[Emerging-Sigs] SIGS: More Lateral Movement

Kevin Ross kevross33 at googlemail.com
Thu Apr 11 06:55:21 HDT 2019


While I remember: FireEye mentioned some sigs in Appendix A of a doc for Triton.
Might be worth looking at them too. I haven't checked them out as I don't work in an
industrial environment, but they might help some.

https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html

On Thu, 11 Apr 2019, 15:43 Travis Green, <tgreen at emergingthreats.net> wrote:

> Thanks Kevin, we'll get these in QA and see about the FireEye sigs.
>
> -T
>
> On Thu, Apr 11, 2019 at 3:37 AM Kevin Ross via Emerging-sigs
> <emerging-sigs at lists.emergingthreats.net> wrote:
> >
> > Hi,
> >
> > Here are some more lateral movement signatures.
> >
> > Kind Regards,
> > Kevin Ross
> >
> > alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Nslookup Command in SMB Traffic - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"nslookup"; nocase; distance:0; classtype:bad-unknown; sid:124111; rev:1;)
> >
> > alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Nslookup Command in SMB Traffic - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|n|00|s|00|l|00|o|00|o|00|k|00|u|00|p|00|"; nocase; distance:0; classtype:bad-unknown; sid:124112; rev:1;)
> >
> > alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Ipconfig Command in SMB Traffic - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"ipconfig"; nocase; distance:0; classtype:bad-unknown; sid:124113; rev:1;)
> >
> > alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Ipconfig Command in SMB Traffic - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|i|00|p|00|c|00|o|00|n|00|f|00|i|00|g|00|"; nocase; distance:0; classtype:bad-unknown; sid:124114; rev:1;)
> >
> > alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Net View Command in SMB Traffic - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"net"; nocase; distance:0; content:"view"; nocase; within:9; classtype:bad-unknown; sid:124115; rev:1;)
> >
> > alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Net View Command in SMB Traffic - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|n|00|e|00|t|00|"; nocase; distance:0; fast_pattern; content:"|00|v|00|i|00|e|00|w|00|"; nocase; within:19; classtype:bad-unknown; sid:124116; rev:1;)
> >
> > alert tcp any any -> $HOME_NET any (msg:"ET NETBIOS DCERPC DCOM ExecuteShellCommand Call - Likely Lateral Movement"; flow:established,to_server; content:"|00|E|00|x|00|e|00|c|00|u|00|t|00|e|00|S|00|h|00|e|00|l|00|l|00|C|00|o|00|m|00|m|00|a|00|n|00|d|00|"; classtype:bad-unknown; reference:url,enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/; reference:url,enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/; reference:url,attack.mitre.org/techniques/T1175/; sid:124118; rev:1;)
> >
> > alert tcp any any -> $HOME_NET any (msg:"ET NETBIOS DCERPC DCOM ShellExecute - Likely Lateral Movement"; flow:established,to_server; content:"|00|S|00|h|00|e|00|l|00|l|00|E|00|x|00|e|00|c|00|u|00|t|00|e|00|"; classtype:bad-unknown; reference:url,enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/; reference:url,enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/; reference:url,attack.mitre.org/techniques/T1175/; sid:124120; rev:1;)
> >
> > alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Executable Transfer in SMB"; flow:established,to_server; content:"SMB"; depth:8; content:"MZ"; distance:0; content:"This program "; distance:0; content:"PE|00 00|"; distance:0; classtype:bad-unknown; sid:156611; rev:1;)
> >
> > # These are not mine. They are from FireEye:
> > www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html.
> > Necessary to detect the RDP tunneling technique. Still worth including if OK to
> > do so.
> >
> > alert tcp any [21,22,23,25,53,80,443,8080] -> any !3389 (msg:"ET POLICY Tunneled RDP msts Handshake"; dsize:<65; content:"|03 00 00|"; depth:3; content:"|e0|"; distance:2; within:1; content:"Cookie: mstshash="; distance:5; within:17; classtype:bad-unknown; reference:url,www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html; sid:911111; rev:1;)
> >
> > alert tcp any [21,22,23,25,53,80,443,8080] -> any !3389 (msg:"ET POLICY Tunneled RDP Handshake"; flow:established; content:"|c0 00|Duca"; depth:250; content:"rdpdr"; content:"cliprdr"; classtype:bad-unknown; reference:url,www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html; sid:911112; rev:1;)
>
>
> --
> PGP:
> travisgreen.net/tgreen at emergingthreats.net.asc
> travisgreen.net/travis at travisgreen.net.asc
>
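An added example, not from the thread or from FireEye: a minimal Suricata-style content matcher (depth / distance / within) run against a constructed RDP X.224 Connection Request, to show why the offsets in the "Tunneled RDP msts Handshake" rule above line up with the TPKT and X.224 headers, and why its dsize bound matters. The packet bytes and username are constructed here, not captured.

```python
# Constructed example: evaluate the FireEye "Tunneled RDP msts Handshake"
# rule's content checks against a synthetic RDP connection request.
import struct


def match_contents(payload: bytes, contents) -> bool:
    """Apply (pattern, depth, distance, within) checks in order.
    First content: must end within `depth` bytes of the payload start.
    Later contents: search starts `distance` bytes after the previous match
    end and the pattern must end within `within` bytes of that start
    (the semantics the rule's offsets rely on)."""
    cursor = None  # end offset of the previous match
    for pattern, depth, distance, within in contents:
        if cursor is None:
            start, end = 0, depth if depth is not None else len(payload)
        else:
            start = cursor + (distance or 0)
            end = start + within if within is not None else len(payload)
        idx = payload.find(pattern, start, end)
        if idx < 0:
            return False
        cursor = idx + len(pattern)
    return True


# Content checks transcribed from the rule quoted in the thread.
RDP_MSTS_RULE = [
    (b"\x03\x00\x00", 3, None, None),     # TPKT version 3, reserved 0, len hi byte 0
    (b"\xe0", None, 2, 1),                # X.224 CR code, after TPKT len + X.224 LI
    (b"Cookie: mstshash=", None, 5, 17),  # cookie after dst-ref, src-ref, class
]


def build_x224_connection_request(username: bytes) -> bytes:
    """Constructed TPKT + X.224 Connection Request with the mstshash cookie."""
    cookie = b"Cookie: mstshash=" + username + b"\r\n"
    neg_req = b"\x01\x00\x08\x00\x03\x00\x00\x00"  # RDP_NEG_REQ, type 1, length 8
    x224 = b"\xe0" + b"\x00" * 5 + cookie + neg_req  # CR code, refs, class, cookie
    x224 = bytes([len(x224)]) + x224                  # X.224 length indicator
    return b"\x03\x00" + struct.pack(">H", 4 + len(x224)) + x224


def rule_fires(payload: bytes) -> bool:
    """dsize:<65 plus the three content matches (port logic not modelled)."""
    return len(payload) < 65 and match_contents(payload, RDP_MSTS_RULE)
```

A request with a long cookie exceeds the dsize bound and is not matched even though the content checks still succeed, which is worth knowing when tuning this rule.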

