[Emerging-Sigs] Patchwork APT signature

James Emery-Callcott jcallcott at emergingthreats.net
Thu Oct 31 08:04:32 HDT 2019


Hey,

Thanks for the submission; I hope you enjoyed the threat hunting class!

It looks like we have coverage for this activity; however, it's in the ETPRO
ruleset. I'll have them moved to OPEN today.

As for the signature, I only have a couple of things to pick out.  First
up, we should throw a fast_pattern; in there to boost signature
performance; the 'ddager=' content seems reliable in this case.  Second,
the 'r1=' content has some very specific positional conditions which could
(potentially) cause FNs in the future.  I haven't looked at the samples
responsible for this traffic, but if the value of 'ddager' is more than 1
byte, we'd see misses on the signature.  If all of the samples analyzed
only have 'ddager' accepting a 1-byte value, then I'd say it's fine.

Also going to give a Suricata 5.0 push here with the translated signature:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Patchwork APT C2 Communication Detected"; \
  flow:established,to_server; \
  content:"ddager="; http_client_body; startswith; fast_pattern; \
  content:"|26|r1="; http_client_body; distance:1; within:4; \
  content:"|26|r2="; http_client_body; distance:0; \
  content:"|26|r3="; http_client_body; distance:0; \
  http.method; content:"POST"; \
  http.uri; content:"|3F|profile="; \
  classtype:command-and-control; \
  reference:url,https://cymmetria.com/research/patchwork-targeted-attack/; \
  metadata:protocols http, protocols tcp, malware post-infection, infected src_ip, hostile dest_ip, attack_target client, priority high, cwe_id 506; \
  rev:1; sid:1000001;)


   - Category switched from 'TROJAN' to 'MALWARE' to reflect category
   changes here at ET.
   - Classtype changed to 'command-and-control'.
   - 'http.method;' sticky buffer used in place of 'http_method;'.
   - 'http.uri;' sticky buffer used in place of 'http_uri;'.
   - 'startswith;' in place of 'depth:7;'.


Thanks again!  I look forward to your future contributions.

On Thu, Oct 31, 2019 at 9:27 AM Tushar Bhatia <tushar1988 at gmail.com> wrote:

> Hi
>
> During the Suricon Threat Hunting class earlier this week, I wrote the
> signature below for Cymmetria's Patchwork APT research:
> https://cymmetria.com/research/patchwork-targeted-attack/ . Travis
> suggested submitting the rule here. It's my first submission so would
> welcome any feedback. Thanks!
>
> I've added some metadata tags based on BETTER schema docs here:
> http://better-schema.readthedocs.io/
>
>
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Patchwork APT C2 Communication Detected"; \
>   flow:established,to_server; \
>   content:"POST"; http_method; \
>   content:"|3F|profile="; http_uri; \
>   content:"ddager="; http_client_body; depth:7; \
>   content:"|26|r1="; http_client_body; distance:1; within:4; \
>   content:"|26|r2="; http_client_body; distance:0; \
>   content:"|26|r3="; http_client_body; distance:0; \
>   classtype:trojan-activity; \
>   reference:url,https://cymmetria.com/research/patchwork-targeted-attack/; \
>   metadata:protocols http, protocols tcp, malware post-infection, infected src_ip, hostile dest_ip, attack_target client, priority high, cwe_id 506; \
>   rev:1; sid:1000001;)
>
> -Tushar Bhatia
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
>
>

-- 
---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team
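Editor's added example (not code from the thread, nor from Emerging Threats or Suricata): a small Python model of the http_client_body content chain in the rule above, written to make the positional point in the reply concrete. It models Suricata's content modifiers as I understand them (an assumption to verify against a real Suricata run): startswith pins the pattern to offset 0, depth:N requires the match to end within the first N bytes, distance:D starts the next search D bytes after the previous match, and within:W caps the search end at W bytes after the previous match, with within raised to at least distance + pattern length so that Snort-style "distance:D; within:len" rules keep their meaning. With those semantics, "distance:1; within:4" on "&r1=" leaves exactly one byte for the value of ddager, which is the FN risk named in the reply. The sample bodies are constructed, not captured traffic, and the "relaxed" chain (within:20, allowing a 1..16 byte value) is an illustrative re-tuning of my own, not something the thread proposed.

```python
"""Model of Suricata content / startswith / depth / distance / within
semantics, applied to the body-side checks of the Patchwork rule.

Assumptions (mine, not from the thread or Suricata's code):
  * first occurrence only; real Suricata also retries earlier matches,
    which does not change the outcome for the bodies below.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Content:
    pattern: bytes
    startswith: bool = False
    depth: Optional[int] = None
    distance: Optional[int] = None
    within: Optional[int] = None


def match_chain(buf: bytes, chain: list) -> bool:
    """True if every content in `chain` matches `buf` in order while
    honouring each content's positional modifiers."""
    prev_end = 0
    for c in chain:
        start, end = 0, len(buf)
        if c.startswith:
            end = min(end, len(c.pattern))        # must sit at offset 0
        if c.depth is not None:
            end = min(end, c.depth)              # must end within depth bytes
        if c.distance is not None or c.within is not None:
            dist = c.distance or 0
            start = prev_end + dist              # relative to previous match
            if c.within is not None:
                # assumption: within is raised to distance + len(pattern),
                # so "distance:1; within:4" on a 4-byte pattern means
                # "skip exactly 1 byte, then the pattern".
                within = max(c.within, dist + len(c.pattern))
                end = min(end, prev_end + within)
        if end - start < len(c.pattern):
            return False                         # window cannot fit pattern
        pos = buf.find(c.pattern, start, end)
        if pos < 0:
            return False
        prev_end = pos + len(c.pattern)
    return True


# Body-side checks exactly as in the rule posted in the thread.
SUBMITTED_BODY = [
    Content(b"ddager=", startswith=True),
    Content(b"&r1=", distance=1, within=4),
    Content(b"&r2=", distance=0),
    Content(b"&r3=", distance=0),
]

# Same chain with the original 'depth:7' instead of 'startswith'.
DEPTH7_BODY = [Content(b"ddager=", depth=7)] + SUBMITTED_BODY[1:]

# Illustrative relaxation (my assumption): allow a 1..16 byte ddager value.
RELAXED_BODY = [
    Content(b"ddager=", startswith=True),
    Content(b"&r1=", distance=1, within=20),
    Content(b"&r2=", distance=0),
    Content(b"&r3=", distance=0),
]

# Constructed sample POST bodies, not captured traffic.
BODIES = {
    "one_byte_value": b"ddager=1&r1=AAAA&r2=BBBB&r3=CCCC",
    "two_byte_value": b"ddager=12&r1=AAAA&r2=BBBB&r3=CCCC",
    "not_at_offset_0": b"x=1&ddager=1&r1=AAAA&r2=BBBB&r3=CCCC",
    "missing_r2": b"ddager=1&r1=AAAA&r3=CCCC",
}


def evaluate(body: bytes) -> dict:
    """Run one body through the three chains and report each verdict."""
    return {
        "submitted": match_chain(body, SUBMITTED_BODY),
        "depth7": match_chain(body, DEPTH7_BODY),
        "relaxed": match_chain(body, RELAXED_BODY),
    }


if __name__ == "__main__":
    for name, body in BODIES.items():
        print(f"{name:16} {evaluate(body)}")
```

The two-byte body is the case the reply warns about: the submitted chain (and its depth:7 twin, which behaves identically here) misses it, while the relaxed chain still fires. Before changing a live rule on the strength of this model, confirm the behaviour with Suricata itself, e.g. by replaying a pcap carrying such a body with `suricata -r <pcap> -S <rules file>` and checking fast.log.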