Security Research Team fox-srt

## citrix-adc-version-hashes.csv

          
            rdx_en_date
            vhash
            version

            
              2018-08-25 03:29:12
              
              12.1-49.23

            
              2018-10-16 17:54:20
              
              12.1-49.37

            
              2018-11-28 08:56:26
              26df0e65fba681faaeb333058a8b28bf
              12.1-50.28

            
              2019-01-18 17:41:34
              d3b5c691a4cfcc6769da8dc4e40f511d
              12.1-50.31

            
              2019-02-13 06:11:52
              1ffe249eccc42133689c145dc37d6372

            
              2019-02-27 09:30:02
              995a76005c128f4e89474af12ac0de66
              12.1-51.16

            
              2019-03-25 22:37:08
              d2bd166fed66cdf035a0778a09fd688c
              12.1-51.19

            
              2019-04-19 11:04:22
              489cadbd8055b1198c9c7fa9d34921b9

            
              2019-05-13 17:41:47
              86b4b2567b05dff896aae46d6e0765bc
              13.0-36.27

## log4shell-iocs.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              1 star
            
          
                fox-srt
                / log4shell-iocs.md
            
            
              Last active Dec 15, 2021
            
              
                Log4Shell Observed Listeners
              
          
      View log4shell-iocs.md
  
      
    # IP addresses and domains that have been observed in Log4j exploit attempts
134[.]209[.]26[.]39
199[.]217[.]117[.]92
pwn[.]af
188[.]120[.]246[.]215
kryptoslogic-cve-2021-44228[.]com
nijat[.]space
45[.]33[.]47[.]240
31[.]6[.]19[.]41


## log4shell-success.rules
# Detects possible successful exploitation of Log4j
# JNDI LDAP/RMI Request to External
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"FOX-SRT - Exploit - Possible Rogue JNDI LDAP Bind to External Observed (CVE-2021-44228)"; flow:established, to_server; dsize:14; content:"|02 01 03 04 00 80 00|"; offset:7; isdataat:!1, relative; threshold:type limit, track by_src, count 1, seconds 3600; classtype:bad-unknown; priority:1; metadata:created_at 2021-12-11; sid:21003738; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"FOX-SRT - Exploit - Possible Rogue JRMI Request to External Observed (CVE-2021-44228)"; flow:established, to_server; content:"JRMI"; depth:4; threshold:type limit, track by_src, count 1, seconds 3600; classtype:bad-unknown; priority:1; reference:url, https://docs.oracle.com/javase/9/docs/specs/rmi/protocol.html; metadata:created_at 2021-12-11; sid:21003739; rev:1;)

# Detecting inbound java shortly after exploitation attempt
alert tcp any any -> $HOME_NET any (msg: "FOX-SRT - Expl

## log4shell-probes.rules
# Possible successful interactsh probe
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"FOX-SRT - Webattack - Possible successful InteractSh probe observed"; flow:established, to_client; content:"200"; http_stat_code; content:"<html><head></head><body>"; http_server_body; fast_pattern; pcre:"/[a-z0-9]{30,36}<\/body><\/html>/QR"; threshold:type limit, track by_dst, count 1, seconds 3600; classtype:misc-attack; reference:url, github.com/projectdiscovery/interactsh; metadata:created_at 2021-12-05; metadata:ids suricata; priority:2; sid:21003712; rev:1;)
alert dns $HOME_NET any -> any 53 (msg:"FOX-SRT - Suspicious - DNS query for interactsh.com server observed"; flow:stateless; dns_query; content:".interactsh.com"; fast_pattern; pcre:"/[a-z0-9]{30,36}\.interactsh\.com/"; threshold:type limit, track by_src, count 1, seconds 3600; reference:url, github.com/projectdiscovery/interactsh; classtype:bad-unknown; metadata:created_at 2021-12-05; metadata:ids suricata; priority:2; sid:21003713; rev:1;)

# Detecting

## log4shell-hunting.rules
# Outgoing connection after Log4j Exploit Attempt (uses xbit from sid: 21003734) - requires `stream.inline=yes` setting in suricata.yaml for this to work
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"FOX-SRT - Suspicious - Possible outgoing connection after Log4j Exploit Attempt"; flow:established, to_server; xbits:isset, fox.log4shell.attempt, track ip_src; stream_size:client, =, 1; stream_size:server, =, 1; threshold:type limit, track by_dst, count 1, seconds 3600; classtype:bad-unknown; metadata:ids suricata; metadata:created_at 2021-12-12; priority:3; sid:21003740; rev:1;)

# Detects inbound Java class
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "FOX-SRT - Suspicious - Java class inbound"; flow:established, to_client; content: "|CA FE BA BE 00 00 00|"; depth:20; fast_pattern; threshold:type limit, track by_dst, count 1, seconds 43200; metadata:ids suricata; metadata:created_at 2021-12-12; classtype:bad-unknown; priority:3; sid:21003742; rev:2;)

## log4shell-exploitation-attempts.rules
# Detects Log4j exploitation attempts
alert http any any -> $HOME_NET any (msg:"FOX-SRT - Exploit - Possible Apache Log4J RCE Request Observed (CVE-2021-44228)"; flow:established, to_server; content:"${jndi:ldap://"; fast_pattern:only; flowbits:set, fox.apachelog4j.rce; threshold:type limit, track by_dst, count 1, seconds 3600; classtype:web-application-attack; priority:3; reference:url, www.lunasec.io/docs/blog/log4j-zero-day/; metadata:CVE 2021-44228; metadata:created_at 2021-12-10; metadata:ids suricata; sid:21003726; rev:1;)

alert http any any -> $HOME_NET any (msg:"FOX-SRT - Exploit - Possible Apache Log4J RCE Request Observed (CVE-2021-44228)"; flow:established, to_server; content:"${jndi:"; fast_pattern; pcre:"/\$\{jndi\:(rmi|ldaps|dns)\:/"; flowbits:set, fox.apachelog4j.rce; threshold:type limit, track by_dst, count 1, seconds 3600; classtype:web-application-attack; priority:3; reference:url, www.lunasec.io/docs/blog/log4j-zero-day/; metadata:CVE 2021-44228; metadata:created_at 2021-12-10; metadata:

## cobaltstrike-extraspace.rules
alert tcp any any -> any any (msg:"FOX-IT - Trojan - Possible CobaltStrike C2 Server"; \
    flow:to_client; \
    content:"HTTP/1.1 200 OK |0d0a|"; fast_pattern; depth:18; \
    content:"Date: "; \
    pcre:"/^HTTP/1.1 200 OK \r\nContent-Type: [^\r\n]{0,100}\r\nDate: [^\r\n]{0,100} GMT\r\n(Content-Length: \d+\r\n)\r\n/"; \
    threshold:type limit, track by_dst, count 1, seconds 600; \
    classtype:trojan-activity; priority:2; \
    sid:21002217; rev:3;)

## CVE-2018-0101.rules
# IDS signatures for https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1:
alert udp any any -> any 500 (msg:"FOX-SRT - Suspicious - Possible Fragmented Cisco IKE/isakmp Packet HeapSpray (CVE-2018-0101)"; flow:to_server; content:"|84|"; offset:16; depth:1; content:"|02|"; distance:1; within:1; fast_pattern; byte_test:4,>,5000,5,relative; byte_test:2,>,5000,11,relative; byte_extract:4,36,fragment_match; byte_test:4,=,fragment_match,53,relative; byte_test:4,=,fragment_match,137,relative; byte_test:4,=,fragment_match,237,relative; threshold:type limit, track by_dst, count 1, seconds 600; classtype:attempted-admin; sid:21002339; rev:5;)
alert udp any any -> any 500 (msg:"FOX-SRT - Exploit - Possible Shellcode in Cisco IKE/isakmp - tcp/CONNECT/"; content:"tcp/CONNECT/"; fast_pattern:only; threshold:type limit, track by_src, count 1, seconds 600; priority:1; classtype:attempted-admin; sid:21002340; rev:2;)

## mitm6.rules
# Snort & Suricata signatures for:
# https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6

alert udp fe80::/12 [546,547] -> fe80::/12 [546,547] (msg:"FOX-SRT - Policy - DHCPv6 advertise"; content:"|02|"; offset:48; depth:1; reference:url,blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/; threshold:type limit, track by_src, count 1, seconds 3600; classtype:policy-violation; sid:21002327; rev:2;)
alert udp ::/0 53 -> any any (msg:"FOX-SRT - Suspicious - WPAD DNS reponse over IPv6"; byte_test:1,&,0x7F,2; byte_test:2,>,0,6; content:"|00 04|wpad"; nocase; fast_pattern; threshold: type limit, track by_src, count 1, seconds 1800; reference:url,blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/; classtype:attempted-admin; priority:1; sid:21002330; rev:1;)

## decode_shadowpad_dns.py
#!/usr/bin/env python
"""
Netsarang backdoor DNS payload decrypter

file:     decode_shadowpad_dns.py
author:   Fox-IT Security Research Team <srt@fox-it.com>

 Usage:
   $ cat dns.txt
   sajajlyoogrmkllmuoqiyaxlymwlvajdkouhkdyiyolamdjivho.cjpybuhwnjgkhllm.nylalobghyhirgh.com
rdx_en_date	vhash	version
2018-08-25 03:29:12		12.1-49.23
2018-10-16 17:54:20		12.1-49.37
2018-11-28 08:56:26	26df0e65fba681faaeb333058a8b28bf	12.1-50.28
2019-01-18 17:41:34	d3b5c691a4cfcc6769da8dc4e40f511d	12.1-50.31
2019-02-13 06:11:52	1ffe249eccc42133689c145dc37d6372
2019-02-27 09:30:02	995a76005c128f4e89474af12ac0de66	12.1-51.16
2019-03-25 22:37:08	d2bd166fed66cdf035a0778a09fd688c	12.1-51.19
2019-04-19 11:04:22	489cadbd8055b1198c9c7fa9d34921b9
2019-05-13 17:41:47	86b4b2567b05dff896aae46d6e0765bc	13.0-36.27
	# Detects possible successful exploitation of Log4j
	# JNDI LDAP/RMI Request to External
	alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"FOX-SRT - Exploit - Possible Rogue JNDI LDAP Bind to External Observed (CVE-2021-44228)"; flow:established, to_server; dsize:14; content:"\|02 01 03 04 00 80 00\|"; offset:7; isdataat:!1, relative; threshold:type limit, track by_src, count 1, seconds 3600; classtype:bad-unknown; priority:1; metadata:created_at 2021-12-11; sid:21003738; rev:2;)
	alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"FOX-SRT - Exploit - Possible Rogue JRMI Request to External Observed (CVE-2021-44228)"; flow:established, to_server; content:"JRMI"; depth:4; threshold:type limit, track by_src, count 1, seconds 3600; classtype:bad-unknown; priority:1; reference:url, https://docs.oracle.com/javase/9/docs/specs/rmi/protocol.html; metadata:created_at 2021-12-11; sid:21003739; rev:1;)

	# Detecting inbound java shortly after exploitation attempt
	alert tcp any any -> $HOME_NET any (msg: "FOX-SRT - Expl
	# Possible successful interactsh probe
	alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"FOX-SRT - Webattack - Possible successful InteractSh probe observed"; flow:established, to_client; content:"200"; http_stat_code; content:"<html><head></head><body>"; http_server_body; fast_pattern; pcre:"/[a-z0-9]{30,36}<\/body><\/html>/QR"; threshold:type limit, track by_dst, count 1, seconds 3600; classtype:misc-attack; reference:url, github.com/projectdiscovery/interactsh; metadata:created_at 2021-12-05; metadata:ids suricata; priority:2; sid:21003712; rev:1;)
	alert dns $HOME_NET any -> any 53 (msg:"FOX-SRT - Suspicious - DNS query for interactsh.com server observed"; flow:stateless; dns_query; content:".interactsh.com"; fast_pattern; pcre:"/[a-z0-9]{30,36}\.interactsh\.com/"; threshold:type limit, track by_src, count 1, seconds 3600; reference:url, github.com/projectdiscovery/interactsh; classtype:bad-unknown; metadata:created_at 2021-12-05; metadata:ids suricata; priority:2; sid:21003713; rev:1;)

	# Detecting
	# Outgoing connection after Log4j Exploit Attempt (uses xbit from sid: 21003734) - requires `stream.inline=yes` setting in suricata.yaml for this to work
	alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"FOX-SRT - Suspicious - Possible outgoing connection after Log4j Exploit Attempt"; flow:established, to_server; xbits:isset, fox.log4shell.attempt, track ip_src; stream_size:client, =, 1; stream_size:server, =, 1; threshold:type limit, track by_dst, count 1, seconds 3600; classtype:bad-unknown; metadata:ids suricata; metadata:created_at 2021-12-12; priority:3; sid:21003740; rev:1;)

	# Detects inbound Java class
	alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "FOX-SRT - Suspicious - Java class inbound"; flow:established, to_client; content: "\|CA FE BA BE 00 00 00\|"; depth:20; fast_pattern; threshold:type limit, track by_dst, count 1, seconds 43200; metadata:ids suricata; metadata:created_at 2021-12-12; classtype:bad-unknown; priority:3; sid:21003742; rev:2;)
	# Detects Log4j exploitation attempts
	alert http any any -> $HOME_NET any (msg:"FOX-SRT - Exploit - Possible Apache Log4J RCE Request Observed (CVE-2021-44228)"; flow:established, to_server; content:"${jndi:ldap://"; fast_pattern:only; flowbits:set, fox.apachelog4j.rce; threshold:type limit, track by_dst, count 1, seconds 3600; classtype:web-application-attack; priority:3; reference:url, www.lunasec.io/docs/blog/log4j-zero-day/; metadata:CVE 2021-44228; metadata:created_at 2021-12-10; metadata:ids suricata; sid:21003726; rev:1;)

	alert http any any -> $HOME_NET any (msg:"FOX-SRT - Exploit - Possible Apache Log4J RCE Request Observed (CVE-2021-44228)"; flow:established, to_server; content:"${jndi:"; fast_pattern; pcre:"/\$\{jndi\:(rmi\|ldaps\|dns)\:/"; flowbits:set, fox.apachelog4j.rce; threshold:type limit, track by_dst, count 1, seconds 3600; classtype:web-application-attack; priority:3; reference:url, www.lunasec.io/docs/blog/log4j-zero-day/; metadata:CVE 2021-44228; metadata:created_at 2021-12-10; metadata:
	alert tcp any any -> any any (msg:"FOX-IT - Trojan - Possible CobaltStrike C2 Server"; \
	flow:to_client; \
	content:"HTTP/1.1 200 OK \|0d0a\|"; fast_pattern; depth:18; \
	content:"Date: "; \
	pcre:"/^HTTP/1.1 200 OK \r\nContent-Type: [^\r\n]{0,100}\r\nDate: [^\r\n]{0,100} GMT\r\n(Content-Length: \d+\r\n)\r\n/"; \
	threshold:type limit, track by_dst, count 1, seconds 600; \
	classtype:trojan-activity; priority:2; \
	sid:21002217; rev:3;)
	# IDS signatures for https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1:
	alert udp any any -> any 500 (msg:"FOX-SRT - Suspicious - Possible Fragmented Cisco IKE/isakmp Packet HeapSpray (CVE-2018-0101)"; flow:to_server; content:"\|84\|"; offset:16; depth:1; content:"\|02\|"; distance:1; within:1; fast_pattern; byte_test:4,>,5000,5,relative; byte_test:2,>,5000,11,relative; byte_extract:4,36,fragment_match; byte_test:4,=,fragment_match,53,relative; byte_test:4,=,fragment_match,137,relative; byte_test:4,=,fragment_match,237,relative; threshold:type limit, track by_dst, count 1, seconds 600; classtype:attempted-admin; sid:21002339; rev:5;)
	alert udp any any -> any 500 (msg:"FOX-SRT - Exploit - Possible Shellcode in Cisco IKE/isakmp - tcp/CONNECT/"; content:"tcp/CONNECT/"; fast_pattern:only; threshold:type limit, track by_src, count 1, seconds 600; priority:1; classtype:attempted-admin; sid:21002340; rev:2;)
	# Snort & Suricata signatures for:
	# https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6

	alert udp fe80::/12 [546,547] -> fe80::/12 [546,547] (msg:"FOX-SRT - Policy - DHCPv6 advertise"; content:"\|02\|"; offset:48; depth:1; reference:url,blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/; threshold:type limit, track by_src, count 1, seconds 3600; classtype:policy-violation; sid:21002327; rev:2;)
	alert udp ::/0 53 -> any any (msg:"FOX-SRT - Suspicious - WPAD DNS reponse over IPv6"; byte_test:1,&,0x7F,2; byte_test:2,>,0,6; content:"\|00 04\|wpad"; nocase; fast_pattern; threshold: type limit, track by_src, count 1, seconds 1800; reference:url,blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/; classtype:attempted-admin; priority:1; sid:21002330; rev:1;)
	#!/usr/bin/env python
	"""
	Netsarang backdoor DNS payload decrypter

	file: decode_shadowpad_dns.py
	author: Fox-IT Security Research Team <srt@fox-it.com>

	Usage:
	$ cat dns.txt
	sajajlyoogrmkllmuoqiyaxlymwlvajdkouhkdyiyolamdjivho.cjpybuhwnjgkhllm.nylalobghyhirgh.com