Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Office documents with commands in metadata

From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Mon, 11 Jun 2018 19:13:23 +0000
Hi,

This an attempt to detect documents with executable commands (certutil and powershell) in their metadata, which are 
accessed via embedded VBScript. Lab-generated pcaps of malicious documents are available. I added these under 
indicator-compromise, but I'm not sure if this is the appropriate category. Oh, and I am not sure if this a good 
detection idea; more testing is needed.

# --------------------
# Date: 2018-06-10
# Title: Office files with executable commands in metadata
# Reference: Research
# Hashes:
#     - f5f9f7f800a1f637395f34255e9937a878612573acf61dd41e1022869683e5da (no metadata)
#     - f87837b933d0cda0b23c1b2be6a05db40d480fe87edd9494f026b351e571f6aa
#     - fd8a6da88cfb37a8a220f4c5fb5bebc6dc8800e844a8ba843200037c86790c26
# Tests: pcap
# Confidence: low
# Notes: Seen in documents with CobaltStrike beaconing

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Office document with executable 
command in metadata"; flow:to_client,established; flowbits:isset,file.doc|file.xls; file_data; content:"|1E 00 00 00|"; 
nocase; byte_extract:1,0,command_depth,relative; content:"|00 00|certutil "; within:command_depth; nocase; content:" 
http"; within:command_depth; nocase; content:"|1E 00 00 00|"; distance:0; nocase; metadata:ruleset community, service 
http; classtype:misc-activity; sid:8000115; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Office document with executable 
command in metadata"; flow:to_client,established; flowbits:isset,file.doc|file.xls; file_data; content:"|1E 00 00 00|"; 
nocase; byte_extract:1,0,command_depth,relative; content:"|00 00|powershell"; within:command_depth; nocase; 
content:"|1E 00 00 00|"; distance:0; nocase; metadata:ruleset community, service http; classtype:misc-activity; 
sid:8000116; rev:1;)

Thanks.
YM

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
Previous By Date Next
Previous By Thread Next

Current thread: