[Emerging-Sigs] New C2 Framework NorthStar Rules

hasan ekin dumanogullari ekinduman73 at gmail.com
Mon May 18 15:22:01 HDT 2020


Greetings!

A friend of mine recently released a new open-source command & control
framework named "NorthStar", so I wanted to be the first one to submit new
rules :)

These rules should be enough for hunting default installations of NorthStar
C2.
You can learn more about the architecture here:
https://github.com/EnginDemirbilek/NorthStarC2/wiki/Architecture

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible Compromise, NorthStar C2 Connection"; flow:established,to_server; content:"POST"; http_method; content:"/getjuice.php"; http_uri; classtype:trojan-activity; sid:x; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible Compromise, NorthStar C2 Connection"; flow:established,to_server; content:"POST"; http_method; content:"/smanage.php"; http_uri; classtype:trojan-activity; sid:100000001; rev:1;)

When the stager receives commands from the server it returns output to
http://c2server/smanage.php

If that command is downloading a file from the compromised machine, then a
POST request is made to http://c2server/getjuice.php


A pcap is also included. NorthStar C2 only communicates via HTTP or HTTPS,
so I strongly suggest using the http.request filter in Wireshark.

192.168.0.24 -> C2 Machine
192.168.0.26 -> Victim computer

This is my first time submitting so sorry for the issues :)

Author : Hasan Ekin Dumanoğulları
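The following is an added example, not part of the post above and not code from the NorthStar project or Emerging Threats. It shows what the two rules actually test when a request passes through the engine: the flow must be client-to-server, the http_method buffer must contain "POST", and the http_uri buffer must contain the path. A tiny rule parser applies those three checks to constructed HTTP requests, so you can see why a GET to /smanage.php or a POST to an unrelated path produces no alert. The sid on the getjuice rule (9000001) is a placeholder chosen here, because the post leaves it unassigned; the smanage sid is the one from the post. The sample requests are constructed, not taken from the attached pcap.

```python
import re

# The two rules from the post, with their syntax normalised. The getjuice
# sid is a placeholder (the post used "x"); 100000001 is from the post.
RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible Compromise, '
    'NorthStar C2 Connection"; flow:established,to_server; content:"POST"; '
    'http_method; content:"/getjuice.php"; http_uri; classtype:trojan-activity; '
    'sid:9000001; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible Compromise, '
    'NorthStar C2 Connection"; flow:established,to_server; content:"POST"; '
    'http_method; content:"/smanage.php"; http_uri; classtype:trojan-activity; '
    'sid:100000001; rev:1;)',
]

RULE_HEADER = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$')
# One option: key, optional value (quoted or bare), terminating semicolon.
OPTION = re.compile(r'\s*(?P<key>\w+)(?::(?P<val>"[^"]*"|[^;]*))?;')


def parse_rule(text):
    """Reduce a rule to the parts that decide a match: flow keywords, msg,
    sid, and each content pattern together with the buffer it applies to."""
    m = RULE_HEADER.match(text)
    if not m:
        raise ValueError("malformed rule header: " + text[:60])
    rule = {"msg": None, "sid": None, "flow": set(), "contents": []}
    pending = None  # most recent content, until a buffer modifier claims it
    for o in OPTION.finditer(m.group("opts")):
        key, val = o.group("key"), o.group("val")
        if val and val.startswith('"'):
            val = val[1:-1]
        if key == "msg":
            rule["msg"] = val
        elif key == "sid":
            rule["sid"] = val
        elif key == "flow":
            rule["flow"] = set(val.split(","))
        elif key == "content":
            # Legacy modifier syntax: a content defaults to the raw payload
            # until http_method / http_uri following it moves it to a buffer.
            pending = {"buffer": "payload", "pattern": val}
            rule["contents"].append(pending)
        elif key in ("http_method", "http_uri") and pending is not None:
            pending["buffer"] = key
            pending = None
    return rule


def rule_matches(rule, req):
    """req has method, uri, to_server (bool) and raw (full request text).
    content is a case-sensitive substring test, as it is without nocase."""
    if "to_server" in rule["flow"] and not req["to_server"]:
        return False
    buffers = {"http_method": req["method"], "http_uri": req["uri"],
               "payload": req["raw"]}
    return all(c["pattern"] in buffers[c["buffer"]] for c in rule["contents"])


def scan(requests, rules=RULES):
    """Return (uri, sid) for every request that fires a rule."""
    parsed = [parse_rule(r) for r in rules]
    return [(req["uri"], rule["sid"])
            for req in requests for rule in parsed if rule_matches(rule, req)]


def _req(method, uri, to_server=True):
    raw = f"{method} {uri} HTTP/1.1\r\nHost: c2server\r\n\r\n"
    return {"method": method, "uri": uri, "to_server": to_server, "raw": raw}


# Constructed traffic: two NorthStar-shaped requests, one with the wrong
# method, one to an unrelated path. Only the first two should alert.
SAMPLE_REQUESTS = [
    _req("POST", "/smanage.php"),    # stager returning command output
    _req("POST", "/getjuice.php"),   # stager uploading a file
    _req("GET", "/smanage.php"),     # http_method buffer lacks "POST"
    _req("POST", "/index.php"),      # http_uri buffer lacks either path
]

if __name__ == "__main__":
    for uri, sid in scan(SAMPLE_REQUESTS):
        print(f"alert sid {sid} on {uri}")
```

Because content on http_uri is a substring test, a request to /smanage.php?x=1 would still alert, while a path such as /SMANAGE.PHP would not unless nocase were added; the function mirrors both behaviours.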
-------------- next part --------------
A non-text attachment was scrubbed...
Name: northc2.pcap
Type: application/octet-stream
Size: 361845 bytes
Desc: not available
URL: <http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20200519/6d935b95/attachment-0001.obj>