utilities C2aaS"; flow:to_server, stateless; tls_sni; content:"dark-utilities."; nocase; startswith; reference:url,https://blog.talosintelligence.com/2022/08/dark-utilities.html; metadata:created_at 2022_08_05, updated_at 2022_08_05; sid:3300708; rev:1; classtype:trojan-activity;)
# sid 3300709 / 3300710: DeltaStealer infrastructure - SNI containing "deltastealer." or
#   "deltaproject." anywhere (not anchored), from the Trend Micro IOC list.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ Possible DeltaStealer flow"; flow:to_server, stateless; tls_sni; content:"deltastealer."; nocase; reference:url,https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/e/rust-based-info-stealers-abuse-github-codespaces/IOC-list-rust-based-info-stealers-abuse-github-codespaces.txt; metadata:created_at 2023_05_30, updated_at 2024_02_18; sid:3300709; rev:2; classtype:credential-theft;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ Possible DeltaStealer flow"; flow:to_server, stateless; tls_sni; content:"deltaproject."; nocase; reference:url,https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/e/rust-based-info-stealers-abuse-github-codespaces/IOC-list-rust-based-info-stealers-abuse-github-codespaces.txt; metadata:created_at 2023_05_30, updated_at 2024_02_18; sid:3300710; rev:2; classtype:credential-theft;)
### TLS JA3 / JA3S ###
# --- TLS fingerprints: ja3.hash (client hello) and ja3s.hash (server hello). ---
# A JA3 identifies a TLS stack, not a program: the Windows-socket / PowerShell / curl
# fingerprints below are shared with legitimate software. That is why most of these
# rules are scoped to $EXTERNAL_NET, to unusual ports, or paired with an SNI or
# ssl_version condition, and why they should be triaged rather than acted on alone.
# sid 3300711: a known-bad JA3 (Emotet / Trickbot / Meterpreter per the references) on a
#   destination port outside the listed standard TLS service ports; 1 alert/min/source.
alert tls any any -> any ![443,465,563,587,636,695,853,898,989,990,992,993,994,995,2376,2484,3269,4116,3424,4843,5061,5085,5228,5349,5671,5986,6513,6514,6619,6697,8243,8883] (msg:"πΎ - π¨ Suspicious JA3 πΏ + SSL/TLS trafic on unusual SSL/TLS port - Likely C2 connection / Emotet / Trickbot / Meterpreter"; flow:to_server, stateless; ja3.hash; content:"8916410db85077a5460817142dcbc8de"; metadata: former_category JA3; threshold: type limit, track by_src, seconds 60, count 1; reference: url,https://sslbl.abuse.ch/ja3-fingerprints/8916410db85077a5460817142dcbc8de/; reference: url,https://securitynews.sonicwall.com/xmlpost/emotet-is-back/; reference: url,https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers; metadata:created_at 2022_11_14, updated_at 2022_11_14; sid:3300711; rev:2; classtype:trojan-activity;)
# sid 3300712 / 3300713: Windows 10 SChannel JA3 (TLSv1.2 / TLSv1) towards $EXTERNAL_NET -
#   the raw-socket fingerprint seen from Meterpreter / Cobalt Strike beacons. No threshold,
#   so expect volume on networks where non-browser Windows software talks to the Internet.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - β Suspicious TLSv1.2 connection from πͺ Windows 10 socket to public IP address - Possible β Meterpreter / Cobalt Strike / other C2"; flow:to_server, stateless; ja3.hash; content:"72a589da586844d7f0818ce684948eea"; metadata: former_category JA3; reference:url,https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/; reference:url,https://thedfirreport.com/2020/10/08/ryuks-return/; reference:url,https://thedfirreport.com/2021/01/31/bazar-no-ryuk/; reference:url,https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967; metadata:created_at 2021_06_29, updated_at 2023_03_17; sid:3300712; rev:5; classtype:trojan-activity;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - β Suspicious TLSv1 connection from πͺ Windows 10 socket to public IP address - Possible β Meterpreter / Cobalt Strike / other C2"; flow:to_server, stateless; ja3.hash; content:"49ed2ef3f1321e5f044f1e71b0e6fdd5"; metadata: former_category JA3; reference:url,https://sslbl.abuse.ch/ja3-fingerprints/49ed2ef3f1321e5f044f1e71b0e6fdd5/; metadata:created_at 2022_11_24, updated_at 2023_03_17; sid:3300713; rev:2; classtype:trojan-activity;)
# sid 3300714 / 3300715: JA3S of the server hello sent back by Metasploit and Cobalt Strike
#   listeners on Kali (flow:to_client, any -> any).
alert tls any any -> any any (msg:"πΎ - π¨ Meterpreter / Metasploit β β‘ Kali Linux possible reply β’"; flow:to_client, stateless; ja3s.hash; content:"70999de61602be74d4b25185843bd18e"; metadata: former_category JA3; reference:url,https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967; metadata:created_at 2021_06_29, updated_at 2023_03_17; sid:3300714; rev:6; classtype:trojan-activity;)
alert tls any any -> any any (msg:"πΎ - π¨ Cobalt Strike β β‘ Kali Linux possible reply β’"; flow:to_client, stateless; ja3s.hash; content:"b742b407517bac9536a77a7b0fee28e9"; metadata: former_category JA3; reference:url,https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967; metadata:created_at 2021_06_29, updated_at 2023_03_17; sid:3300715; rev:7; classtype:trojan-activity;)
# sid 3300716: TLSv1.2 JA3 shared by the Windows socket, PowerShell and curl - seen from
#   Bumblebee and PoshC2 per the references. Same caveat on volume as above.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - β Suspicious TLSv1.2 connection from πͺ Windows 10 socket / Powershell / Curl to public IP address - Possible β Meterpreter / Cobalt Strike / PoshC2 / other C2"; flow:to_server, stateless; ja3.hash; content:"c12f54a3f91dc7bafd92cb59fe009a35"; metadata: former_category JA3; reference:url,https://old.zeek.org/brocon2018/slides/Jeff_Atkinson._Fingerprinting_Encrypted.pptx; reference:url,https://www.aspirets.com/blog/bumblebee-malware-loader-threat-analysis/; reference:url,https://labs.nettitude.com/blog/detecting-poshc2-indicators-of-compromise/; metadata:created_at 2023_03_17, updated_at 2023_12_04; sid:3300716; rev:2; classtype:trojan-activity;)
# sid 3300717: the TLSv1 PowerShell JA3 (a single hello); sid 3300719 below is the
#   thresholded variant for the Villain / Hoaxshell polling loop.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - β Suspicious TLSv1 connection from πͺ Windows Powershell to public IP address"; flow:to_server, stateless; ja3.hash; content:"fc54e0d16d9764783542f0146a98b300"; metadata: former_category JA3; reference:url,https://learn.microsoft.com/en-us/powershell/; metadata:created_at 2023_03_17, updated_at 2023_03_17; sid:3300717; rev:1; classtype:trojan-activity;)
# sid 3300718: byte-level pin of a ClientHello seen on an Emotet C2 dialog (record
#   header, handshake length, TLS 1.0 version, cipher/extension list) plus the same JA3
#   as 3300713. NOTE(review): the first content ends with 0x64, the first byte of the
#   client random; if that field carries gmt_unix_time this only matches hellos dated
#   roughly March-September 2023, so the rule is expected to go quiet by design.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - β Suspicious TLSv1 connection from πͺ Windows 10 socket to public IP address - Seen in march 2023 on πΏ Emotet C2 dialog"; flow:to_server, stateless; content:"|16 03 01 00 63 01 00 00 5f 03 01 64|"; content:"|c0 09 c0 14 c0 13 00 35 00 2f 00 0a 01 00 00 28 00 05 00 05 01 00 00 00 00 00 0a 00 08 00 06 00 1d 00 17 00 18 00 0b 00 02 01 00 00 23 00 00 00 17 00 00 ff 01 00 01 00|"; fast_pattern; distance:36; ja3.hash; content:"49ed2ef3f1321e5f044f1e71b0e6fdd5"; metadata: former_category JA3; reference:url,https://bazaar.abuse.ch/sample/a43e0864905fe7afd6d8dbf26bd27d898a2effd386e81cfbc08cae9cf94ed968/; metadata:created_at 2023_03_18, updated_at 2023_03_18; sid:3300718; rev:2; classtype:trojan-activity;)
# sid 3300719: TLSv1.0 PowerShell JA3 repeated 10 times in 20 s from one source - the
#   persistent polling pattern of Villain / Hoaxshell over HTTPS.
alert tls $HOME_NET any -> any any (msg:"πΎ - π¨ Suspicious TLSv1.0 Powershell πͺ Windows persistent flow - Possible π¦Ή Villain C2 or Hoaxshell"; flow:to_server, stateless; ssl_version:tls1.0; threshold: type threshold, track by_src, count 10, seconds 20; ja3.hash; content:"fc54e0d16d9764783542f0146a98b300"; reference:url,https://github.com/t3l3machus/hoaxshell; reference:url,https://github.com/t3l3machus/Villain; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_12_06, updated_at 2022_12_06; sid:3300719; rev:1; classtype:trojan-activity;)
# sid 3300720: DarkVision RAT server-hello JA3S, 10 hits in 60 s tracked by destination
#   (the infected host) - i.e. the beacon cadence rather than a single handshake.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Possible Darkvision RAT π C2 Server answer flow"; flow:to_client, stateless; threshold: type threshold, track by_dst, count 10, seconds 60; ja3s.hash; content:"098e26e2609212ac1bfac552fbe04127"; reference:url,https://bazaar.abuse.ch/sample/56cb118f4caa1f3d0461faba24d9cb575843177b2a756622533ba00dbac10a2a/; reference:url,https://app.any.run/tasks/98e269e7-68e9-40b1-89e7-90745a119a0a/; reference:url,https://www.virustotal.com/gui/domain/pylox.petchx.com/relations; reference:url,https://www.pcrisk.com/removal-guides/26678-darkvision-rat; reference:url,https://www.youtube.com/watch?v=Bs-1Piy3GRk; metadata:created_at 2023_05_30, updated_at 2023_05_31; sid:3300720; rev:15; classtype:trojan-activity;)
# sid 3300721 / 3300722: Disin (Python) trojan - a Python TLS-stack JA3 combined with the
#   SNI of the service it abuses (discord.com for C2, api.gofile.io for exfiltration).
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ Suspicious flow to Discord.com - Possible Python Disin Trojan π΄ C2 connection"; flow:to_server, stateless; ja3.hash; content:"629273f159de88e0d3860a95d94ac128"; tls_sni; content:"discord.com"; metadata: former_category JA3; reference:url,https://www.virustotal.com/gui/file/d8fa3fe4104b545e8bbc5816e1efafe541d146c451d8ce085bab537f40e36c0f/detection; metadata:created_at 2023_06_21, updated_at 2023_06_21; sid:3300721; rev:1; classtype:trojan-activity;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ Suspicious flow to api.gofile.io - Possible Python Disin Trojan π΄ file exfiltration π±"; flow:to_server, stateless; ja3.hash; content:"47f56493e551459ad91fdee8f61435f3"; tls_sni; content:"api.gofile.io"; metadata: former_category JA3; reference:url,https://www.virustotal.com/gui/file/d8fa3fe4104b545e8bbc5816e1efafe541d146c451d8ce085bab537f40e36c0f/detection; metadata:created_at 2023_06_21, updated_at 2023_06_21; sid:3300722; rev:1; classtype:trojan-activity;)
# sid 3300723: Rhadamanthys stealer client JA3 (TLSv1.2) towards $EXTERNAL_NET.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ Suspicious TLSv1.2 JA3 connection from πͺ Windows - Possible πΏ Rhadamanthys InfoStealer"; flow:to_server, stateless; ja3.hash; content:"caec7ddf6889590d999d7ca1b76373b6"; metadata: former_category JA3; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys; reference: url,https://research.checkpoint.com/2023/from-hidden-bee-to-rhadamanthys-the-evolution-of-custom-executable-formats/; metadata:created_at 2023_09_23, updated_at 2023_09_23; sid:3300723; rev:1; classtype:trojan-activity;)
# sid 3301091: an SSLv3 hello (ssl_version:sslv3) with the JA3 observed in a REvil /
#   Sodinokibi intrusion - SSLv3 alone is already anomalous on a modern estate.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ Suspicious SSLv3 connection seen in π REvil / Sodinokibi ransomware attack"; flow:to_server, stateless; ssl_version:sslv3; ja3.hash; content:"79c9e26fe870347aca15a4b6b6aea6d0"; reference:url,https://malpedia.caad.fkie.fraunhofer.de/details/win.revil; metadata:created_at 2023_11_18, updated_at 2023_11_18; sid:3301091; rev:1; classtype:trojan-activity;)
# sid 3301092: Windows TLSv1.2 JA3 seen in REvil and Pikabot activity, with a suffix
#   allowlist on the SNI for Microsoft / Adobe / Autodesk services. The allowlist is a
#   noise filter, not a trust decision - the SNI is set by the client - so a hit still
#   needs the destination checked, as the msg says.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ Suspicious TLSV1.2 connection from Windows πͺ (JA3) seen in π REvil / Sodinokibi ransomware attack + Pikabot (check that the destination is legitimate)"; flow:to_server, stateless; ja3.hash; content:"ce5f3254611a8c095a3d821d44539877"; fast_pattern; tls_sni; content:!"adobe.com"; endswith; nocase; content:!"microsoft.com"; endswith; nocase; content:!"skype.com"; endswith; nocase; content:!"msn.com"; endswith; nocase; content:!"office.net"; endswith; nocase; content:!"live.com"; endswith; nocase; content:!"office.com"; endswith; nocase; content:!"office365.com"; endswith; nocase; content:!"azureedge.net"; endswith; nocase; content:!"comae.com"; endswith; nocase; content:!"autodesk.com"; endswith; nocase; content:!"onenote.net"; endswith; nocase; content:!".microsoft"; endswith; nocase; reference:url,https://malpedia.caad.fkie.fraunhofer.de/details/win.revil; reference:url,https://malpedia.caad.fkie.fraunhofer.de/details/win.pikabot; metadata:created_at 2023_11_18, updated_at 2024_05_27; sid:3301092; rev:9; classtype:trojan-activity;)
# sid 3301131: Windows 11 SChannel JA3 (TLSv1.2) towards $EXTERNAL_NET - the Windows 11
#   counterpart of 3300712.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - β Suspicious TLSv1.2 connection from πͺ Windows 11 socket to public IP address - Possible β Meterpreter / Cobalt Strike / other C2"; flow:to_server, stateless; ja3.hash; content:"4d93395b1c1b9ad28122fb4d09f28c5e"; metadata:attack_target Client_and_Server, signature_severity Major, affected_product Windows_11_Server_32_64_Bit, mitre_tactic_id TA0011, mitre_tactic_name Command_and_Control, former_category MALWARE, created_at 2024_02_17, updated_at 2024_02_17; sid:3301131; rev:1; classtype:trojan-activity;)
# sid 3301132 / 3301133: Windows 11 (TLSv1.3) or Windows 10 (TLSv1.2) socket JA3 with an
#   SNI ending in "t.me" - a non-browser TLS stack talking to Telegram, a common
#   stealer exfiltration channel. Browsers use a different JA3, so ordinary Telegram web
#   use should not trigger these.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ Suspicious TLSv1.3 connection from πͺ Windows 11 to Telegram π¬ - Possible info-stealing operation"; flow:to_server, stateless; ja3.hash; content:"3c293bdf2a25c07559b560ba86debc77"; fast_pattern; tls_sni; content:"t.me"; nocase; endswith; metadata:attack_target Client_and_Server, signature_severity Major, affected_product Windows_11_Server_32_64_Bit, mitre_tactic_id TA0006, mitre_tactic_name Credential_Access, former_category MALWARE, created_at 2024_02_17, updated_at 2024_02_17; sid:3301132; rev:2; classtype:credential-theft;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ Suspicious TLSv1.2 connection from πͺ Windows 10 to Telegram π¬ - Possible info-stealing operation"; flow:to_server, stateless; ja3.hash; content:"a0e9f5d64349fb13191bc781f81f42e1"; fast_pattern; tls_sni; content:"t.me"; nocase; endswith; metadata:attack_target Client_and_Server, signature_severity Major, affected_product Windows_10_Server_32_64_Bit, mitre_tactic_id TA0006, mitre_tactic_name Credential_Access, former_category MALWARE, created_at 2024_02_17, updated_at 2024_02_17; sid:3301133; rev:3; classtype:credential-theft;)
# sid 3301134 / 3301135: the same two socket JA3s with an SNI ending in ".s3.amazonaws.com"
#   (a raw bucket hostname, no custom domain) - the other usual stealer drop location.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ Suspicious TLSv1.3 connection from πͺ Windows 11 to Amazon S3 server without custom domain name - Possible info-stealing operation"; flow:to_server, stateless; ja3.hash; content:"3c293bdf2a25c07559b560ba86debc77"; fast_pattern; tls_sni; content:".s3.amazonaws.com"; nocase; endswith; metadata:attack_target Client_and_Server, signature_severity Major, affected_product Windows_11_Server_32_64_Bit, mitre_tactic_id TA0006, mitre_tactic_name Credential_Access, former_category MALWARE, created_at 2024_02_18, updated_at 2024_02_18; sid:3301134; rev:1; classtype:credential-theft;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ Suspicious TLSv1.2 connection from πͺ Windows 10 to Amazon S3 server without custom domain name - Possible info-stealing operation"; flow:to_server, stateless; ja3.hash; content:"a0e9f5d64349fb13191bc781f81f42e1"; fast_pattern; tls_sni; content:".s3.amazonaws.com"; nocase; endswith; metadata:attack_target Client_and_Server, signature_severity Major, affected_product Windows_10_Server_32_64_Bit, mitre_tactic_id TA0006, mitre_tactic_name Credential_Access, former_category MALWARE, created_at 2024_02_18, updated_at 2024_02_18; sid:3301135; rev:1; classtype:credential-theft;)
# sid 3321287: the a0e9f5d6... JA3 is also what mshta.exe produces (T1218.005, signed
#   binary proxy execution); every destination except the allowlisted Microsoft / Mozilla /
#   Adobe / GIMP suffixes is reported. Same SNI caveat as 3301092 - this is a triage
#   signal, the destination still has to be vetted. target:src_ip marks the host
#   running MSHTA as the victim in the alert.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ Suspicious TLSV1.2 connection from πͺ Windows (MSHTA) Microsoft HTML Application (check that the destination is legitimate) - T1218.005"; flow:to_server, stateless; ja3.hash; content:"a0e9f5d64349fb13191bc781f81f42e1"; fast_pattern; tls_sni; content:!"office.com"; endswith; nocase; content:!"msn.com"; endswith; nocase; content:!"live.com"; endswith; nocase; content:!"office.net"; endswith; nocase; content:!"microsoft.com"; endswith; nocase; content:!"outlook.com"; endswith; nocase; content:!"mozilla.org"; endswith; nocase; content:!"msedge.net"; endswith; nocase; content:!"office365.com"; endswith; nocase; content:!"sharepoint.com"; endswith; nocase; content:!".ms"; endswith; nocase; content:!"onenote.net"; endswith; nocase; content:!"adobe.io"; endswith; nocase; content:!"gimp.org"; endswith; nocase; reference:url,https://attack.mitre.org/techniques/T1218/005/; target:src_ip; metadata:created_at 2024_06_26, updated_at 2024_06_27, signature_severity Major, attack_target Client_and_Server, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0005, mitre_tactic_name Defense_Evasion, mitre_technique_id T1218_005, mitre_technique_name System_Binary_Proxy_Execution_Mshta; sid:3321287; rev:8; classtype:trojan-activity;)
### DNS ###
# sid 3301139: DNS query for exactly 11 lowercase alphanumerics + ".life" - the
#   algorithmically generated C2 domain shape seen with Bumblebee. The "." before "life"
#   in the PCRE is unescaped (matches any character), but the content ".life" with
#   endswith forces it to be a literal dot, so the two together behave as intended;
#   escape it as "\." if the content check is ever removed.
alert dns any any -> any any (msg:"πΎ - π¨ Suspicious DNS Request to .life domain with 11 caracters - Seen in πΏ Bumblebee π πͺ attacks"; flow:to_server, stateless; dns_query; pcre:"/^[a-z0-9]{11}.life$/"; content:".life"; endswith; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bumblebee; metadata:attack_target Client_and_Server, signature_severity Major, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0011, mitre_tactic_name Command_and_Control, mitre_technique_id T1071.001, mitre_technique_name Application_Layer_Protocol_Web_Protocols, former_category MALWARE, malware_family Bumblebee, created_at 2024_02_18, updated_at 2024_02_18; sid:3301139; rev:2; classtype:trojan-activity;)
### TCP ###
# --- Raw TCP payload matches (no app-layer parser; hex contents are decoded in the
# comments so the signature can be reviewed without a hex table). ---
# sid 3300724: any TCP packet from $HOME_NET to 1.1.1.1:80 - no payload condition at all.
#   Zerobot uses this as a connectivity test, but so do users and tooling reaching
#   Cloudflare over plain HTTP; there is no threshold, so expect one alert per packet
#   on networks where that address is legitimately reachable.
alert tcp $HOME_NET any -> 1.1.1.1 80 (msg:"πΎ - π¨ Suspicious flow to 1.1.1.1 on port 80 - Possible Zerobot π€ π§ connection test"; flow:to_server, stateless; reference:url,https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities; metadata:created_at 2022_12_07, updated_at 2022_12_07; sid:3300724; rev:1; classtype:trojan-activity;)
# sid 3300725: RedLine check-in over .NET WCF binary framing - "$http://", "/MSValue1",
#   "net.tcp://", "MSValue1" and "Authorization" + 0x08 0x03 "ns1" 0x99 0x20 in order.
alert tcp any any -> $EXTERNAL_NET any (msg:"πΎ - π¨ RedLine Stealer π establishing communication to C2 - Leak π±"; flow:to_server, stateless; content:"|24 68 74 74 70 3a 2f 2f|"; content:"|2f 4d 53 56 61 6c 75 65 31|"; content:"|6e 65 74 2e 74 63 70 3a 2f 2f|"; distance:1; fast_pattern; content:"|4d 53 56 61 6c 75 65 31|"; content:"|41 75 74 68 6f 72 69 7a 61 74 69 6f 6e 08 03 6e 73 31 99 20|"; reference:url,https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer; reference:url,https://twitter.com/Jane_0sint/status/1663543454092386307?s=20; reference:url,https://www.bitdefender.com/files/News/CaseStudies/study/415/Bitdefender-PR-Whitepaper-RedLine-creat6109-en-EN.pdf; target:src_ip; metadata:affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_06_06, updated_at 2024_02_18; sid:3300725; rev:5; classtype:credential-theft;)
# sid 3300726: victim -> C2 system-information report - "Windows", "Name:",
#   ".exe, CommandLine:", an "F-??ID:" field and "Total of RAM" in the same stream.
alert tcp any any -> $EXTERNAL_NET any (msg:"πΎ - π¨ Windows πͺ computer sending informations to RedLine Stealer π C2 - Leak π±"; flow:to_server, stateless; content:"Windows"; content:"Name:"; content:".exe|2c| CommandLine:"; fast_pattern; pcre:"/F-..ID:/"; content:"Total of RAM"; reference:url,https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer; reference:url,https://www.bitdefender.com/files/News/CaseStudies/study/415/Bitdefender-PR-Whitepaper-RedLine-creat6109-en-EN.pdf; target:src_ip; metadata:affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_08_15, updated_at 2023_08_16; sid:3300726; rev:2; classtype:trojan-activity;)
# sid 3300727: C2 -> victim file-grabber task, matched per packet (tcp-pkt). The hex is
#   ":%userprofile%\Desktop|*.txt,*.doc*,*key*,*wallet*,*seed*|0F" - the default
#   RedLine grabber rule for the desktop folder.
alert tcp-pkt $EXTERNAL_NET any -> any any (msg:"πΎ - π¨ RedLine Stealer π C2 requesting informations to Windows πͺ computer - Leak π±"; flow:to_client, stateless; content:"|3a 25 75 73 65 72 70 72 6f 66 69 6c 65 25 5c 44 65 73 6b 74 6f 70 7c 2a 2e 74 78 74 2c 2a 2e 64 6f 63 2a 2c 2a 6b 65 79 2a 2c 2a 77 61 6c 6c 65 74 2a 2c 2a 73 65 65 64 2a 7c 30 46|"; fast_pattern; reference:url,https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer; reference:url,https://www.bitdefender.com/files/News/CaseStudies/study/415/Bitdefender-PR-Whitepaper-RedLine-creat6109-en-EN.pdf; target:dest_ip; metadata:affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_08_15, updated_at 2023_08_16; sid:3300727; rev:5; classtype:trojan-activity;)
# sid 3300728: Villain netcat-style PowerShell reverse shell, victim side - a prompt
#   "\r\nPS C:\" followed by "> " and a 32-hex session id echoed in the stream.
alert tcp $HOME_NET any -> any any (msg:"πΎ - π Possible Malicious TCP πͺ Windows connection to π¦Ή Villain C2 with netcat powershell reverse tcp payload"; flow:to_server, stateless; content:"|0d 0a 50 53 20 43 3a 5c|"; fast_pattern; content:"|3e 20|"; pcre:"/[a-z0-9]{32}/"; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_10_16, updated_at 2023_10_17; sid:3300728; rev:6; classtype:trojan-activity;)
# sid 3300729: the matching C2 -> victim side: a packet that is "echo " + 32-hex id and
#   ends with a newline (the keep-alive Villain sends to the shell).
alert tcp-pkt any any -> any any (msg:"πΎ - π Possible Malicious TCP answer from π¦Ή Villain C2 with netcat reverse tcp payload"; flow:to_client, stateless; content:"|65 63 68 6f 20|"; fast_pattern; pcre:"/echo [a-z0-9]{32}/"; content:"|0a|"; endswith; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_10_17, updated_at 2023_10_17; sid:3300729; rev:14; classtype:trojan-activity;)
# sid 3301090: second RedLine WCF variant - "http://tempuri.org/" (the default .NET
#   service namespace) followed by "@\rAuthorization" + 0x08 0x03 "ns1".
alert tcp any any -> $EXTERNAL_NET any (msg:"πΎ - π¨ RedLine Stealer π communication to C2 - Leak π±"; flow:to_server, stateless; content:"|68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f|"; content:"|40 0d 41 75 74 68 6f 72 69 7a 61 74 69 6f 6e 08 03 6e 73 31|"; fast_pattern; reference:url,https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer; reference:url,https://twitter.com/Jane_0sint/status/1663543454092386307?s=20; reference:url,https://www.bitdefender.com/files/News/CaseStudies/study/415/Bitdefender-PR-Whitepaper-RedLine-creat6109-en-EN.pdf; target:src_ip; metadata:affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_11_18, updated_at 2023_11_18; sid:3301090; rev:1; classtype:trojan-activity;)
# sid 3301150: njRAT screen capture upload - "\0scPK|'|'|" then the "|'|'|" field
#   delimiter immediately followed by a JFIF/JPEG header (FF D8 FF E0 00 10 "JFIF").
alert tcp any any -> $EXTERNAL_NET any (msg:"πΎ - π¨ NJRAT πͺ communication to C2"; flow:to_server, stateless; content:"|00 73 63 50 4b 7c 27 7c 27 7c|"; content:"|7c 27 7c 27 7c ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 60 00 60 00 00 ff db 00 43 00 10 0b 0c 0e 0c 0a 10 0e 0d 0e 12 11 10 13 18 28|"; fast_pattern; reference:url,https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat; target:src_ip; metadata:attack_target Client_and_Server, signature_severity Major, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0011, mitre_tactic_name Command_and_Control, mitre_technique_id T1071.001, mitre_technique_name Application_Layer_Protocol_Web_Protocols, former_category MALWARE, malware_family Njrat, created_at 2024_02_26, updated_at 2024_02_26; sid:3301150; rev:1; classtype:command-and-control;)
# sid 3301151: njRAT registration message, under 300 bytes - "\0ll" then
#   "|'|'||'|'|Win" (empty field before the OS string) and a trailing "|'|'|".
alert tcp any any -> $EXTERNAL_NET any (msg:"πΎ - π¨ NJRAT πͺ establishing connection to C2"; flow:to_server, stateless; dsize:<300; content:"|00 6c 6c|"; content:"|7c 27 7c 27 7c 7c 27 7c 27 7c 57 69 6e|"; fast_pattern; content:"|7c 27 7c 27 7c|"; endswith; reference:url,https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat; target:src_ip; metadata:attack_target Client_and_Server, signature_severity Major, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0011, mitre_tactic_name Command_and_Control, mitre_technique_id T1071.001, mitre_technique_name Application_Layer_Protocol_Web_Protocols, former_category MALWARE, malware_family Njrat, created_at 2024_02_28, updated_at 2024_02_28; sid:3301151; rev:2; classtype:command-and-control;)
### TFTP ###
alert tftp $HOME_NET any -> any any (msg:"πΎ - π TFTP Zerobot π€ π§ script downloading"; flow:to_server, stateless; content:"|00 01|"; content:"zero."; fast_pattern; distance:0; pcre:"/[a-z0-9]{3,}/i"; reference:url,https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities; metadata:created_at 2022_12_07, updated_at 2022_12_07; sid:3300730; rev:2; classtype:trojan-activity;)
