Skip to content

Instantly share code, notes, and snippets.

@fox-srt
fox-srt / citrix-adc-version-hashes.csv
Last active Jan 31, 2023
Citrix ADC & Citrix Gateway version hashes
View citrix-adc-version-hashes.csv
rdx_en_date vhash version
2018-08-25 03:29:12 12.1-49.23
2018-10-16 17:54:20 12.1-49.37
2018-11-28 08:56:26 26df0e65fba681faaeb333058a8b28bf 12.1-50.28
2019-01-18 17:41:34 d3b5c691a4cfcc6769da8dc4e40f511d 12.1-50.31
2019-02-13 06:11:52 1ffe249eccc42133689c145dc37d6372
2019-02-27 09:30:02 995a76005c128f4e89474af12ac0de66 12.1-51.16
2019-03-25 22:37:08 d2bd166fed66cdf035a0778a09fd688c 12.1-51.19
2019-04-19 11:04:22 489cadbd8055b1198c9c7fa9d34921b9
2019-05-13 17:41:47 86b4b2567b05dff896aae46d6e0765bc 13.0-36.27
@fox-srt
fox-srt / log4shell-iocs.md
Last active Dec 15, 2021
Log4Shell Observed Listeners
View log4shell-iocs.md
# IP addresses and domains that have been observed in Log4j exploit attempts
134[.]209[.]26[.]39
199[.]217[.]117[.]92
pwn[.]af
188[.]120[.]246[.]215
kryptoslogic-cve-2021-44228[.]com
nijat[.]space
45[.]33[.]47[.]240
31[.]6[.]19[.]41
@fox-srt
fox-srt / log4shell-success.rules
Last active Apr 8, 2022
Suricata Coverage for Successful Log4Shell Exploitation (CVE-2021-44228)
View log4shell-success.rules
# Detects possible successful exploitation of Log4j
# JNDI LDAP/RMI Request to External
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"FOX-SRT - Exploit - Possible Rogue JNDI LDAP Bind to External Observed (CVE-2021-44228)"; flow:established, to_server; dsize:14; content:"|02 01 03 04 00 80 00|"; offset:7; isdataat:!1, relative; threshold:type limit, track by_src, count 1, seconds 3600; classtype:bad-unknown; priority:1; metadata:created_at 2021-12-11; sid:21003738; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"FOX-SRT - Exploit - Possible Rogue JRMI Request to External Observed (CVE-2021-44228)"; flow:established, to_server; content:"JRMI"; depth:4; threshold:type limit, track by_src, count 1, seconds 3600; classtype:bad-unknown; priority:1; reference:url, https://docs.oracle.com/javase/9/docs/specs/rmi/protocol.html; metadata:created_at 2021-12-11; sid:21003739; rev:1;)
# Detecting inbound java shortly after exploitation attempt
alert tcp any any -> $HOME_NET any (msg: "FOX-SRT - Expl
@fox-srt
fox-srt / log4shell-probes.rules
Created Dec 12, 2021
Suricata Coverage for common Log4Shell Probes (CVE-2021-44228)
View log4shell-probes.rules
# Possible successful interactsh probe
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"FOX-SRT - Webattack - Possible successful InteractSh probe observed"; flow:established, to_client; content:"200"; http_stat_code; content:"<html><head></head><body>"; http_server_body; fast_pattern; pcre:"/[a-z0-9]{30,36}<\/body><\/html>/QR"; threshold:type limit, track by_dst, count 1, seconds 3600; classtype:misc-attack; reference:url, github.com/projectdiscovery/interactsh; metadata:created_at 2021-12-05; metadata:ids suricata; priority:2; sid:21003712; rev:1;)
alert dns $HOME_NET any -> any 53 (msg:"FOX-SRT - Suspicious - DNS query for interactsh.com server observed"; flow:stateless; dns_query; content:".interactsh.com"; fast_pattern; pcre:"/[a-z0-9]{30,36}\.interactsh\.com/"; threshold:type limit, track by_src, count 1, seconds 3600; reference:url, github.com/projectdiscovery/interactsh; classtype:bad-unknown; metadata:created_at 2021-12-05; metadata:ids suricata; priority:2; sid:21003713; rev:1;)
# Detecting
@fox-srt
fox-srt / log4shell-hunting.rules
Last active Dec 12, 2021
Suricata Coverage for Log4Shell Hunting (CVE-2021-44228)
View log4shell-hunting.rules
# Outgoing connection after Log4j Exploit Attempt (uses xbit from sid: 21003734) - requires `stream.inline=yes` setting in suricata.yaml for this to work
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"FOX-SRT - Suspicious - Possible outgoing connection after Log4j Exploit Attempt"; flow:established, to_server; xbits:isset, fox.log4shell.attempt, track ip_src; stream_size:client, =, 1; stream_size:server, =, 1; threshold:type limit, track by_dst, count 1, seconds 3600; classtype:bad-unknown; metadata:ids suricata; metadata:created_at 2021-12-12; priority:3; sid:21003740; rev:1;)
# Detects inbound Java class
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "FOX-SRT - Suspicious - Java class inbound"; flow:established, to_client; content: "|CA FE BA BE 00 00 00|"; depth:20; fast_pattern; threshold:type limit, track by_dst, count 1, seconds 43200; metadata:ids suricata; metadata:created_at 2021-12-12; classtype:bad-unknown; priority:3; sid:21003742; rev:2;)
@fox-srt
fox-srt / log4shell-exploitation-attempts.rules
Last active Dec 12, 2021
Suricata Coverage for Log4Shell Exploitation Attempts (CVE-2021-44228)
View log4shell-exploitation-attempts.rules
# Detects Log4j exploitation attempts
alert http any any -> $HOME_NET any (msg:"FOX-SRT - Exploit - Possible Apache Log4J RCE Request Observed (CVE-2021-44228)"; flow:established, to_server; content:"${jndi:ldap://"; fast_pattern:only; flowbits:set, fox.apachelog4j.rce; threshold:type limit, track by_dst, count 1, seconds 3600; classtype:web-application-attack; priority:3; reference:url, www.lunasec.io/docs/blog/log4j-zero-day/; metadata:CVE 2021-44228; metadata:created_at 2021-12-10; metadata:ids suricata; sid:21003726; rev:1;)
alert http any any -> $HOME_NET any (msg:"FOX-SRT - Exploit - Possible Apache Log4J RCE Request Observed (CVE-2021-44228)"; flow:established, to_server; content:"${jndi:"; fast_pattern; pcre:"/\$\{jndi\:(rmi|ldaps|dns)\:/"; flowbits:set, fox.apachelog4j.rce; threshold:type limit, track by_dst, count 1, seconds 3600; classtype:web-application-attack; priority:3; reference:url, www.lunasec.io/docs/blog/log4j-zero-day/; metadata:CVE 2021-44228; metadata:created_at 2021-12-10; metadata:
@fox-srt
fox-srt / cobaltstrike-extraspace.rules
Created Feb 26, 2019
IDS Signature to detect the extraneous space in Cobalt Strike < 3.13
View cobaltstrike-extraspace.rules
alert tcp any any -> any any (msg:"FOX-IT - Trojan - Possible CobaltStrike C2 Server"; \
flow:to_client; \
content:"HTTP/1.1 200 OK |0d0a|"; fast_pattern; depth:18; \
content:"Date: "; \
pcre:"/^HTTP/1.1 200 OK \r\nContent-Type: [^\r\n]{0,100}\r\nDate: [^\r\n]{0,100} GMT\r\n(Content-Length: \d+\r\n)\r\n/"; \
threshold:type limit, track by_dst, count 1, seconds 600; \
classtype:trojan-activity; priority:2; \
sid:21002217; rev:3;)
@fox-srt
fox-srt / CVE-2018-0101.rules
Last active Apr 10, 2018
Cisco ASA RCE / CVE-2018-0101 IDS Signatures
View CVE-2018-0101.rules
# IDS signatures for https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1:
alert udp any any -> any 500 (msg:"FOX-SRT - Suspicious - Possible Fragmented Cisco IKE/isakmp Packet HeapSpray (CVE-2018-0101)"; flow:to_server; content:"|84|"; offset:16; depth:1; content:"|02|"; distance:1; within:1; fast_pattern; byte_test:4,>,5000,5,relative; byte_test:2,>,5000,11,relative; byte_extract:4,36,fragment_match; byte_test:4,=,fragment_match,53,relative; byte_test:4,=,fragment_match,137,relative; byte_test:4,=,fragment_match,237,relative; threshold:type limit, track by_dst, count 1, seconds 600; classtype:attempted-admin; sid:21002339; rev:5;)
alert udp any any -> any 500 (msg:"FOX-SRT - Exploit - Possible Shellcode in Cisco IKE/isakmp - tcp/CONNECT/"; content:"tcp/CONNECT/"; fast_pattern:only; threshold:type limit, track by_src, count 1, seconds 600; priority:1; classtype:attempted-admin; sid:21002340; rev:2;)
@fox-srt
fox-srt / mitm6.rules
Created Jan 26, 2018
MITM6 IDS Signatures
View mitm6.rules
# Snort & Suricata signatures for:
# https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6
alert udp fe80::/12 [546,547] -> fe80::/12 [546,547] (msg:"FOX-SRT - Policy - DHCPv6 advertise"; content:"|02|"; offset:48; depth:1; reference:url,blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/; threshold:type limit, track by_src, count 1, seconds 3600; classtype:policy-violation; sid:21002327; rev:2;)
alert udp ::/0 53 -> any any (msg:"FOX-SRT - Suspicious - WPAD DNS reponse over IPv6"; byte_test:1,&,0x7F,2; byte_test:2,>,0,6; content:"|00 04|wpad"; nocase; fast_pattern; threshold: type limit, track by_src, count 1, seconds 1800; reference:url,blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/; classtype:attempted-admin; priority:1; sid:21002330; rev:1;)
@fox-srt
fox-srt / decode_shadowpad_dns.py
Last active Apr 30, 2018
Netsarang backdoor DNS payload decrypter
View decode_shadowpad_dns.py
#!/usr/bin/env python
"""
Netsarang backdoor DNS payload decrypter
file: decode_shadowpad_dns.py
author: Fox-IT Security Research Team <srt@fox-it.com>
Usage:
$ cat dns.txt
sajajlyoogrmkllmuoqiyaxlymwlvajdkouhkdyiyolamdjivho.cjpybuhwnjgkhllm.nylalobghyhirgh.com