[Emerging-Sigs] New C2 Framework NorthStar Rules

Jason Taylor jastaylor at emergingthreats.net
Tue May 19 02:12:55 HDT 2020


Hi Hasan!

Thank you for the submission. We will take a look and get something
into QA for today.

JT

On Mon, May 18, 2020 at 8:22 PM hasan ekin dumanogullari
<ekinduman73 at gmail.com> wrote:
>
> Greetings!
>
> A friend of mine recently released a new open-source command & control framework named "NorthStar", so I wanted to be the first one to submit new rules :)
>
> These rules should be enough for hunting default installations of NorthStar C2.
> You can learn more about the architecture here:
> https://github.com/EnginDemirbilek/NorthStarC2/wiki/Architecture
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible Compromise, NorthStar C2 Connection"; flow:established,to_server; content:"POST"; http_method; content:"/getjuice.php"; http_uri; classtype:trojan-activity; sid:x; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible Compromise, NorthStar C2 Connection"; flow:established,to_server; content:"POST"; http_method; content:"/smanage.php"; http_uri; classtype:trojan-activity; sid:100000001; rev:1;)
>
> When the stager receives commands from the server it returns output to http://c2server/smanage.php
>
> If that command is downloading a file from the compromised machine, then a POST request is made to http://c2server/getjuice.php
>
>
> Also, a pcap is included.
> NorthStar C2 only communicates via HTTP or HTTPS, so I strongly suggest using the http.request filter in Wireshark.
>
> 192.168.0.24 -> C2 Machine
> 192.168.0.26 -> Victim computer
>
> This is my first time submitting so sorry for the issues :)
>
> Author : Hasan Ekin Dumanoğulları
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net
>
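As an added example (not part of the original thread, the submitted rules, or the NorthStar project), the snippet below applies the same match logic the two rules express with content/http_method/http_uri (method POST plus URI substring /smanage.php or /getjuice.php on client-to-server traffic) to a handful of constructed HTTP requests, the kind of sanity check one would run against the pcap before submitting. The sample requests, the 192.168.0.24/192.168.0.26 layout borrowed from the post, and the sid placeholder for the first rule (whose sid was left unset in the submission) are all assumptions of the example.

```python
import re

# The two submitted rules, reduced to what their content/http_method/http_uri
# keywords actually test. The first rule's sid was a placeholder in the
# submission, so a labelled placeholder is used here as well (assumption).
RULES = [
    {"msg": "Possible Compromise, NorthStar C2 Connection", "sid": "PLACEHOLDER_SID_1",
     "method": "POST", "uri": "/getjuice.php"},
    {"msg": "Possible Compromise, NorthStar C2 Connection", "sid": "100000001",
     "method": "POST", "uri": "/smanage.php"},
]

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")


def parse_request_line(raw: bytes):
    """Return (method, uri) from the first line of an HTTP request, or None
    if it is not a well-formed request line. Absolute-form targets
    (POST http://host/path) are reduced to the path component, which is
    roughly what the http_uri buffer holds after normalisation."""
    first = raw.split(b"\r\n", 1)[0].decode("ascii", errors="replace")
    m = REQUEST_LINE.match(first)
    if not m:
        return None
    method, target = m.groups()
    if "://" in target:
        rest = target.split("://", 1)[1]
        target = "/" + rest.split("/", 1)[1] if "/" in rest else "/"
    return method, target


def match_rules(raw: bytes):
    """Return the sids of every rule whose method and URI content both match.
    content is a substring test in the rule language, so /smanage.php?x=1
    triggers just like /smanage.php."""
    parsed = parse_request_line(raw)
    if parsed is None:
        return []
    method, uri = parsed
    return [r["sid"] for r in RULES if r["method"] == method and r["uri"] in uri]


# Constructed sample traffic in the layout of the submitted pcap
# (192.168.0.26 victim -> 192.168.0.24 C2). Request bodies omitted.
SAMPLES = [
    ("192.168.0.26", "192.168.0.24", b"POST /smanage.php HTTP/1.1\r\nHost: 192.168.0.24\r\n\r\n"),
    ("192.168.0.26", "192.168.0.24", b"POST /getjuice.php HTTP/1.1\r\nHost: 192.168.0.24\r\n\r\n"),
    ("192.168.0.26", "192.168.0.24", b"GET /smanage.php HTTP/1.1\r\nHost: 192.168.0.24\r\n\r\n"),
    ("192.168.0.26", "192.168.0.24", b"POST http://192.168.0.24/getjuice.php?x=1 HTTP/1.1\r\n\r\n"),
    ("192.168.0.26", "192.168.0.24", b"POST /index.php HTTP/1.1\r\nHost: 192.168.0.24\r\n\r\n"),
]


def scan(samples):
    """Run each sample through the rules; returns (src, dst, uri, sids) for hits only."""
    hits = []
    for src, dst, raw in samples:
        sids = match_rules(raw)
        if sids:
            hits.append((src, dst, parse_request_line(raw)[1], sids))
    return hits


if __name__ == "__main__":
    for src, dst, uri, sids in scan(SAMPLES):
        print(f"{src} -> {dst} {uri}: sid(s) {', '.join(sids)}")
```

Three of the five constructed requests fire: the GET to /smanage.php is dropped by the http_method test, /index.php by the http_uri test, and the absolute-form POST with a query string still matches because content is a substring check, which is also why a URI this short is worth pairing with the flow direction and, where possible, a more specific body or header match before it leaves QA.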

