Snort/Suricata Additional C2/Post-Exploitation Ruleset
## Snort/Suricata Rules
## Provides additional detection of potential post-exploitation activity, lateral movement and C2 communication/beaconing.
##
## Reading notes for this ruleset:
##  - Every msg is prefixed "[EP]"; sids 9001001-9001008 sit in the local (>= 1000000) range.
##  - Several rules test a URI or header string with a plain `content` (no http_uri /
##    http_header modifier), so the string is matched anywhere in the inspected HTTP
##    payload, not only in the intended field. Restricting those matches to the proper
##    buffer would reduce false positives.
##  - A `pcre` that follows a `content; nocase;` pair is still case-sensitive unless it
##    carries the /i flag.
##  - Rules whose external side is "any" rather than $HTTP_PORTS inspect every flow the
##    engine classifies as HTTP, whatever the port.

# WinRM over HTTP: inbound POST to TCP/5985 (WinRM's default HTTP port) that contains
# "/wsman" (the WS-Management endpoint path). The content check is nocase; the pcre that
# follows repeats the same string case-sensitively and does not narrow the match.
alert http $EXTERNAL_NET any -> $HOME_NET 5985 (msg:"[EP] Windows Remote Management (WinRM)"; flow:established,to_server; content:"POST"; http_method; content:"/wsman"; nocase; pcre:"/\/wsman/"; classtype:policy-violation; sid:9001002; rev:1; metadata:created_at 2022_11_09, updated_at 2022_11_09;)
# WinRM client fingerprint: inbound POST to TCP/5985 whose User-Agent header is
# "Ruby WinRM Client" (the http_user_agent modifier limits the match to that header).
alert http $EXTERNAL_NET any -> $HOME_NET 5985 (msg:"[EP] WinRM Evil Client"; flow:established,to_server; content:"POST"; http_method; content:"Ruby WinRM Client"; nocase; http_user_agent; classtype:misc-attack; sid:9001003; rev:1; metadata:created_at 2022_11_09, updated_at 2022_11_09;)
# WinRM over HTTPS: inbound TLS to TCP/5986 (WinRM's default HTTPS port). |16 03 01| is a
# TLS record header: content type 0x16 (handshake) with record-layer version 3.1; the two
# stream_size checks require both client and server to have sent data. Classified as a
# policy violation: it fires on every matching TLS session to 5986, legitimate or not.
# A session whose first record carries a different record-layer version will not match.
alert tls $EXTERNAL_NET any -> $HOME_NET 5986 (msg:"[EP] Windows Remote Management (WinRM) over TLS"; flow:established,to_server; content:"|1603 01|"; fast_pattern; stream_size: client, >,0; stream_size: server, >,0; classtype:policy-violation; sid:9001004; rev:1; metadata:created_at 2022_11_10, updated_at 2022_11_10;)
# Outbound NTLM over HTTP: HOME_NET -> EXTERNAL_NET OPTIONS request carrying an
# "Authorization:" header that mentions NTLM. In the pcre, "[^\n]" consumes exactly one
# non-newline character and ".*" stays on that header line (dot excludes \n by default),
# so "NTLM" must appear on the same line as the header name.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[EP] NTLM over HTTP OPTIONS Request"; flow:established,to_server; content:"OPTIONS"; http_method; content:"Authorization\:"; nocase; pcre:"/Authorization\:[^\n].*NTLM.*/"; classtype:misc-attack; sid:9001008; rev:1; metadata:created_at 2022_11_16, updated_at 2022_11_16;)
# PowerShell web client: outbound GET to $HTTP_PORTS with "WindowsPowerShell" in the
# User-Agent line (the default UA of PowerShell's web cmdlets carries a
# "WindowsPowerShell/<version>" token). Unlike 9001005/9001006 this rule is limited to
# $HTTP_PORTS, so the same client on a non-standard port is not covered here.
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"[EP] Windows PowerShell Web Client"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n].*WindowsPowerShell.*/"; classtype:policy-violation; sid:9001001; rev:1; metadata:created_at 2022_11_08, updated_at 2022_11_08;)
# PowerShell Empire beaconing: outbound GET that carries a Cookie header and the string
# "/news.php" (one of the URIs in Empire's default HTTP listener profile). The Cookie
# content/pcre pair accepts any cookie value and only asserts the header is present; the
# URI string is not bound to the URI buffer. A listener with a customised profile will
# not match this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[EP] PowerShell Empire Beacon"; flow:established,to_server; content:"GET"; http_method; content:"Cookie\:"; nocase; pcre:"/Cookie\:[^\n].*/"; content:"/news.php"; nocase; classtype:misc-attack; sid:9001005; rev:1; metadata:created_at 2022_11_15, updated_at 2022_11_15;)
# PowerShell Empire: outbound POST with a Cookie header and the string "/admin/get.php"
# (another default Empire profile URI). Same caveats as 9001005.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[EP] PowerShell Empire Payload"; flow:established,to_server; content:"POST"; http_method; content:"Cookie\:"; nocase; pcre:"/Cookie\:[^\n].*/"; content:"/admin/get.php"; nocase; classtype:misc-attack; sid:9001006; rev:1; metadata:created_at 2022_11_15, updated_at 2022_11_15;)
# Disabled (commented out). mDNS: UDP 5353 -> 5353 whose first four bytes are
# 0x0000 0x8400, i.e. a DNS header with transaction ID 0 and flags QR=1 (response) and
# AA=1 (authoritative) - the shape of an mDNS response. NOTE(review): mDNS responses are
# routine on most LANs, so this is presumably disabled for volume; confirm before enabling.
#alert udp $HOME_NET 5353 -> any 5353 (msg:"[EP] Multicast DNS Query Response"; content:"|0000 8400|"; offset:0; depth:4; fast_pattern; classtype:policy-violation; sid:9001007; rev:1; metadata:created_at 2022_11_16, updated_at 2022_11_16;)