[Emerging-Sigs] PowDesk Signature

Jason Williams jwilliams at emergingthreats.net
Fri Jan 10 09:12:27 HST 2020


Thanks Travis!

Will make sure this gets in QA for today.

On Thu, Jan 9, 2020 at 4:41 PM Travis Green via Emerging-sigs <
emerging-sigs at lists.emergingthreats.net> wrote:

> Hey all, I was reading the excellent report by ClearSky on APT34's
> tool used to attack LANDesk users, and I noticed the HTTP patterns in
> the c2 would make a fairly simple and effective signature:
>
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"401TRG TROJAN PS/PowDesk Checkin (APT34)";
> flow:to_server,established;
> content:".php?devicename="; http_uri; fast_pattern;
> content:"&result="; http_uri;
> pcre:"/(?:Sucessful|Failed|Missing\x20CBA8|Missing\x20LANDesk\x20Agent)$/RU";
> reference:url,www.clearskysec.com/powdesk-apt34/;
> reference:md5,2de2e528991ac2d85aa8f12fce5351ad;
> classtype:trojan-activity; sid:7703963; rev:1;)
>
> more at https://www.clearskysec.com/powdesk-apt34/
>
> Cheers,
> -Travis
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
>
>
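The URI logic of the rule quoted above, reimplemented as an added example for this archive page (it is not part of Travis's post or of Emerging Threats' tooling). It approximates how the two `http_uri` content matches and the `/RU` pcre combine, so the rule's hits and misses can be exercised offline; the request lines, hostnames and paths are constructed, and the `normalize_uri` stand-in for Suricata's buffer normalization only percent-decodes.

```python
"""Approximate the URI checks of the quoted PowDesk check-in rule.

Added example, not code from the mailing-list post or from Suricata.
Only the http_uri content/pcre logic is modelled; flow state, HTTP
parsing and full buffer normalization are approximated.
"""
import re
from urllib.parse import unquote

# content anchors copied from the rule as posted
CONTENT_DEVICENAME = ".php?devicename="
CONTENT_RESULT = "&result="

# pcre from the rule. In Suricata, /U selects the normalized URI buffer and
# /R makes the match relative to the end of the previous content match, so
# the regex runs from just after "&result=" and $ pins it to the URI end.
RESULT_RE = re.compile(
    r"(?:Sucessful|Failed|Missing\x20CBA8|Missing\x20LANDesk\x20Agent)$"
)


def normalize_uri(raw_uri: str) -> str:
    """Stand-in for http_uri normalization: percent-decoding only.

    Assumption: this is the normalization step that matters here, because
    the \\x20 bytes in the pcre only match once %20 has been decoded.
    """
    return unquote(raw_uri)


def matches_powdesk_checkin(request_line: str) -> bool:
    """Return True if the request line's URI satisfies the rule's URI checks."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        return False  # not a well-formed "METHOD URI VERSION" request line
    uri = normalize_uri(parts[1])
    if CONTENT_DEVICENAME not in uri:
        return False  # fast_pattern content absent, rule never proceeds
    result_at = uri.find(CONTENT_RESULT)
    if result_at < 0:
        return False
    # /R: the regex search starts where the "&result=" match ended
    return RESULT_RE.search(uri, result_at + len(CONTENT_RESULT)) is not None


def triage(request_lines):
    """Run the matcher over request lines, returning only those that alert."""
    return [line for line in request_lines if matches_powdesk_checkin(line)]


# Constructed request lines for illustration; hostnames and paths are made up.
SAMPLE_REQUESTS = [
    "GET /update.php?devicename=WKSTN-01&result=Sucessful HTTP/1.1",
    "POST /status.php?devicename=SRV-09&result=Missing%20CBA8 HTTP/1.1",
    "GET /update.php?devicename=WKSTN-02&result=Missing%20LANDesk%20Agent HTTP/1.1",
    # trailing parameter: the $ anchor in the pcre fails
    "GET /update.php?devicename=WKSTN-03&result=Failed&ts=1578614400 HTTP/1.1",
    # first content keyword absent
    "GET /index.php?page=devicename&result=Failed HTTP/1.1",
    # spelled differently from the sample's string, so the pcre does not match
    "GET /update.php?devicename=WKSTN-04&result=Successful HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print("ALERT" if matches_powdesk_checkin(line) else "     ", line)
```

The three negative samples show where the rule's precision comes from: the `$` anchor means any extra parameter after the result value suppresses the alert, and the result strings are matched byte-for-byte as the report lists them, including the `Sucessful` spelling.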

