@ptresearch
Last active February 26, 2018 18:18
Adwind RAT suricata rules
########################## Adwind RAT
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg: "ET TROJAN [PTsecurity] Backdoor.Java.Adwind.cu Certificate flowbit set 1"; flow: established, to_client; content: "|3082|"; depth:300; content: "|3082|"; distance:2; within:2; content: "|a00302010202|"; distance:2; within:6; flowbits: set, FB332502_; threshold: type limit, track by_src, count 1, seconds 30; flowbits: noalert; metadata: former_category TROJAN; reference:md5,56e42156a1676b34f5350c01e34875d1; classtype:trojan-activity; sid:2024751; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_21, malware_family Adwind, performance_impact Moderate, updated_at 2018_01_30;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg: "ET TROJAN [PTsecurity] Backdoor.Java.Adwind.cu pkt Checker flowbit set 2"; flow: established, to_server; content: "|1703|"; depth:2; content: "|0040|"; distance:1; within:2; fast_pattern; stream_size: server, >,1689; stream_size: server, <,2124; stream_size: client, >,447; stream_size: client, <,1722; flowbits: isset, FB332502_; flowbits: set, FB332502_0; flowbits: noalert; metadata: former_category TROJAN; reference:md5,56e42156a1676b34f5350c01e34875d1; classtype:trojan-activity; sid:2024752; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_21, malware_family Adwind, performance_impact Moderate, updated_at 2018_01_30;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg: "ET TROJAN [PTsecurity] Backdoor.Java.Adwind.cu pkt Checker flowbit set 3"; flow: established, to_client; content: "|1703|"; depth:2; content: "|0040|"; distance:1; within:2; fast_pattern; stream_size: server, >,1658; stream_size: server, <,2124; stream_size: client, >,447; stream_size: client, <,1722; flowbits: isset, FB332502_0; flowbits: unset, FB332502_0; flowbits: set, FB332502_1; flowbits: noalert; metadata: former_category TROJAN; reference:md5,56e42156a1676b34f5350c01e34875d1; classtype:trojan-activity; sid:2024753; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_21, malware_family Adwind, performance_impact Moderate, updated_at 2018_01_30;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg: "ET TROJAN [PTsecurity] Backdoor.Java.Adwind.cu pkt Checker flowbit set 4"; flow: established, to_server; content: "|1703|"; depth:2; byte_test: 2, >=,900, 1, relative; byte_test: 2, <=,1100, 1, relative; stream_size: server, >,1758; stream_size: server, <,2124; stream_size: client, >,1376; stream_size: client, <,5922; flowbits: isset, FB332502_1; flowbits: unset, FB332502_1; flowbits: set, FB332502_2; flowbits: noalert; metadata: former_category TROJAN; reference:md5,56e42156a1676b34f5350c01e34875d1; classtype:trojan-activity; sid:2024754; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_21, malware_family Adwind, performance_impact Moderate, updated_at 2018_01_30;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg: "ET TROJAN [PTsecurity] Backdoor.Java.Adwind.cu pkt Checker flowbit set 5"; flow: established, to_client; content: "|1703|"; depth:2; content: "|0050|"; distance:1; within:2; fast_pattern; stream_size: server, >,1843; stream_size: server, <,2924; stream_size: client, >,1476; stream_size: client, <,9722; flowbits: isset, FB332502_2; flowbits: unset, FB332502_2; flowbits: set, FB332502_3; flowbits: noalert; metadata: former_category TROJAN; reference:md5,56e42156a1676b34f5350c01e34875d1; classtype:trojan-activity; sid:2024755; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_21, malware_family Adwind, performance_impact Moderate, updated_at 2018_02_26;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg: "ET TROJAN [PTsecurity] Backdoor.Java.Adwind.cu"; flow: established, to_client; content: "|1703|"; depth:2; content: "|0050|"; distance:1; within:2; fast_pattern; stream_size: server, >,1843; stream_size: server, <,3036; stream_size: client, >,1476; stream_size: client, <,9834; flowbits: isset, FB332502_3; flowbits: unset, FB332502_3; threshold: type limit, track by_src, count 1, seconds 30; metadata: former_category TROJAN; reference:md5,56e42156a1676b34f5350c01e34875d1; classtype:trojan-activity; sid:2024756; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_21, malware_family Adwind, performance_impact Moderate, updated_at 2018_02_14;)
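An added consistency check for the flowbit chain above, written here as example code that is not part of the gist: it parses a constructed, reduced copy of the six rules (only msg, flowbits and sid, with the page's own values), confirms every isset/unset bit has a setter, walks the noalert hand-offs in order, and verifies the chain ends in the one rule that actually fires (sid 2024756).

```python
import re
# Constructed reduction of the six Adwind rules above (msg, flowbits, sid only; page values).
RULES = """
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"Certificate flowbit set 1"; flowbits: set, FB332502_; flowbits: noalert ; sid:2024751;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"pkt Checker flowbit set 2"; flowbits: isset, FB332502_; flowbits: set, FB332502_0; flowbits: noalert ; sid:2024752;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"pkt Checker flowbit set 3"; flowbits: isset, FB332502_0; flowbits: unset, FB332502_0; flowbits: set, FB332502_1; flowbits: noalert ; sid:2024753;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"pkt Checker flowbit set 4"; flowbits: isset, FB332502_1; flowbits: unset, FB332502_1; flowbits: set, FB332502_2; flowbits: noalert ; sid:2024754;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"pkt Checker flowbit set 5"; flowbits: isset, FB332502_2; flowbits: unset, FB332502_2; flowbits: set, FB332502_3; flowbits: noalert; sid:2024755;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"Backdoor.Java.Adwind.cu"; flowbits: isset, FB332502_3; flowbits: unset, FB332502_3; sid:2024756;)
"""

FLOWBIT_RE = re.compile(r"flowbits:\s*(\w+)\s*(?:,\s*([\w.]+))?\s*;")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")

def parse_rules(text):
    """One record per rule: sid, bits it sets/requires/clears, whether it alerts."""
    rules = []
    for line in (l.strip() for l in text.splitlines()):
        if not line.startswith("alert"):
            continue
        rec = {"sid": int(SID_RE.search(line).group(1)), "set": set(), "isset": set(), "unset": set(), "alerts": True}
        for action, bit in FLOWBIT_RE.findall(line):
            if action == "noalert":
                rec["alerts"] = False      # intermediate state, must not fire on its own
            elif action in ("set", "isset", "unset"):
                rec[action].add(bit)
        rules.append(rec)
    return rules

def check_chain(text):
    """Report dangling bits and walk the chain from its root to the alerting rule."""
    rules, issues = parse_rules(text), []
    set_by = {b: r["sid"] for r in rules for b in r["set"]}
    for r in rules:
        for b in r["isset"] | r["unset"]:
            if b not in set_by:
                issues.append(f"sid {r['sid']}: bit {b} is never set")
        if not r["alerts"] and not r["set"]:
            issues.append(f"sid {r['sid']}: noalert rule sets no bit (dead end)")
    roots = [r for r in rules if r["set"] and not r["isset"]]
    if len(roots) != 1:
        return {"issues": issues + [f"expected one chain root, found {len(roots)}"], "chain": []}
    chain, cur = [], roots[0]
    while cur and cur["sid"] not in chain:      # stop on cycle or when nobody consumes our bit
        chain.append(cur["sid"])
        nxt = [r for r in rules if r["isset"] & cur["set"]]
        cur = nxt[0] if nxt else None
    if not next(r for r in rules if r["sid"] == chain[-1])["alerts"]:
        issues.append("chain ends in a noalert rule; nothing ever fires")
    return {"issues": issues, "chain": chain}
```

Run `check_chain(RULES)` against the full rule file to get the same result; deleting one `set` option from any intermediate rule surfaces both the dangling bit and the now-silent chain end.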