Skip to content

Instantly share code, notes, and snippets.

Avatar

Security Research Team fox-srt

51 followers · 0 following · 1
View GitHub Profile
@fox-srt
fox-srt / cobaltstrike-extraspace.rules
Created Feb 26, 2019
IDS Signature to detect the extraneous space in Cobalt Strike < 3.13
View cobaltstrike-extraspace.rules
alert tcp any any -> any any (msg:"FOX-IT - Trojan - Possible CobaltStrike C2 Server"; \
flow:to_client; \
content:"HTTP/1.1 200 OK |0d0a|"; fast_pattern; depth:18; \
content:"Date: "; \
pcre:"/^HTTP/1.1 200 OK \r\nContent-Type: [^\r\n]{0,100}\r\nDate: [^\r\n]{0,100} GMT\r\n(Content-Length: \d+\r\n)\r\n/"; \
threshold:type limit, track by_dst, count 1, seconds 600; \
classtype:trojan-activity; priority:2; \
sid:21002217; rev:3;)
@fox-srt
fox-srt / CVE-2018-0101.rules
Last active Apr 10, 2018
Cisco ASA RCE / CVE-2018-0101 IDS Signatures
View CVE-2018-0101.rules
# IDS signatures for https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1:
alert udp any any -> any 500 (msg:"FOX-SRT - Suspicious - Possible Fragmented Cisco IKE/isakmp Packet HeapSpray (CVE-2018-0101)"; flow:to_server; content:"|84|"; offset:16; depth:1; content:"|02|"; distance:1; within:1; fast_pattern; byte_test:4,>,5000,5,relative; byte_test:2,>,5000,11,relative; byte_extract:4,36,fragment_match; byte_test:4,=,fragment_match,53,relative; byte_test:4,=,fragment_match,137,relative; byte_test:4,=,fragment_match,237,relative; threshold:type limit, track by_dst, count 1, seconds 600; classtype:attempted-admin; sid:21002339; rev:5;)
alert udp any any -> any 500 (msg:"FOX-SRT - Exploit - Possible Shellcode in Cisco IKE/isakmp - tcp/CONNECT/"; content:"tcp/CONNECT/"; fast_pattern:only; threshold:type limit, track by_src, count 1, seconds 600; priority:1; classtype:attempted-admin; sid:21002340; rev:2;)
@fox-srt
fox-srt / mitm6.rules
Created Jan 26, 2018
MITM6 IDS Signatures
View mitm6.rules
# Snort & Suricata signatures for:
# https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6
alert udp fe80::/12 [546,547] -> fe80::/12 [546,547] (msg:"FOX-SRT - Policy - DHCPv6 advertise"; content:"|02|"; offset:48; depth:1; reference:url,blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/; threshold:type limit, track by_src, count 1, seconds 3600; classtype:policy-violation; sid:21002327; rev:2;)
alert udp ::/0 53 -> any any (msg:"FOX-SRT - Suspicious - WPAD DNS reponse over IPv6"; byte_test:1,&,0x7F,2; byte_test:2,>,0,6; content:"|00 04|wpad"; nocase; fast_pattern; threshold: type limit, track by_src, count 1, seconds 1800; reference:url,blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/; classtype:attempted-admin; priority:1; sid:21002330; rev:1;)
@fox-srt
fox-srt / decode_shadowpad_dns.py
Last active Apr 30, 2018
Netsarang backdoor DNS payload decrypter
View decode_shadowpad_dns.py
#!/usr/bin/env python
"""
Netsarang backdoor DNS payload decrypter
file: decode_shadowpad_dns.py
author: Fox-IT Security Research Team <srt@fox-it.com>
Usage:
$ cat dns.txt
sajajlyoogrmkllmuoqiyaxlymwlvajdkouhkdyiyolamdjivho.cjpybuhwnjgkhllm.nylalobghyhirgh.com
@fox-srt
fox-srt / fox-ticketbleed.rules
Last active Feb 17, 2017
IDS Coverage for Ticketbleed
View fox-ticketbleed.rules
# IDS Signatures to detect Ticketbleed (CVE-2016-9244)
# https://blog.fox-it.com/2017/02/13/detecting-ticketbleed-cve-2016-9244/
alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,443] (msg:"FOX-SRT - Flowbit - TLS session resumption < 32 byte session id (noalert)"; flow:established,to_server; content:"|1603|"; depth:2; content:"|01|"; distance:3; within:1; byte_test:3,<,3000,0,relative; content:"|03|"; distance:3; within:1; byte_test:1,<,32,33,relative; byte_test:1,>,0,33,relative; flowbits:set,fox.ticketbleed.session; flowbits:noalert; threshold:type limit, track by_src, count 1, seconds 600; classtype:attempted-recon; reference:cve,2016-9244; reference:url,https://ticketbleed.com; reference:url,blog.fox-it.com/2017/02/13/detecting-ticketbleed-cve-2016-9244; sid:21002061; rev:6;)
alert tcp $HOME_NET [$HTTP_PORTS,443] -> $EXTERNAL_NET any (msg:"FOX-SRT - Vulnerability - Possible Succesful F5 Big-IP TLS Ticketbleed"; flow:established,to_client; flowbits:isset,fox.ticketbleed.session; content:"|1603|"; dep
@fox-srt
fox-srt / tr-069-soap-rce.rules
Last active Apr 30, 2018
Snort coverage for TR-069 SOAP RCE
View tr-069-soap-rce.rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 7547 (msg:"FOX-SRT – Exploit – TR-069 SOAP RCE NewNTPServer exploit incoming"; flow:established,to_server; content:"POST"; depth:4; content:"/UD/act?1"; content:"urn:dslforum-org:service:Time:1#SetNTPServers"; threshold: type limit, track by_dst, count 1, seconds 60; classtype:attempted-admin; reference:url,blog.fox-it.com/2016/11/28/recent-vulnerability-in-eir-d1000-router-used-to-spread-updated-version-of-mirai-ddos-bot; sid:1; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 7547 (msg:"FOX-SRT – Exploit – TR-069 SOAP RCE NewNTPServer exploit outgoing"; flow:established,to_server; content:"POST"; depth:4; content:"/UD/act?1"; content:"urn:dslforum-org:service:Time:1#SetNTPServers"; threshold: type limit, track by_src, count 1, seconds 60; classtype:attempted-admin; reference:url,blog.fox-it.com/2016/11/28/recent-vulnerability-in-eir-d1000-router-used-to-spread-updated-version-of-mirai-ddos-bot; sid:2; rev:1;)
@fox-srt
fox-srt / skorianial.com.pem
Created Jun 7, 2016
x509 cert of skorianial.com:443 / 107.181.187.182:443
View skorianial.com.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
b3:41:c8:fd:5c:fa:8f:a5
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=XX, ST=1, L=1, O=1, OU=1, CN=107.181.187.182/emailAddress=box@example.com
Validity
Not Before: Jun 4 10:15:01 2016 GMT
Not After : Jun 4 10:15:01 2017 GMT
@fox-srt
fox-srt / juniper-cve-2015-7755.rules
Last active Aug 23, 2016
Snort coverage for Juniper ScreenOS backdoor
View juniper-cve-2015-7755.rules
# Signatures to detect successful abuse of the Juniper backdoor password over telnet.
# Additionally a signature for detecting world reachable ScreenOS devices over SSH.
alert tcp $HOME_NET 23 -> any any (msg:"FOX-SRT - Flowbit - Juniper ScreenOS telnet (noalert)"; flow:established,to_client; content:"Remote Management Console|0d0a|"; offset:0; depth:27; flowbits:set,fox.juniper.screenos; flowbits:noalert; reference:cve,2015-7755; reference:url,http://kb.juniper.net/JSA10713; classtype:policy-violation; sid:21001729; rev:2;)
alert tcp any any -> $HOME_NET 23 (msg:"FOX-SRT - Backdoor - Juniper ScreenOS telnet backdoor password attempt"; flow:established,to_server; flowbits:isset,fox.juniper.screenos; flowbits:set,fox.juniper.screenos.password; content:"|3c3c3c20257328756e3d2725732729203d202575|"; offset:0; fast_pattern; classtype:attempted-admin; reference:cve,2015-7755; reference:url,http://kb.juniper.net/JSA10713; sid:21001730; rev:2;)
alert tcp $HOME_NET 23 -> any any (msg:"FOX-SRT - Backdoor - Juniper Scr
@fox-srt
fox-srt / fox-srt-mwi.rules
Last active Apr 11, 2017
Snort coverage for Microsoft Word Intruder
View fox-srt-mwi.rules
# Signatures for detecting Microsoft Word Intruder
# https://www.fireeye.com/blog/threat-research/2015/04/a_new_word_document.html
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FOX-SRT - Trojan - Microsoft Word Intruder payload request"; content:"GET"; depth:3; flowbits:set,mwi; content:!"Referer|3a| "; content:!"Cookie|3a| "; uricontent:"&act=1"; fast_pattern: only; pcre:"/\/webstat\/image\.php\?id=[0-9]{8}/"; threshold: type limit, track by_src, count 1, seconds 3600; classtype:trojan-activity; reference:url,https://www.fireeye.com/blog/threat-research/2015/04/a_new_word_document.html; sid:21001609; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FOX-SRT - Trojan - Microsoft Word Intruder payload response"; flowbits:isset,mwi; content:"Content-Type|3a| application/octet-stream"; content:"Content-Description|3a| File Transfer"; pcre:"/filename=[0-9]{8}\.exe/"; threshold: type limit, track by_src, count 1, seconds 3600; classtype:trojan-activity; reference:url,https://www.fir