[Emerging-Sigs] PowDesk Signature

Travis Green travis.green at protectwise.com
Thu Jan 9 13:41:08 HST 2020


Hey all, I was reading the excellent report by ClearSky on APT34's
tool used to attack LANDesk users, and I noticed the HTTP patterns in
the C2 would make a fairly simple and effective signature:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"401TRG TROJAN PS/PowDesk Checkin (APT34)"; flow:to_server,established; content:".php?devicename="; http_uri; fast_pattern; content:"&result="; http_uri; pcre:"/(?:Sucessful|Failed|Missing\x20CBA8|Missing\x20LANDesk\x20Agent)$/RU"; reference:url,www.clearskysec.com/powdesk-apt34/; reference:md5,2de2e528991ac2d85aa8f12fce5351ad; classtype:trojan-activity; sid:7703963; rev:1;)

more at https://www.clearskysec.com/powdesk-apt34/

Cheers,
-Travis
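To show what the rule above actually keys on, here is an added example (not part of the original post and not ClearSky's or Travis's code) that replays the same logic in plain Python over a few constructed request URIs: both `content` strings must be present in the URI buffer (the `http_uri` modifier), and the `pcre` runs relative to the end of the `&result=` match (the `R` flag) and must reach the end of the URI (the `$` anchor). The URIs and device names are made up for the demo.

```python
import re

# The two content anchors and the pcre from the signature, copied as written
# (the "Sucessful" spelling is the rule's own, so it is kept here too).
DEVICENAME_CONTENT = ".php?devicename="
RESULT_CONTENT = "&result="
RESULT_PCRE = re.compile(
    r"(?:Sucessful|Failed|Missing\x20CBA8|Missing\x20LANDesk\x20Agent)$"
)

# Constructed sample URIs (not real traffic) to exercise the matching rules.
SAMPLE_URIS = [
    "/upload.php?devicename=WS-42&result=Sucessful",            # hit
    "/upload.php?devicename=WS-42&result=Missing CBA8",         # hit
    "/api.php?devicename=HOST1&result=Missing LANDesk Agent",   # hit
    "/upload.php?devicename=WS-42&result=Failed&extra=1",       # miss: '$' needs end of URI
    "/index.php?devicename=WS-42",                              # miss: no &result=
    "/status?devicename=x&result=Failed",                       # miss: no .php?devicename=
]


def matches_powdesk_checkin(uri: str) -> bool:
    """Emulate the rule's URI checks for one request URI."""
    # Neither content carries distance/within, so each is searched over the
    # whole URI buffer independently.
    if DEVICENAME_CONTENT not in uri:
        return False
    # The pcre is relative (R): it is tried from the end of a "&result="
    # match, and the trailing '$' means the value must run to the end.
    pos = uri.find(RESULT_CONTENT)
    while pos >= 0:
        remainder = uri[pos + len(RESULT_CONTENT):]
        if RESULT_PCRE.match(remainder):
            return True
        pos = uri.find(RESULT_CONTENT, pos + 1)
    return False


def scan_uris(uris):
    """Return the URIs that the signature logic would alert on."""
    return [u for u in uris if matches_powdesk_checkin(u)]


if __name__ == "__main__":
    for hit in scan_uris(SAMPLE_URIS):
        print("ALERT PowDesk checkin:", hit)
```

Note that the signature matches the literal space (`\x20`) in `Missing CBA8`; whether a percent-encoded `%20` also fires depends on the engine's URI normalization, which is worth checking against a pcap before relying on those two branches.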