[Emerging-Sigs] Patchwork APT signature

Tushar Bhatia tushar1988 at gmail.com
Thu Oct 31 08:44:07 HDT 2019


Thanks for the feedback! Agree with the suggested changes. Regarding the specific positional conditions on 'r1=', I based it on the pcap I had and the description in the referenced report "ddager = Is startup registry key added (Bool)". I'm totally fine with loosening the criteria to "distance:0" though. It should not make the rule more FP-prone with the pretty unique "ddager" match.

> On Oct 31, 2019, at 6:04 PM, James Emery-Callcott <jcallcott at emergingthreats.net> wrote:
> 
> Hey,
> 
> Thanks for the submission, I hope you enjoyed the threat hunting class!
> 
> It looks like we have coverage for this activity; however, it's in the ETPRO ruleset. I'll have them moved to OPEN today.
> 
> As for the signature, I only have a couple of things to pick out.  First up, we should throw a fast_pattern; in there to boost signature performance, the 'ddager=' content seems reliable in this case.  Second, the 'r1=' content has some very specific positional conditions which could (potentially) cause FNs in the future.  I haven't looked at the samples responsible for this traffic but if the value of 'ddager' is more than 1 byte, we'd see misses on the signature.  If all of the samples analyzed only have 'ddager' as accepting a 1 byte value, then I'd say it's fine.
> 
> Also going to give a Suricata 5.0 push here with the translated signature:
> 
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Patchwork APT C2 Communication Detected"; flow:established,to_server; content:"ddager="; http_client_body; startswith; fast_pattern; content:"|26|r1="; http_client_body; distance:1; within:4; content:"|26|r2="; http_client_body; distance:0; content:"|26|r3="; http_client_body; distance:0; http.method; content:"POST"; http.uri; content:"|3F|profile="; classtype:command-and-control; reference:url,https://cymmetria.com/research/patchwork-targeted-attack/; metadata: protocols http, protocols tcp, malware post-infection, infected src_ip, hostile dest_ip, attack_target client, priority high, cwe_id 506; rev: 1; sid: 1000001;)
> 
> Category switched from 'TROJAN' to 'MALWARE' to reflect category changes here at ET.
> Classtype changed to 'command-and-control'.
> 'http.method;' sticky buffer used in place of 'http_method;'.
> 'http.uri;' sticky buffer used in place of 'http_uri;'.
> 'startswith;' in place of 'depth:7;'.
> 
> Thanks again!  I look forward to your future contributions.
> 
> On Thu, Oct 31, 2019 at 9:27 AM Tushar Bhatia <tushar1988 at gmail.com> wrote:
> Hi
> 
> During the Suricon Threat Hunting class earlier this week, I wrote the signature below for Cymmetria's Patchwork APT research: https://cymmetria.com/research/patchwork-targeted-attack/ . Travis suggested submitting the rule here. It's my first submission, so I would welcome any feedback. Thanks!
> 
> I've added some metadata tags based on the BETTER schema docs here: http://better-schema.readthedocs.io/
> 
> 
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "ET TROJAN Patchwork APT C2 Communication Detected"; flow: established, to_server; content: "POST"; http_method; content: "|3F|profile="; http_uri; content: "ddager="; http_client_body; depth: 7; content: "|26|r1="; http_client_body; distance: 1; within: 4; content: "|26|r2="; http_client_body; distance: 0; content: "|26|r3="; http_client_body; distance: 0; classtype:trojan-activity; reference:url,https://cymmetria.com/research/patchwork-targeted-attack/; metadata: protocols http, protocols tcp, malware post-infection, infected src_ip, hostile dest_ip, attack_target client, priority high, cwe_id 506; rev: 1; sid: 1000001;)
> 
> -Tushar Bhatia
> 
> 
> 
> -- 
> ---------------------------------------
> 
> James Emery-Callcott
> Security Researcher | ProofPoint Inc | Emerging Threats Team
> 
> 
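The thread's open question is whether `distance:1; within:4` on the `&r1=` content would miss a body in which `ddager` carries more than one byte, and whether `distance:0` fixes that without depending on anything but the `ddager=` anchor. The script below is an added example, not code from the Emerging Threats list or from the rule's author: it is a deliberately simplified model of Suricata's `startswith`/`depth`, `distance` and `within` content modifiers (the first content is absolute, each later content is searched from the end of the previous match plus `distance`, and `within` bounds the search window from that point), applied to constructed POST bodies rather than captured traffic.

```python
"""Compare the submitted rule's positional 'r1=' constraint with the loosened
'distance:0' form against constructed http_client_body samples.

Added example; the matcher is a simplified model of Suricata semantics,
not Suricata's own engine.
"""


def match_chain(buf: bytes, chain) -> bool:
    """Evaluate an ordered list of content matches against buf.

    Each chain entry is a dict with 'content' (bytes) and optional keys:
    'startswith' / 'depth' for the first (absolute) content, and
    'distance' / 'within' for later contents, which are relative to the end
    of the previous match. Returns True only if every content matches.
    """
    cursor = 0  # end offset of the previous match
    for i, item in enumerate(chain):
        pat = item["content"]
        if i == 0:
            start = 0
            # startswith == the pattern must occupy offset 0 (depth equal to its length)
            end = len(pat) if item.get("startswith") else item.get("depth", len(buf))
        else:
            start = cursor + item.get("distance", 0)
            end = start + item["within"] if "within" in item else len(buf)
        pos = buf.find(pat, start, end)  # bytes.find honours the [start, end) window
        if pos < 0:
            return False
        cursor = pos + len(pat)
    return True


# Body checks as submitted: '&r1=' must begin exactly one byte after 'ddager='
# and fit inside the four bytes that follow, i.e. a one-byte ddager value.
STRICT_CHAIN = [
    {"content": b"ddager=", "startswith": True},
    {"content": b"&r1=", "distance": 1, "within": 4},
    {"content": b"&r2=", "distance": 0},
    {"content": b"&r3=", "distance": 0},
]

# Loosened form agreed in the thread: '&r1=' anywhere after 'ddager='.
LOOSE_CHAIN = [
    {"content": b"ddager=", "startswith": True},
    {"content": b"&r1=", "distance": 0},
    {"content": b"&r2=", "distance": 0},
    {"content": b"&r3=", "distance": 0},
]


def evaluate(body: bytes) -> dict:
    """Return the verdict of both chains for one request body."""
    return {
        "strict": match_chain(body, STRICT_CHAIN),
        "loose": match_chain(body, LOOSE_CHAIN),
    }


# Constructed sample bodies (not captured traffic), one per case of interest.
SAMPLES = {
    "one_byte_flag": b"ddager=1&r1=HOSTNAME&r2=USER&r3=WIN10",
    "two_byte_flag": b"ddager=10&r1=HOSTNAME&r2=USER&r3=WIN10",
    "not_at_start": b"profile=x&ddager=1&r1=HOSTNAME&r2=USER&r3=WIN10",
    "missing_r1": b"ddager=1&r2=USER&r3=WIN10",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:14s} {evaluate(body)}")
```

Running it shows the two chains agreeing on every body except `two_byte_flag`, where the strict chain misses because `&r1=` ends one byte past the `within:4` window; the loosened chain still rejects a body that does not start with `ddager=` or lacks `&r1=`, which is why dropping the positional constraint costs nothing in this model as long as `ddager=` stays the `startswith` anchor.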
