Positive Research ptresearch

  • Positive Research Team
ptresearch / cve-2019-1040.rules
Created October 4, 2019 12:00
Drop the MIC detection
alert smb any any -> any any (msg: "ATTACK [PTsecurity] NTLM without MIC 'Drop the MIC' attack. Possible NTLM Relay"; flow: established, to_server; content: "NTLMSSP|00 03 00 00 00|"; content: "|40 00 00 00|"; within: 48; pcre: "/NTLMSSP\x00\x03\x00\x00\x00(?:........){0,5}[^\x00].[^\x00].\x40\x00\x00\x00/"; reference: cve, 2019-1040; reference: url, dirkjanm.io/exploiting-CVE-2019-1040-relay-vulnerabilities-for-rce-and-domain-admin; reference: url, github.com/ptresearch/AttackDetection; classtype: attempted-admin; sid: 10005314; rev: 1;)
ptresearch / Remcos_RAT.rules
Last active March 13, 2018 20:33
Remcos RAT suricata rules
alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET TROJAN [PTsecurity] REMCOS pkt checker 0"; flow:established, to_server; dsize:200<>700; stream_size:client,>,200; stream_size:server,=,1; stream_size:client, <,700; flowbits: noalert; flowbits:set,FB180732_0; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024694; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_11, malware_family Remcos, performance_impact Moderate, updated_at 2017_10_12, id_361346;)
alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] REMCOS pkt checker 1"; flow:established, to_client; dsize:25<>35; stream_size:server,<,35; stream_size:client,<,700; stream_size:server,>,25; stream_size:client,>,200; flowbits:isset,FB180732_0; flowbits:unset, FB180732_0; flowbits: noalert; flowbits:set,FB180732_1; metadata: former_category TROJAN; classtype:trojan-activity; s
ptresearch / Adwind_RAT.rules
Last active February 26, 2018 18:18
Adwind RAT suricata rules
########################## Adwind RAT
alert tls $EXTERNAL_NET any -> $HOME_NET any ( msg: "ET TROJAN [PTsecurity] Backdoor.Java.Adwind.cu Certificate flowbit set 1"; flow: established, to_client;content: "|3082|";depth:300; content: "|3082|";distance:2;within:2; content: "|a00302010202|";distance:2;within:6; flowbits: set, FB332502_; threshold: type limit, track by_src, count 1, seconds 30; flowbits: noalert ; metadata: former_category TROJAN; reference:md5,56e42156a1676b34f5350c01e34875d1; classtype:trojan-activity; sid:2024751; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_21, malware_family Adwind, performance_impact Moderate, updated_at 2018_01_30;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg: "ET TROJAN [PTsecurity] Backdoor.Java.Adwind.cu pkt Checker flowbit set 2"; flow: established, to_server; content: "|1703|"; depth:2; content: "|0040|"; distance:1; within:2; fast