[Emerging-Sigs] New C2 Framework NorthStar Rules

Jason Taylor jastaylor at emergingthreats.net
Tue May 19 08:34:26 HDT 2020


Hi Hasan!

I just wanted to follow up and let you know that these are the rules
that we put in for QA and will go out with the rule push today.

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NORTHSTAR Client CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/smanage.php?sid="; startswith; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:url,github.com/EnginDemirbilek/NorthStarC2/; classtype:command-and-control; sid:11; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NORTHSTAR Client Data POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/getjuice.php"; bsize:13; fast_pattern; http.content_type; content:"multipart/form-data|3b| boundary=---------------------"; startswith; http.header; content:"|0d 0a|Expect|3a 20|100-continue|0d 0a|"; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:url,github.com/EnginDemirbilek/NorthStarC2/; classtype:trojan-activity; sid:12; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NORTHSTAR Interactive Client CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/interact.php?slave="; startswith; fast_pattern; content:"&sid="; distance:0; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.referer; content:"clients.php"; endswith; reference:url,github.com/EnginDemirbilek/NorthStarC2/; classtype:command-and-control; sid:13; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NORTHSTAR Command Sent to Client"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"setCommand.nonfunction.php"; fast_pattern; endswith; http.referer; content:"interact.php?slave="; content:"&sid="; distance:0; http.request_body; content:"slave="; startswith; content:"&command="; distance:0; content:"&sid="; distance:0; content:"&token="; distance:0; reference:url,github.com/EnginDemirbilek/NorthStarC2/; classtype:command-and-control; sid:14; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NORTHSTAR Command Response"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getresponse.php?slave="; startswith; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/R"; http.referer; content:"interact.php?slave="; content:"&sid="; distance:0; reference:url,github.com/EnginDemirbilek/NorthStarC2/; classtype:command-and-control; sid:15; rev:1;)

We basically just updated the signatures you sent over for Suricata
keywords (there are Snort versions of each of these rules as well; I
just picked the Suricata 5.x versions). We also found additional
signature opportunities in the pcap you sent over, so we added those
rules. We also made some minor performance-related tweaks so these
will run well across all the Suricata/Snort engines.

This was great work, thank you very much for submitting!

We always appreciate rule and pcap submissions. As always, feel free to
send any questions about signatures/pcap/etc. and we will do our best
to answer them!

JT

On Tue, May 19, 2020 at 7:12 AM Jason Taylor
<jastaylor at emergingthreats.net> wrote:
>
> Hi Hasan!
>
> Thank you for the submission. We will take a look and get something
> into QA for today.
>
> JT
>
> On Mon, May 18, 2020 at 8:22 PM hasan ekin dumanogullari
> <ekinduman73 at gmail.com> wrote:
> >
> > Greetings!
> >
> > A friend of mine recently released a new open-source command & control framework named "NorthStar", so I wanted to be the first one to submit new rules :)
> >
> > These rules should be enough for hunting default installations of NorthStar C2.
> > You can learn more about the architecture here:
> > https://github.com/EnginDemirbilek/NorthStarC2/wiki/Architecture
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible Compromise, NorthStar C2 Connection"; flow:established,to_server; content:"POST"; http_method; content:"/getjuice.php"; http_uri; classtype:trojan-activity; sid:x; rev:1;)
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible Compromise, NorthStar C2 Connection"; flow:established,to_server; content:"POST"; http_method; content:"/smanage.php"; http_uri; classtype:trojan-activity; sid:100000001; rev:1;)
> >
> > When the stager receives commands from the server it returns output to http://c2server/smanage.php
> >
> > If that command is downloading a file from the compromised machine, then a POST request is made to http://c2server/getjuice.php
> >
> >
> > Also, a pcap is included. NorthStar C2 only communicates via HTTP or HTTPS, so I strongly suggest using the http.request filter in Wireshark.
> >
> > 192.168.0.24 -> C2 Machine
> > 192.168.0.26 -> Victim computer
> >
> > This is my first time submitting so sorry for the issues :)
> >
> > Author: Hasan Ekin Dumanoğulları
> > _______________________________________________
> > Emerging-sigs mailing list
> > Emerging-sigs at lists.emergingthreats.net
> > https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >
> > Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net
> >
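The check-in and data-POST rules in the thread (sids 11 and 12) replayed in Python, as an added example that is not part of the thread or of the NorthStar project: each function mirrors one rule's clauses (method, URI anchoring, the base64 pcre, the content-type prefix, the Expect header, and the absent Referer/User-Agent header names) over constructed HTTP requests, so a reader can see exactly which condition a request fails. The sample requests and the host name are constructed, not taken from the submitted pcap.

```python
import re

# Same base64 expression as the pcre in the smanage.php rule (sid 11), anchored to the full value.
B64_RE = re.compile(r"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$")
DEFAULT_CTYPE = "multipart/form-data; boundary=---------------------"  # prefix from sid 12

def parse_request(raw):
    """Split a raw HTTP/1.1 request head into (method, uri, header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()   # header names kept case-sensitive, like the rule's content match
    return method, uri, headers

def match_checkin(raw):
    """Mirror of sid 11: GET /smanage.php?sid=<base64> with no Referer and no User-Agent header."""
    method, uri, headers = parse_request(raw)
    prefix = "/smanage.php?sid="                 # content + startswith
    if method != "GET" or not uri.startswith(prefix):
        return False
    if not B64_RE.match(uri[len(prefix):]):      # pcre with /R: relative to the end of the prefix
        return False
    return "Referer" not in headers and "User-Agent" not in headers   # negated http.header_names

def match_data_post(raw):
    """Mirror of sid 12: POST to exactly /getjuice.php with the default boundary and Expect header."""
    method, uri, headers = parse_request(raw)
    if method != "POST" or uri != "/getjuice.php":   # bsize:13 makes the URI match exact
        return False
    if not headers.get("Content-Type", "").startswith(DEFAULT_CTYPE):
        return False
    if headers.get("Expect") != "100-continue":      # "|0d 0a|Expect|3a 20|100-continue|0d 0a|"
        return False
    return "Referer" not in headers and "User-Agent" not in headers

# Constructed sample requests (hypothetical host, not from the pcap in the thread).
CHECKIN = ("GET /smanage.php?sid=dGVzdA== HTTP/1.1\r\nHost: c2.example.invalid\r\n"
           "Connection: Keep-Alive\r\n\r\n")
BROWSER = ("GET /smanage.php?sid=dGVzdA== HTTP/1.1\r\nHost: c2.example.invalid\r\n"
           "User-Agent: Mozilla/5.0\r\n\r\n")                 # same URI, but a User-Agent is present
UPLOAD = ("POST /getjuice.php HTTP/1.1\r\nHost: c2.example.invalid\r\n"
          "Content-Type: " + DEFAULT_CTYPE + "8d8\r\nExpect: 100-continue\r\n\r\n")

if __name__ == "__main__":
    print(match_checkin(CHECKIN), match_checkin(BROWSER), match_data_post(UPLOAD))
```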

