# Possible successful interactsh probe
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"FOX-SRT - Webattack - Possible successful InteractSh probe observed"; flow:established, to_client; content:"200"; http_stat_code; content:"<html><head></head><body>"; http_server_body; fast_pattern; pcre:"/[a-z0-9]{30,36}<\/body><\/html>/QR"; threshold:type limit, track by_dst, count 1, seconds 3600; classtype:misc-attack; reference:url, github.com/projectdiscovery/interactsh; metadata:created_at 2021-12-05; metadata:ids suricata; priority:2; sid:21003712; rev:1;)
alert dns $HOME_NET any -> any 53 (msg:"FOX-SRT - Suspicious - DNS query for interactsh.com server observed"; flow:stateless; dns_query; content:".interactsh.com"; fast_pattern; pcre:"/[a-z0-9]{30,36}\.interactsh\.com/"; threshold:type limit, track by_src, count 1, seconds 3600; reference:url, github.com/projectdiscovery/interactsh; classtype:bad-unknown; metadata:created_at 2021-12-05; metadata:ids suricata; priority:2; sid:21003713; rev:1;)
# Detecting
# Snort & Suricata signatures for:
# https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6
alert udp fe80::/12 [546,547] -> fe80::/12 [546,547] (msg:"FOX-SRT - Policy - DHCPv6 advertise"; content:"|02|"; offset:48; depth:1; reference:url,blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/; threshold:type limit, track by_src, count 1, seconds 3600; classtype:policy-violation; sid:21002327; rev:2;)
alert udp ::/0 53 -> any any (msg:"FOX-SRT - Suspicious - WPAD DNS response over IPv6"; byte_test:1,&,0x7F,2; byte_test:2,>,0,6; content:"|00 04|wpad"; nocase; fast_pattern; threshold: type limit, track by_src, count 1, seconds 1800; reference:url,blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/; classtype:attempted-admin; priority:1; sid:21002330; rev:1;)
from dissect.cstruct import cstruct
defender_def = """
struct QuarantineEntryFileHeader {
    CHAR  MagicHeader[4];
    CHAR  Unknown[4];
    CHAR  _Padding[32];
    DWORD Section1Size;
    DWORD Section2Size;
    DWORD Section1CRC;
rdx_en_date | rdx_en_stamp | vhash | version
---|---|---|---
2018-08-25 03:29:12 | 1535167752 | | 12.1-49.23
2018-10-16 17:54:20 | 1539712460 | | 12.1-49.37
2018-11-28 08:56:26 | 1543395386 | 26df0e65fba681faaeb333058a8b28bf | 12.1-50.28
2019-01-18 17:41:34 | 1547833294 | d3b5c691a4cfcc6769da8dc4e40f511d | 12.1-50.31
2019-02-13 06:11:52 | 1550038312 | 1ffe249eccc42133689c145dc37d6372 |
2019-02-27 09:30:02 | 1551259802 | 995a76005c128f4e89474af12ac0de66 | 12.1-51.16
2019-03-25 22:37:08 | 1553553428 | d2bd166fed66cdf035a0778a09fd688c | 12.1-51.19
2019-04-19 11:04:22 | 1555671862 | 489cadbd8055b1198c9c7fa9d34921b9 |
2019-05-13 17:41:47 | 1557769307 | 86b4b2567b05dff896aae46d6e0765bc | 13.0-36.27
struct QuarantineEntrySection1 {
    CHAR  Id[16];
    CHAR  ScanId[16];
    QWORD Timestamp;
    QWORD ThreatId;
    DWORD One;
    CHAR  DetectionName[];
};
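The file header struct above is cut off on this page, but QuarantineEntrySection1 is declared in full, so it can be parsed as an illustration. The following Python is an added example and not code from FOX-SRT's gist; it uses the standard library `struct` module instead of dissect.cstruct so that it runs without that dependency. The fixed-size prefix (Id, ScanId, Timestamp, ThreatId, One) is unpacked little-endian and DetectionName is read as the NUL-terminated string that follows it. The sample Id, ScanId, ThreatId and detection name are constructed for the demonstration. Treating Timestamp as a Windows FILETIME is an assumption of this example: the page only declares the field as a QWORD.

```python
import struct
from datetime import datetime, timedelta, timezone

# Fixed-size prefix of QuarantineEntrySection1 exactly as declared above:
# CHAR Id[16], CHAR ScanId[16], QWORD Timestamp, QWORD ThreatId, DWORD One.
# The trailing CHAR DetectionName[] is a NUL-terminated string that follows it.
SECTION1_FIXED = struct.Struct("<16s16sQQI")

# Constructed sample values for the demonstration; they are not taken from a
# real quarantine entry.
SAMPLE_ID = bytes(range(0x00, 0x10))
SAMPLE_SCAN_ID = bytes(range(0x10, 0x20))
SAMPLE_TIMESTAMP = 133000000000000000      # 100 ns ticks since 1601 (mid-2022)
SAMPLE_THREAT_ID = 0x1122334455667788
SAMPLE_DETECTION_NAME = "Trojan:Win32/Example.A!ex"   # made-up detection name


def filetime_to_datetime(value: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime.
    Assumption for this example: the Timestamp QWORD is a FILETIME; the struct
    on the page only declares it as a QWORD."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=value // 10)


def build_section1(entry_id: bytes, scan_id: bytes, timestamp: int,
                   threat_id: int, detection_name: str) -> bytes:
    """Serialise a Section1 blob so the parser below has input to work on."""
    if len(entry_id) != 16 or len(scan_id) != 16:
        raise ValueError("Id and ScanId must be exactly 16 bytes")
    return (SECTION1_FIXED.pack(entry_id, scan_id, timestamp, threat_id, 1)
            + detection_name.encode("ascii") + b"\x00")


def parse_section1(buf: bytes) -> dict:
    """Parse a QuarantineEntrySection1 blob into its fields.
    Raises ValueError on a buffer that is too short or whose DetectionName
    never terminates, rather than returning a partial record."""
    if len(buf) < SECTION1_FIXED.size:
        raise ValueError("buffer shorter than the fixed Section1 header")
    entry_id, scan_id, timestamp, threat_id, one = SECTION1_FIXED.unpack_from(buf, 0)
    rest = buf[SECTION1_FIXED.size:]
    end = rest.find(b"\x00")
    if end < 0:
        raise ValueError("DetectionName is not NUL-terminated")
    return {
        "Id": entry_id.hex(),
        "ScanId": scan_id.hex(),
        "Timestamp": timestamp,
        "TimestampUTC": filetime_to_datetime(timestamp),
        "ThreatId": threat_id,
        "One": one,
        "DetectionName": rest[:end].decode("ascii", errors="replace"),
        "TrailingBytes": len(rest) - end - 1,   # bytes left after the terminator
    }


if __name__ == "__main__":
    blob = build_section1(SAMPLE_ID, SAMPLE_SCAN_ID, SAMPLE_TIMESTAMP,
                          SAMPLE_THREAT_ID, SAMPLE_DETECTION_NAME)
    for key, value in parse_section1(blob).items():
        print(f"{key:14} {value}")
```

The `TrailingBytes` count is there because a real entry carries more data after Section1; a parser that silently ignores what follows the terminator makes it easy to miss that it was handed the wrong offset.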
--[[
Author: FOX-SRT
created_at: 2023-06-02
updated_at: 2023-06-07
revision: 2
Script to check for Hook-like websocket packets.
For a websocket packet, the first two bytes of the TCP payload are part of the Websocket header.
The next 4 bytes are the XOR key that masks the remainder of the payload.
# Detection for Hook/ERMAC mobile malware
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"FOX-SRT - Mobile Malware - Possible Hook/ERMAC HTTP POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/php/"; depth:5; content:".php/"; isdataat:!1,relative; fast_pattern; pcre:"/^\/php\/[a-z0-9]{1,21}\.php\/$/U"; classtype:trojan-activity; priority:1; threshold:type limit,track by_src,count 1,seconds 3600; metadata:ids suricata; metadata:created_at 2023-06-02; metadata:updated_at 2023-06-07; sid:21004440; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"FOX-SRT - Mobile Malware - Possible Hook Websocket Packet Observed (login)"; content:"|81|"; depth:1; byte_test:1,&,0x80,1; luajit:hook.lua; classtype:trojan-activity; priority:1; threshold:type limit,track by_src,count 1,seconds 3600; metadata:ids suricata; metadata:created_at 2023-06-02; metadata:updated_at 2023-06-07; sid:21004441; rev:2;)
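The hook.lua header comment above describes the masked client frame layout, and sid 21004441 gates on the first two payload bytes (0x81, then the mask bit) before handing the packet to that script. The following Python is an added example, not part of FOX-SRT's gist or of hook.lua: it parses a client-to-server WebSocket frame, unmasks the payload with the 4-byte XOR key, and applies the same two byte checks the rule performs. It goes beyond the comment in one respect: it also handles the 16- and 64-bit extended lengths, where the key no longer sits directly after the two header bytes. The sample message and key are constructed for the demonstration, and nothing about what hook.lua checks beyond the header is assumed, since the page does not show it.

```python
import struct

# Constructed sample: a client-side text frame carrying a small JSON blob.
# The content is made up for this example and is not real Hook/ERMAC traffic.
SAMPLE_MESSAGE = b'{"id":"0123456789abcdef","type":"login"}'
SAMPLE_KEY = bytes.fromhex("deadbeef")


def mask_payload(data: bytes, key: bytes) -> bytes:
    """XOR every payload byte with the 4-byte masking key, cycling through it.
    Masking and unmasking are the same operation."""
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))


def build_client_frame(data: bytes, key: bytes, opcode: int = 0x1, fin: bool = True) -> bytes:
    """Build a masked client->server frame (RFC 6455 section 5.2 layout)."""
    first = (0x80 if fin else 0x00) | (opcode & 0x0F)
    n = len(data)
    if n < 126:
        header = bytes([first, 0x80 | n])
    elif n < 0x10000:
        header = bytes([first, 0x80 | 126]) + struct.pack(">H", n)
    else:
        header = bytes([first, 0x80 | 127]) + struct.pack(">Q", n)
    return header + key + mask_payload(data, key)


def parse_frame(payload: bytes):
    """Parse one WebSocket frame at the start of a TCP payload.
    Returns a dict with fin, opcode, masked, key and the unmasked data,
    or None when the bytes cannot be a complete frame."""
    if len(payload) < 2:
        return None
    b0, b1 = payload[0], payload[1]
    fin = bool(b0 & 0x80)
    opcode = b0 & 0x0F
    masked = bool(b1 & 0x80)
    length = b1 & 0x7F
    offset = 2
    # The two-byte header only holds lengths up to 125; 126 and 127 announce
    # a 16- or 64-bit extended length that pushes the key further out.
    if length == 126:
        if len(payload) < 4:
            return None
        length = struct.unpack(">H", payload[2:4])[0]
        offset = 4
    elif length == 127:
        if len(payload) < 10:
            return None
        length = struct.unpack(">Q", payload[2:10])[0]
        offset = 10
    key = b""
    if masked:
        key = payload[offset:offset + 4]
        if len(key) < 4:
            return None
        offset += 4
    if len(payload) < offset + length:
        return None
    data = payload[offset:offset + length]
    if masked:
        data = mask_payload(data, key)
    return {"fin": fin, "opcode": opcode, "masked": masked, "key": key, "data": data}


def matches_rule_preconditions(payload: bytes) -> bool:
    """Mirror the byte checks sid 21004441 performs before calling hook.lua:
    first byte 0x81 (FIN + text opcode) and the mask bit of the second byte set.
    What hook.lua itself checks is not shown on this page, so nothing beyond
    that is asserted here."""
    return len(payload) >= 2 and payload[0] == 0x81 and (payload[1] & 0x80) != 0


def unmask_text_frame(payload: bytes):
    """Return the decoded text of a masked text frame, or None if the payload
    does not pass the header checks or is not a complete frame."""
    if not matches_rule_preconditions(payload):
        return None
    frame = parse_frame(payload)
    if frame is None:
        return None
    return frame["data"].decode("utf-8", errors="replace")


if __name__ == "__main__":
    frame = build_client_frame(SAMPLE_MESSAGE, SAMPLE_KEY)
    print(frame[:6].hex(), "->", unmask_text_frame(frame))
```

The key offset is the detail that bites when porting this to a packet-level script: for payloads of 126 bytes or more the mask key starts at offset 4 or 10, not 2, so a decoder that always reads bytes 2..5 as the key will produce garbage on longer messages.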
#!/usr/bin/env python
"""
Netsarang backdoor DNS payload decrypter
file: decode_shadowpad_dns.py
author: Fox-IT Security Research Team <srt@fox-it.com>
Usage:
$ cat dns.txt
sajajlyoogrmkllmuoqiyaxlymwlvajdkouhkdyiyolamdjivho.cjpybuhwnjgkhllm.nylalobghyhirgh.com
//
// Decompiled by Procyon v0.6.0
//
package org.gjt.mm.mysql;
import java.sql.DriverPropertyInfo;
import java.sql.Connection;
import java.util.Properties;
import java.util.logging.Logger;
# Detection for Godzilla webshell variant and SimpleHTTPServerWithUpload
alert tcp any any -> any any (msg:"FOX-SRT - Suspicious - Python SimpleHTTPServerWithUpload Observed"; flow:established, from_server; content:"Server: SimpleHTTPWithUpload/"; http_header; threshold: type limit, track by_dst, count 1, seconds 600; classtype:bad-unknown; metadata:created_at 2023-01-06; priority:2; sid:21004337; rev:1;)
alert tcp any any -> any any (msg:"FOX-SRT - IOC - Godzilla Variant ZK Web Shell Request Observed"; flow:established, to_server; content:"/zkau/jquery"; http_uri; threshold:type limit, track by_dst, count 1, seconds 600; flowbits:set, fox.zkau.webshell; classtype:trojan-activity; metadata:created_at 2023-01-09; priority:3; sid:21004344; rev:1;)
alert tcp any any -> any any (msg:"FOX-SRT - Webshell - Godzilla Variant ZK Web Shell Response Observed"; flow:established, from_server; flowbits:isset, fox.zkau.webshell; content:"200"; http_stat_code; threshold:type limit, track by_src, count 1, seconds 600; classty