[Emerging-Sigs] SIGS: More Lateral Movement

Kevin Ross kevross33 at googlemail.com
Thu Apr 11 00:37:06 HDT 2019


Hi,

Here are some more lateral movement signatures.

Kind Regards,
Kevin Ross

# sid:124111 - ASCII "nslookup" (case-insensitive) anywhere after the "SMB" header
# marker in client->server traffic to 445. Companion of sid:124112, which looks for
# the UTF-16LE spelling. No word boundary or offset bound: any file, script or
# document containing the word that is written to a share also hits, hence the
# POLICY msg and bad-unknown classtype; expect to tune per environment.
# NOTE(review): sid values below 1000000 are conventionally reserved for vendor
# rulesets; presumably ET renumbers these on merge, but a local deployment as-is
# risks a sid clash - confirm before loading.
alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Nslookup Command in SMB
Traffic - Possible Lateral Movement"; flow:established,to_server;
content:"SMB"; depth:8; content:"nslookup"; nocase; distance:0;
classtype:bad-unknown; sid:124111; rev:1;)

# sid:124112 - UTF-16LE "nslookup" after the "SMB" header marker, client->server to
# 445 (the leading |00| is the high byte of whatever character precedes the word,
# so the match requires that byte to be zero as well). This is the spelling that
# appears inside wide-string fields such as a service command line carried over an
# SMB named pipe - presumably the case the rule targets; verify against a capture.
# Same caveat as sid:124111: any wide-string file content containing the word hits.
alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Nslookup Command in SMB
Traffic - Possible Lateral Movement"; flow:established,to_server;
content:"SMB"; depth:8;
content:"|00|n|00|s|00|l|00|o|00|o|00|k|00|u|00|p|00|"; nocase; distance:0;
classtype:bad-unknown; sid:124112; rev:1;)

# sid:124113 - ASCII "ipconfig" (case-insensitive) anywhere after the "SMB" header
# marker, client->server to 445; UTF-16LE counterpart is sid:124114. Same shape and
# same false-positive profile as the nslookup pair (sid:124111/124112): no boundary,
# no offset bound, so written files containing the word also match.
alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Ipconfig Command in SMB
Traffic - Possible Lateral Movement"; flow:established,to_server;
content:"SMB"; depth:8; content:"ipconfig"; nocase; distance:0;
classtype:bad-unknown; sid:124113; rev:1;)

# sid:124114 - UTF-16LE "ipconfig" after the "SMB" header marker, client->server to
# 445; ASCII counterpart is sid:124113. The leading |00| pins the high byte of the
# preceding character to zero, which is what a wide-string command line looks like.
alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Ipconfig Command in SMB
Traffic - Possible Lateral Movement"; flow:established,to_server;
content:"SMB"; depth:8;
content:"|00|i|00|p|00|c|00|o|00|n|00|f|00|i|00|g|00|"; nocase; distance:0;
classtype:bad-unknown; sid:124114; rev:1;)

# sid:124115 - ASCII "net" followed by "view" that ends within 9 bytes of the end of
# "net" (both case-insensitive), after the "SMB" header marker, client->server to
# 445. within:9 allows "net view" with up to five bytes of padding between the
# words. There is no boundary before "net", so any substring "...net" closely
# followed by "view" (e.g. inside a longer word) matches too; the within bound
# limits but does not remove that. UTF-16LE counterpart is sid:124116.
alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Net View Command in SMB
Traffic - Likely Lateral Movement"; flow:established,to_server;
content:"SMB"; depth:8; content:"net"; nocase; distance:0; content:"view";
nocase; within:9; classtype:bad-unknown; sid:124115; rev:1;)

# sid:124116 - UTF-16LE "net" then UTF-16LE "view" ending within 19 bytes of the end
# of "net" (a wide " view" is 10 bytes, so roughly nine bytes of slack), after the
# "SMB" header marker, client->server to 445. ASCII counterpart is sid:124115.
# fast_pattern is forced onto the 7-byte "net" content; the 9-byte "view" content
# is longer and may be the better candidate - TODO confirm with engine profiling.
alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Net View Command in SMB
Traffic - Likely Lateral Movement"; flow:established,to_server;
content:"SMB"; depth:8; content:"|00|n|00|e|00|t|00|"; nocase; distance:0;
fast_pattern; content:"|00|v|00|i|00|e|00|w|00|"; nocase; within:19;
classtype:bad-unknown; sid:124116; rev:1;)

# sid:124118 - UTF-16LE "ExecuteShellCommand" anywhere in an established client->server
# stream to $HOME_NET on ANY port. Only one content and no offset/depth, so every
# payload in that direction is scanned for the 38-byte string. No port is pinned,
# presumably because DCOM activation moves to a dynamic port after the endpoint
# mapper exchange - confirm. NOTE(review): the method name is only visible on the
# wire where the client resolves it by name (the IDispatch-style invocation in the
# referenced write-ups); a caller using the interface's numeric method id would not
# produce this string - verify against a capture of the technique.
# The three reference URLs are wrapped here by the mail client; in a rules file each
# rule must be a single line.
alert tcp any any -> $HOME_NET any (msg:"ET NETBIOS DCERPC DCOM
ExecuteShellCommand Call - Likely Lateral Movement";
flow:established,to_server;
content:"|00|E|00|x|00|e|00|c|00|u|00|t|00|e|00|S|00|h|00|e|00|l|00|l|00|C|00|o|00|m|00|m|00|a|00|n|00|d|00|";
classtype:bad-unknown; reference:url,
enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/;
reference:url,enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/;
reference:url,attack.mitre.org/techniques/T1175/; sid:124118; rev:1;)

# sid:124120 - UTF-16LE "ShellExecute" anywhere in an established client->server
# stream to $HOME_NET on any port; same shape and same caveats as sid:124118.
# The pattern ends at the high byte of the final "e", so longer names that contain
# "ShellExecute" as a prefix also match, and any wide-string data carrying the word
# on any port will fire it - expect tuning.
alert tcp any any -> $HOME_NET any (msg:"ET NETBIOS DCERPC DCOM
ShellExecute - Likely Lateral Movement"; flow:established,to_server;
content:"|00|S|00|h|00|e|00|l|00|l|00|E|00|x|00|e|00|c|00|u|00|t|00|e|00|";
classtype:bad-unknown; reference:url,
enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/;
reference:url,enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/;
reference:url,attack.mitre.org/techniques/T1175/; sid:124120; rev:1;)

# sid:156611 - client->server SMB payload to 445 carrying, in order after the "SMB"
# header marker, "MZ", the DOS-stub text "This program " and the "PE\0\0" signature:
# the start of a PE image being written to a share. Fires on every executable or DLL
# upload, including routine software deployment, hence the POLICY msg; scope it to
# hosts where pushes are unexpected. An image whose DOS stub omits the standard text
# is missed, as is a copy that does not begin at file offset 0 in the same segment
# as the SMB header. NOTE(review): encrypted SMB3 sessions are presumably opaque to
# this and to the 124111-124116 rules above - confirm for the monitored segment.
alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Executable Transfer in
SMB"; flow:established,to_server; content:"SMB"; depth:8; content:"MZ";
distance:0; content:"This program "; distance:0; content:"PE|00 00|";
distance:0; classtype:bad-unknown; sid:156611; rev:1;)

# These are not mine. They are from FireEye:
# www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html.
# They are needed to detect the RDP tunneling technique; still worth including if that is OK.

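# sid:911111 (FireEye) - the X.224 Connection Request that opens an RDP handshake,
# seen from a source port normally used for another service and headed to a port
# other than 3389: TPKT "03 00 00" at offset 0, the CR TPDU type byte 0xE0 at
# offset 5 (distance:2 skips the TPKT length low byte and the X.224 length byte),
# then the "Cookie: mstshash=" routing token exactly at offset 11 (distance:5 skips
# DST-REF, SRC-REF and class). dsize:<65 keeps the check to the small handshake
# packet. Source-port list and !3389 are the tunneling heuristic from the reference;
# plain RDP on a non-standard port from those ports fires it as well.
# Added flow:established,to_server: the connection request is only ever sent by the
# client, and the posted rule had no flow qualifier, so its content checks ran on
# both directions and on packets outside a tracked session. Bump rev if this sid
# has already been deployed anywhere.
alert tcp any [21,22,23,25,53,80,443,8080] -> any !3389 (msg:"ET POLICY Tunneled RDP msts Handshake"; flow:established,to_server; dsize:<65; content:"|03 00 00|"; depth:3; content:"|e0|"; distance:2; within:1; content:"Cookie: mstshash="; distance:5; within:17; classtype:bad-unknown; reference:url,www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html; sid:911111; rev:1;)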

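# sid:911112 (FireEye) - later stage of an RDP handshake on a port other than 3389:
# "c0 00" followed by "Duca" within the first 250 bytes (the H.221 key the client
# places in its MCS Connect-Initial), plus the "rdpdr" and "cliprdr" strings
# anywhere in the payload (presumably the virtual-channel names the client
# requests - confirm against a capture). No dsize bound here, unlike sid:911111.
# Added to_server to the flow qualifier: the Connect-Initial is client-sent, so the
# server direction need not be inspected for it. Bump rev if this sid has already
# been deployed anywhere.
alert tcp any [21,22,23,25,53,80,443,8080] -> any !3389 (msg:"ET POLICY Tunneled RDP Handshake"; flow:established,to_server; content:"|c0 00|Duca"; depth:250; content:"rdpdr"; content:"cliprdr"; classtype:bad-unknown; reference:url,www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html; sid:911112; rev:1;)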