Snort/Suricata Additional C2/Post-Exploitation Ruleset
## Snort/Suricata Rules
## Provides additional detection of potential post-exploitation activity, lateral movement and C2 communication/beaconing.
##
## Reading notes for this ruleset:
##  - $HOME_NET, $EXTERNAL_NET and $HTTP_PORTS are sensor variables; each rule's coverage depends on how they are set.
##    The WinRM rules (sids 9001002-9001004) only watch $EXTERNAL_NET -> $HOME_NET, so WinRM between two $HOME_NET
##    hosts -- the usual lateral-movement path -- is only seen if $EXTERNAL_NET is configured to overlap $HOME_NET.
##  - sids 9001001-9001008 are above 1,000,000, the range conventionally reserved for local rules, so they do not
##    collide with vendor rulesets.
##  - Several rules pair a nocase content match with a pcre that carries no /i flag; the pcre then re-checks the same
##    string case-sensitively, so the nocase is effectively lost for mixed-case variants (called out per rule).
##  - Content matches that are not followed by a buffer keyword (http_uri, http_header, http_user_agent, ...) are not
##    pinned to one HTTP field and may match the same bytes elsewhere in the request.
##  - Rules keyed on a tool's default User-Agent or URI strings cover the default profile only; customised
##    profiles are not detected by them.

# sid 9001002 -- WinRM over plain HTTP (5985): POST to /wsman from outside $HOME_NET. classtype policy-violation.
# NOTE(review): the pcre /\/wsman/ repeats the content match but without /i, so "/WSMAN" passes the nocase content
# check and then fails the pcre. Neither match is bound to http_uri.
alert http $EXTERNAL_NET any -> $HOME_NET 5985 (msg:"[EP] Windows Remote Management (WinRM)"; flow:established,to_server; content:"POST"; http_method; content:"/wsman"; nocase; pcre:"/\/wsman/"; classtype:policy-violation; sid:9001002; rev:1; metadata:created_at 2022_11_09, updated_at 2022_11_09;)
# sid 9001003 -- Ruby WinRM client library on 5985, identified by its User-Agent; this is the only rule here that
# uses a dedicated buffer (http_user_agent), which is the tighter form. Default UA string only (see notes above).
alert http $EXTERNAL_NET any -> $HOME_NET 5985 (msg:"[EP] WinRM Evil Client"; flow:established,to_server; content:"POST"; http_method; content:"Ruby WinRM Client"; nocase; http_user_agent; classtype:misc-attack; sid:9001003; rev:1; metadata:created_at 2022_11_09, updated_at 2022_11_09;)
# sid 9001004 -- TLS on 5986 (WinRM over HTTPS). |16 03 01| is a TLS record header: handshake content type (0x16)
# with record-layer version 3.1; ClientHello records are commonly sent with that version field regardless of the
# protocol version later negotiated -- confirm against the clients on your network. The two stream_size checks
# require bytes in both directions, so a connection that never gets a server reply does not fire. Being a
# policy-violation rule it alerts on every matching session, not only hostile ones.
alert tls $EXTERNAL_NET any -> $HOME_NET 5986 (msg:"[EP] Windows Remote Management (WinRM) over TLS"; flow:established,to_server; content:"|1603 01|"; fast_pattern; stream_size: client, >,0; stream_size: server, >,0; classtype:policy-violation; sid:9001004; rev:1; metadata:created_at 2022_11_10, updated_at 2022_11_10;)
# sid 9001008 -- Outbound HTTP OPTIONS request carrying an NTLM Authorization header to any external port.
# Presumably the concern is NTLM credential material (challenge/response) leaving $HOME_NET towards an external
# HTTP host; treat hits as worth triage. NOTE(review): "Authorization:" is matched nocase but the pcre is
# case-sensitive, the trailing .* in the pcre is redundant, and the match is not bound to http_header.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[EP] NTLM over HTTP OPTIONS Request"; flow:established,to_server; content:"OPTIONS"; http_method; content:"Authorization\:"; nocase; pcre:"/Authorization\:[^\n].*NTLM.*/"; classtype:misc-attack; sid:9001008; rev:1; metadata:created_at 2022_11_16, updated_at 2022_11_16;)
# sid 9001001 -- Outbound GET whose User-Agent header contains "WindowsPowerShell" (this substring appears in the
# default UA of PowerShell's web cmdlets -- verify against the versions in use). Restricted to $HTTP_PORTS, unlike
# sids 9001005/9001006/9001008 which use any. NOTE(review): content:"WindowsPowerShell"; http_user_agent; as in
# sid 9001003 would be both tighter and case-consistent than the raw header pcre used here.
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"[EP] Windows PowerShell Web Client"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n].*WindowsPowerShell.*/"; classtype:policy-violation; sid:9001001; rev:1; metadata:created_at 2022_11_08, updated_at 2022_11_08;)
# sid 9001005 -- Empire-style HTTP beacon: GET to /news.php with a Cookie header. The pcre /Cookie\:[^\n].*/ only
# asserts that some character follows the header name, which the preceding content match already guarantees.
# "/news.php" is not bound to http_uri. Default listener profile only (see notes above).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[EP] PowerShell Empire Beacon"; flow:established,to_server; content:"GET"; http_method; content:"Cookie\:"; nocase; pcre:"/Cookie\:[^\n].*/"; content:"/news.php"; nocase; classtype:misc-attack; sid:9001005; rev:1; metadata:created_at 2022_11_15, updated_at 2022_11_15;)
# sid 9001006 -- Empire-style HTTP tasking/result POST to /admin/get.php with a Cookie header. Same caveats as
# sid 9001005: the Cookie pcre adds nothing over the content match, and the URI string is not bound to http_uri.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[EP] PowerShell Empire Payload"; flow:established,to_server; content:"POST"; http_method; content:"Cookie\:"; nocase; pcre:"/Cookie\:[^\n].*/"; content:"/admin/get.php"; nocase; classtype:misc-attack; sid:9001006; rev:1; metadata:created_at 2022_11_15, updated_at 2022_11_15;)
# sid 9001007 (disabled) -- mDNS response: UDP 5353 -> 5353 whose first four bytes are transaction ID 0x0000 and
# DNS flags 0x8400 (QR=1 response, AA=1 authoritative answer). Presumably left commented out because mDNS
# responses are routine on most LANs and the rule would be noisy; consider enabling it only on segments where
# mDNS is not expected.
#alert udp $HOME_NET 5353 -> any 5353 (msg:"[EP] Multicast DNS Query Response"; content:"|0000 8400|"; offset:0; depth:4; fast_pattern; classtype:policy-violation; sid:9001007; rev:1; metadata:created_at 2022_11_16, updated_at 2022_11_16;)