
New malware/auth rules...

beave committed Aug 31, 2017
1 parent 37d8921 commit 618d8016f5a1430931a1b4d44e466e14ec146527
Showing with 15 additions and 2 deletions.
  1. +1 −1 .last_used_sid
  2. +7 −0 windows-auth.rules
  3. +6 −0 windows-malware.rules
  4. +1 −1 windows-sysmon.rules
@@ -1 +1 @@
5003199
5003203
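Review bot: .last_used_sid jumps from 5003199 to 5003203, but the rules added in this commit only consume 5003201, 5003202 and 5003203, so 5003200 is left unaccounted for; either use it for one of the new rules or note where it was spent, so the counter remains a true record of the last allocated sid.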
@@ -246,3 +246,10 @@ alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Possible Wind
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Possible Windows Broken Domain Trust [25/1]"; pcre: "/failed to authorize|wrong password given|repeated login failures|authentication failed|authentication failures|access denied|access not allowed|failed to authenticate/i"; content: "|24| Session ID|3a|"; content:!"access denied by ACL"; content:!"Kerberos"; parse_src_ip: 1; parse_port; parse_proto; classtype: unsuccessful-user; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; flowbits: set,brute_force,21600; reference: url,wiki.quadrantsec.com/bin/view/Main/5003107; sid:5003107; rev:2;)


# Steve Rawls (2017/08/31)

# 172.16.1.1|daemon|err|err|1b|2017-08-29|14:42:22|Directory-Services-SAM| 12294: The SAM database was unable to lockout the account of Administrator due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above.

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] SAM Database Unable to Lock Account"; program: "Directory-Services-SAM"; content: "12294|3a| "; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5003203; reference: url,technet.microsoft.com/en-us/library/cc733228(v=ws.10).aspx; sid:5003203; rev:1;)


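Review bot: the new 5003203 rule has no threshold or after clause, unlike the 5003107 rule in the context above it (`threshold: type limit, track by_src, count 1, seconds 86400;`), so a host that keeps failing to lock the same account will raise one alert per 12294 event during an attack; consider adding the same limit. Also reconsider `classtype: unsuccessful-user`: per the sample log, 12294 reports the SAM failing to apply a lockout because of a resource error, not a failed logon, so a class describing a system or resource error would be more accurate.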
@@ -302,3 +302,9 @@ alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya payl

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya detected by filename - Open source"; pcre: "/ 4663: | 567: | 5145: /"; meta_content: "%sagan%",myguy.xls,myguy.exe,BCA9D6.EXE,Order-20062017.doc; meta_nocase; classtype: trojan-activity; reference: url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5003124; rev:3;)

# Jennifer Shannon @ Quadrantsec (2017/08/31)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CryptoMix ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; meta_content: ".%sagan% ", empty,error,ogonia,cnc,exte; meta_nocase; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5003202; reference: url,www.bleepingcomputer.com/news/security/new-error-cryptomix-ransomware-variant-released/; sid:5003201; rev:1;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Locky/CryptoMix ransomware note detected"; pcre: "/ 4663: | 567: | 5145: /"; meta_nocase; content: "_HELP_instructions.txt "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5003202; reference: url,www.bleepingcomputer.com/news/security/new-error-cryptomix-ransomware-variant-released/; sid:5003202; rev:1;)

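Review bot: the 5003201 rule (CryptoMix extension) points its wiki reference at `Main/5003202`, which is the sid of the following rule; it should reference `Main/5003201`. In the 5003202 rule, `meta_nocase` appears with no `meta_content` to modify and should be dropped, since the `nocase` after the `_HELP_instructions.txt ` content already handles case for that match.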
@@ -37,7 +37,7 @@ alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] PSExec execu

# Sysmon| 1: Process Create: UtcTime: 2016-04-08 05:29:03.829 ProcessGuid: {E67F94C7-419F-5707-0000-00103FB11D00} ProcessId: 2920 Image: C:\Windows\System32\notepad.exe CommandLine: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\frankw\Desktop\_HELP_instructions.txt CurrentDirectory: C:\Users\frankw\AppData\Local\Temp\ User: frankw-PC\frankw LogonGuid: {E67F94C7-32CC-5707-0000-0020F4440100} LogonId: 0x144f4 TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=7EB0139D2175739B3CCB0D1110067820BE6ABD29,MD5=F2C7BB8ACC97F92E987A2D4087D021B1,SHA256=142E1D688EF0568370C37187FD9F2351D7DDEDA574F8BFA9B0FA4EF42DB85AA2 ParentProcessGuid: {E67F94C7-414A-5707-0000-001049CA1900} ParentProcessId: 1704 ParentImage: C:\Users\frankw\AppData\Local\Temp\30e22374e00af038d06063db14cb3797.exe ParentCommandLine: "C:\Users\frankw\AppData\Local\Temp\30e22374e00af038d06063db14cb3797.exe"

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Locky ransomware instructions detected!"; content: " 1: "; content: "notepad.exe"; nocase; content: "_HELP_instructions.txt "; classtype: trojan-activity; program: Sysmon; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002802; sid:5002802; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Locky/CrypoMix ransomware instructions detected!"; content: " 1: "; content: "notepad.exe"; nocase; content: "_HELP_instructions.txt "; classtype: trojan-activity; program: Sysmon; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002802; sid:5002802; rev:3;)

# vssadmin.exe is sometimes used by malware to delete shadow volume copied. Below is Locky:
# Champ Clark 04/08/2016
