[Emerging-Sigs] SIGS: More Lateral Movement

Travis Green tgreen at emergingthreats.net
Thu Apr 11 05:42:50 HDT 2019


Thanks Kevin, we'll get these in QA and see about the FireEye sigs.

-T

On Thu, Apr 11, 2019 at 3:37 AM Kevin Ross via Emerging-sigs
<emerging-sigs at lists.emergingthreats.net> wrote:
>
> Hi,
>
> Here are some more lateral movement signatures.
>
> Kind Regards,
> Kevin Ross
>
> alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Nslookup Command in SMB Traffic - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"nslookup"; nocase; distance:0; classtype:bad-unknown; sid:124111; rev:1;)
>
> alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Nslookup Command in SMB Traffic - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|n|00|s|00|l|00|o|00|o|00|k|00|u|00|p|00|"; nocase; distance:0; classtype:bad-unknown; sid:124112; rev:1;)
>
> alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Ipconfig Command in SMB Traffic - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"ipconfig"; nocase; distance:0; classtype:bad-unknown; sid:124113; rev:1;)
>
> alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Ipconfig Command in SMB Traffic - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|i|00|p|00|c|00|o|00|n|00|f|00|i|00|g|00|"; nocase; distance:0; classtype:bad-unknown; sid:124114; rev:1;)
>
> alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Net View Command in SMB Traffic - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"net"; nocase; distance:0; content:"view"; nocase; within:9; classtype:bad-unknown; sid:124115; rev:1;)
>
> alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Net View Command in SMB Traffic - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|n|00|e|00|t|00|"; nocase; distance:0; fast_pattern; content:"|00|v|00|i|00|e|00|w|00|"; nocase; within:19; classtype:bad-unknown; sid:124116; rev:1;)
>
> alert tcp any any -> $HOME_NET any (msg:"ET NETBIOS DCERPC DCOM ExecuteShellCommand Call - Likely Lateral Movement"; flow:established,to_server; content:"|00|E|00|x|00|e|00|c|00|u|00|t|00|e|00|S|00|h|00|e|00|l|00|l|00|C|00|o|00|m|00|m|00|a|00|n|00|d|00|"; classtype:bad-unknown; reference:url,enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/; reference:url,enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/; reference:url,attack.mitre.org/techniques/T1175/; sid:124118; rev:1;)
>
> alert tcp any any -> $HOME_NET any (msg:"ET NETBIOS DCERPC DCOM ShellExecute - Likely Lateral Movement"; flow:established,to_server; content:"|00|S|00|h|00|e|00|l|00|l|00|E|00|x|00|e|00|c|00|u|00|t|00|e|00|"; classtype:bad-unknown; reference:url,enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/; reference:url,enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/; reference:url,attack.mitre.org/techniques/T1175/; sid:124120; rev:1;)
>
> alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Executable Transfer in SMB"; flow:established,to_server; content:"SMB"; depth:8; content:"MZ"; distance:0; content:"This program "; distance:0; content:"PE|00 00|"; distance:0; classtype:bad-unknown; sid:156611; rev:1;)
>
> # These are not mine. They are from Fireeye www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html. Necessary to detect the RDP tunneling technique. Still worth including if OK to do so.
>
> alert tcp any [21,22,23,25,53,80,443,8080] -> any !3389 (msg:"ET POLICY Tunneled RDP msts Handshake"; dsize:<65; content:"|03 00 00|"; depth:3; content:"|e0|"; distance:2; within:1; content:"Cookie: mstshash="; distance:5; within:17; classtype:bad-unknown; reference:url,www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html; sid:911111; rev:1;)
>
> alert tcp any [21,22,23,25,53,80,443,8080] -> any !3389 (msg:"ET POLICY Tunneled RDP Handshake"; flow:established; content:"|c0 00|Duca"; depth:250; content:"rdpdr"; content:"cliprdr"; classtype:bad-unknown; reference:url,www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html; sid:911112; rev:1;)

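The two rule families above encode byte offsets that are easy to misread: the FireEye RDP rule pins 0xe0 to byte 5 and "Cookie: mstshash=" to byte 11 of a TPKT/X.224 Connection Request, and the SMB command rules carry a leading |00| so the UTF-16LE form only matches when the command follows another character. The following is an added example, not code from the thread or from Emerging Threats or FireEye: it builds constructed (not captured) sample payloads and re-implements the content/depth/distance/within checks of sids 911111 and 124111-124114 in Python so a rule author can confirm what each offset assumes. The port-based part of the rules (non-3389 destination ports, port 445) is not modeled.

```python
import struct

# Constructed sample builders (not real captures) shaped like the traffic the rules describe.
def build_x224_connection_request(username: str) -> bytes:
    """TPKT + X.224 Connection Request carrying the mstshash cookie an RDP client sends first."""
    cookie = b"Cookie: mstshash=" + username.encode("ascii") + b"\r\n"
    # CR TPDU body: type 0xe0, dst-ref(2), src-ref(2), class option(1), then the cookie
    x224 = b"\xe0" + b"\x00\x00" + b"\x00\x00" + b"\x00" + cookie
    li = len(x224)                                # X.224 length indicator byte
    tpkt = struct.pack(">BBH", 3, 0, 4 + 1 + li)  # version 3, reserved, total length
    return tpkt + bytes([li]) + x224

def build_smb2_payload(command_line: str) -> bytes:
    """NetBIOS session header + zeroed SMB2 header + a UTF-16LE command line as data."""
    smb2_header = b"\xfeSMB" + b"\x00" * 60
    data = command_line.encode("utf-16-le")
    return struct.pack(">I", len(smb2_header) + len(data)) + smb2_header + data

def matches_tunneled_rdp_handshake(payload: bytes) -> bool:
    """Payload checks of sid 911111: dsize:<65; |03 00 00| depth:3; |e0| distance:2 within:1;
    'Cookie: mstshash=' distance:5 within:17."""
    if len(payload) >= 65 or payload[:3] != b"\x03\x00\x00":
        return False
    # cursor is at 3 after the TPKT match; distance:2 moves it to 5, within:1 pins that byte
    if payload[5:6] != b"\xe0":
        return False
    # cursor at 6; distance:5 -> 11; a 17-byte token with within:17 must start exactly there
    return payload[11:28] == b"Cookie: mstshash="

def matches_smb_command(payload: bytes, command: str) -> bool:
    """SMB command rules: 'SMB' in the first 8 bytes, then the command after it as ASCII
    (sids 124111/124113) or in the |00|-led UTF-16LE form (sids 124112/124114), nocase."""
    idx = payload[:8].find(b"SMB")
    if idx < 0:
        return False
    rest = payload[idx + 3:].lower()   # nocase: bytes.lower() folds ASCII letters only
    ascii_form = command.lower().encode("ascii")
    # the leading |00| in the rule is the high byte of whatever character precedes the command
    utf16_form = b"\x00" + command.lower().encode("utf-16-le")
    return ascii_form in rest or utf16_form in rest

if __name__ == "__main__":
    print(matches_tunneled_rdp_handshake(build_x224_connection_request("lab-admin")))   # True
    print(matches_smb_command(build_smb2_payload("cmd /c Nslookup dc01"), "nslookup"))  # True
    print(matches_smb_command(build_smb2_payload("cmd /c ipconfig /all"), "nslookup"))  # False
```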