[Emerging-Sigs] Patchwork APT signature

James Emery-Callcott jcallcott at emergingthreats.net
Thu Oct 31 11:31:45 HDT 2019


Slight correction to my Suricata 5 rule.  http.request_body; can also be
used to replace http_client_body; as a sticky buffer, functioning the same
as http.uri; and http.method;.

On Thu, Oct 31, 2019 at 5:44 PM Tushar Bhatia <tushar1988 at gmail.com> wrote:

> Thanks for the feedback! Agree with the suggested changes. Regarding
> specific positional conditions on 'r1=', I based it on the pcap I had and
> the description in the referenced report "ddager = Is startup registry key
> added (Bool)". I'm totally fine with loosening the criteria to "distance:0"
> though. It should not make the rule more FP-prone with the pretty unique
> "ddager" match.
>
> On Oct 31, 2019, at 6:04 PM, James Emery-Callcott <
> jcallcott at emergingthreats.net> wrote:
>
> Hey,
>
> Thanks for the submission, I hope you enjoyed the threat hunting class!
>
> It looks like we have coverage for this activity however it's in the ETPRO
> ruleset, I'll have them moved to OPEN today.
>
> As for the signature, I only have a couple of things to pick out.  First
> up, we should throw a fast_pattern; in there to boost signature
> performance, the 'ddager=' content seems reliable in this case.  Second,
> the 'r1=' content has some very specific positional conditions which could
> (potentially) cause FNs in the future.  I haven't looked at the samples
> responsible for this traffic but if the value of 'ddager' is more than 1
> byte, we'd see misses on the signature.  If all of the samples analyzed
> only have 'ddager' as accepting a 1 byte value, then I'd say it's fine.
>
> Also going to give a Suricata 5.0 push here with the translated signature:
>
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Patchwork APT C2 Communication Detected"; flow:established,to_server; content:"ddager="; http_client_body; startswith; fast_pattern; content:"|26|r1="; http_client_body; distance:1; within:4; content:"|26|r2="; http_client_body; distance:0; content:"|26|r3="; http_client_body; distance:0; http.method; content:"POST"; http.uri; content:"|3F|profile="; classtype:command-and-control; reference:url,https://cymmetria.com/research/patchwork-targeted-attack/; metadata:protocols http, protocols tcp, malware post-infection, infected src_ip, hostile dest_ip, attack_target client, priority high, cwe_id 506; rev:1; sid:1000001;)
>
>
>    - Category switched from 'TROJAN' to 'MALWARE' to reflect category
>    changes here at ET.
>    - Classtype changed to 'command-and-control'.
>    - 'http.method;' sticky buffer used in place of 'http_method;'.
>    - 'http.uri;' sticky buffer used in place of 'http_uri;'.
>    - 'startswith;' in place of 'depth:7;'.
>
>
> Thanks again!  I look forward to your future contributions.
>
> On Thu, Oct 31, 2019 at 9:27 AM Tushar Bhatia <tushar1988 at gmail.com>
> wrote:
>
>> Hi
>>
>> During the Suricon Threat Hunting class earlier this week, I wrote the
>> signature below for Cymmetria's Patchwork APT research:
>> https://cymmetria.com/research/patchwork-targeted-attack/ . Travis
>> suggested submitting the rule here. It's my first submission so would
>> welcome any feedback. Thanks!
>>
>> I've added some metadata tags based on BETTER schema docs here:
>> http://better-schema.readthedocs.io/
>>
>>
>> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Patchwork APT C2 Communication Detected"; flow:established,to_server; content:"POST"; http_method; content:"|3F|profile="; http_uri; content:"ddager="; http_client_body; depth:7; content:"|26|r1="; http_client_body; distance:1; within:4; content:"|26|r2="; http_client_body; distance:0; content:"|26|r3="; http_client_body; distance:0; classtype:trojan-activity; reference:url,https://cymmetria.com/research/patchwork-targeted-attack/; metadata:protocols http, protocols tcp, malware post-infection, infected src_ip, hostile dest_ip, attack_target client, priority high, cwe_id 506; rev:1; sid:1000001;)
>>
>> -Tushar Bhatia
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at lists.emergingthreats.net
>> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>> http://www.emergingthreats.net
>>
>>
>
> --
> ---------------------------------------
>
> James Emery-Callcott
> Security Researcher | ProofPoint Inc | Emerging Threats Team
>
>
>
>

-- 
---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team
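Added example (not part of the thread, and not ET's or Suricata's code): a small Python model of the relative content matching the two rule versions rely on, run over constructed request bodies. It is here to make the FN concern above concrete: with distance:1; within:4, the 4-byte "&r1=" has exactly one place it can land, so any ddager value longer than one byte is a miss, while the loosened distance:0 version still matches. The window semantics are an assumption modelled on Suricata's behaviour (a content with distance:D; within:W must start at or after prev_end + D and end at or before prev_end + D + W); the sample bodies and URIs are constructed, not captured traffic.

```python
# Added example: model of Suricata relative content matching
# (startswith / distance / within), applied to the Patchwork C2 rule.
# Assumption: window semantics as in Suricata, where distance:D; within:W
# means start >= prev_end + D and end <= prev_end + D + W.
from typing import List, Optional, Tuple

# (content, distance, within, startswith)
Term = Tuple[bytes, Optional[int], Optional[int], bool]


def match_body(body: bytes, terms: List[Term]) -> bool:
    """Evaluate an ordered list of body content matches, each relative
    to the end of the previous match, the way Suricata chains them."""
    prev_end = 0
    for content, distance, within, startswith in terms:
        if startswith:  # equivalent to depth:len(content) on the first content
            if not body.startswith(content):
                return False
            prev_end = len(content)
            continue
        lo = prev_end + (distance or 0)
        hi = len(body)
        if within is not None:
            hi = min(hi, prev_end + (distance or 0) + within)
        # bytes.find(sub, lo, hi) only reports matches fully inside [lo, hi)
        pos = body.find(content, lo, hi)
        if pos == -1:
            return False
        prev_end = pos + len(content)
    return True


def matches_rule(method: bytes, uri: bytes, body: bytes,
                 body_terms: List[Term]) -> bool:
    """http.method POST, http.uri containing '?profile=', plus the body chain."""
    return method == b"POST" and b"?profile=" in uri and match_body(body, body_terms)


# Body chain as posted: startswith; then &r1= with distance:1; within:4.
STRICT: List[Term] = [
    (b"ddager=", None, None, True),
    (b"&r1=", 1, 4, False),
    (b"&r2=", 0, None, False),
    (b"&r3=", 0, None, False),
]

# Loosened chain discussed in the thread: &r1= with distance:0 only.
LOOSE: List[Term] = [
    (b"ddager=", None, None, True),
    (b"&r1=", 0, None, False),
    (b"&r2=", 0, None, False),
    (b"&r3=", 0, None, False),
]

# Constructed requests (method, uri, body); not real Patchwork traffic.
SAMPLES = [
    (b"POST", b"/index.php?profile=x", b"ddager=1&r1=0&r2=0&r3=0"),     # 1-byte bool
    (b"POST", b"/index.php?profile=x", b"ddager=true&r1=0&r2=0&r3=0"),  # multi-byte bool
    (b"POST", b"/index.php?profile=x", b"r1=0&ddager=1&r2=0&r3=0"),     # not at body start
    (b"GET",  b"/index.php?profile=x", b""),                            # wrong method
]


def evaluate(body_terms: List[Term]) -> List[bool]:
    """Run one rule version over every sample; returns one verdict per sample."""
    return [matches_rule(m, u, b, body_terms) for m, u, b in SAMPLES]


if __name__ == "__main__":
    for name, terms in (("strict", STRICT), ("loose", LOOSE)):
        print(name, evaluate(terms))
```

The strict chain misses the second sample only because within is counted from the end of the previous match plus the distance, so within:4 leaves no slack for a 4-byte content; the loosened chain keeps the ordering of the four keys without pinning the length of the ddager value.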

