[Emerging-Sigs] Patchwork APT signature

Tushar Bhatia tushar1988 at gmail.com
Thu Oct 31 00:27:34 HDT 2019


During the Suricon Threat Hunting class earlier this week, I wrote the signature below for Cymmetria's Patchwork APT research: https://cymmetria.com/research/patchwork-targeted-attack/ . Travis suggested submitting the rule here. It's my first submission, so I would welcome any feedback. Thanks!

I've added some metadata tags based on BETTER schema docs here: http://better-schema.readthedocs.io/

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Patchwork APT C2 Communication Detected"; flow:established,to_server; content:"POST"; http_method; content:"|3F|profile="; http_uri; content:"ddager="; http_client_body; depth:7; content:"|26|r1="; http_client_body; distance:1; within:5; content:"|26|r2="; http_client_body; distance:0; content:"|26|r3="; http_client_body; distance:0; classtype:trojan-activity; reference:url,cymmetria.com/research/patchwork-targeted-attack/; metadata:protocols http, protocols tcp, malware post-infection, infected src_ip, hostile dest_ip, attack_target client, priority high, cwe_id 506; sid:1000001; rev:1;)

-Tushar Bhatia
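
As an added example (not part of the original post, nor Cymmetria's code): a small Python emulator of Suricata's depth/distance/within semantics for a chain of content matches on one buffer, run over constructed POST bodies to show which ones the rule's http_client_body chain accepts. It assumes the documented semantics that distance and within are both measured from the end of the previous match and that the whole content must fit inside that window, so a 4-byte content at distance 1 needs within of at least 5; it does not backtrack and does not model the http_method/http_uri parts.

```python
# Added example: emulate Suricata's depth / distance / within keywords for a
# chain of content matches on a single buffer (here the http_client_body).
# Assumed semantics (Suricata docs): distance and within are measured from the
# END of the previous match, and the content must fit entirely inside the
# window [prev_end + distance, prev_end + within). No backtracking over earlier
# matches, which is fine for a chain anchored at the buffer start by depth.

def match_chain(buf: bytes, chain) -> bool:
    """Return True if every content in the chain matches, in order."""
    prev_end = None
    for c in chain:
        pat = c["content"]
        if prev_end is None:                      # first, absolute content
            start, end = 0, min(len(buf), c.get("depth", len(buf)))
        else:                                     # relative to previous match
            start = prev_end + c.get("distance", 0)
            end = prev_end + c["within"] if "within" in c else len(buf)
        if end - start < len(pat):                # window too small to hold it
            return False
        idx = buf.find(pat, start, end)           # must lie fully inside window
        if idx == -1:
            return False
        prev_end = idx + len(pat)
    return True

# The body chain as posted: within:4 cannot hold a 4-byte content that starts
# 1 byte after the previous match, so this chain can never fire.
BODY_CHAIN_AS_POSTED = [
    {"content": b"ddager=", "depth": 7},
    {"content": b"&r1=", "distance": 1, "within": 4},
    {"content": b"&r2=", "distance": 0},
    {"content": b"&r3=", "distance": 0},
]
# Same chain with within:5 (= distance 1 + the 4 content bytes).
BODY_CHAIN_WITHIN_5 = [dict(c, within=5) if c["content"] == b"&r1=" else c
                       for c in BODY_CHAIN_AS_POSTED]

# Constructed sample bodies (not captured traffic).
SAMPLE_BODIES = {
    "one_byte_value":      b"ddager=1&r1=aaa&r2=bbb&r3=ccc",
    "two_byte_value":      b"ddager=12&r1=aaa&r2=bbb&r3=ccc",
    "not_at_body_start":   b"x=1&ddager=1&r1=aaa&r2=bbb&r3=ccc",
    "params_out_of_order": b"ddager=1&r1=aaa&r3=ccc&r2=bbb",
}

def evaluate(chain):
    """Map each sample body name to whether the chain matches it."""
    return {name: match_chain(body, chain) for name, body in SAMPLE_BODIES.items()}
```

Only the one-byte ddager value matches the within:5 chain; the two-byte value, a body not starting with ddager=, and out-of-order parameters are all rejected, and the as-posted chain matches nothing.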
