# implant.js Suricata 7.0.3 rules
# Written by the Proofpoint Emerging Threats Team, specifically Genina Po (@bingohotdog) and Stuart Del Caliz
#
# How this set fits together:
#   - Every rule keys on TCP port 1337 and uses the tcp-pkt protocol keyword, so each
#     rule inspects the payload of a single TCP segment, not the reassembled stream.
#   - Session state is carried by two flowbits:
#       ET.implantjs.syn  set by sid 2060254 on the client's 2-byte HS_SYN (13 37)
#       ET.implantjs.ack  set by sid 2060257 on the server's 2-byte HS_ACK (73 31)
#     Every rule after the HUNTING rule requires one of these bits. A flow whose
#     handshake the sensor did not see (asymmetric routing, sensor started mid-session,
#     non-default port) therefore produces no MALWARE alerts at all.
#   - No rule unsets a flowbit, so once the handshake is observed the stateful rules
#     stay armed for the life of that TCP connection.
#
# Deployer caveats:
#   - The C2 port is hard-coded to 1337 in every rule; an operator who moves the
#     listener to another port evades the whole set. Widen to 'any' only if sensor
#     load allows, since the HUNTING rule would then see every 2-byte outbound payload.
#   - The length-checked rules (2060259/2060260/2060265/2060266) only reject a segment
#     that carries bytes past the declared frame end; a frame split across several
#     segments still matches on its first segment.

# 2060254 - HUNTING, client->server: exactly 2 payload bytes 0x13 0x37 (HS_SYN).
# Sets ET.implantjs.syn. Kept at classtype bad-unknown because a 2-byte payload on
# port 1337 is a weak indicator by itself; its job is to arm the stateful rules below.
alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 1337 (msg:"ET HUNTING implant.js CnC Handshake (HS_SYN)"; flow:established,to_server; flowbits:set,ET.implantjs.syn; dsize:2; content:"|13 37|"; reference:url,github.com/captainGeech42/implant.js; reference:url,districtcon.org/bios-and-talks-2025/implantjs-modular-malware; classtype:bad-unknown; sid:2060254; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2025_02_21, deployment Perimeter, confidence High, signature_severity Major, tag c2, updated_at 2025_02_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
# 2060255 / 2060256 - client->server 1-byte check-in after HS_SYN:
# 0xc1 is labelled the Linux beacon, 0xc2 the Windows beacon (per msg/affected_product).
alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 1337 (msg:"ET MALWARE implant.js Linux Beacon Check-in"; flow:established,to_server; flowbits:isset,ET.implantjs.syn; dsize:1; content:"|c1|"; reference:url,github.com/captainGeech42/implant.js; reference:url,districtcon.org/bios-and-talks-2025/implantjs-modular-malware; classtype:trojan-activity; sid:2060255; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2025_02_21, deployment Perimeter, confidence High, signature_severity Major, tag c2, updated_at 2025_02_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 1337 (msg:"ET MALWARE implant.js Windows Beacon Check-in"; flow:established,to_server; flowbits:isset,ET.implantjs.syn; dsize:1; content:"|c2|"; reference:url,github.com/captainGeech42/implant.js; reference:url,districtcon.org/bios-and-talks-2025/implantjs-modular-malware; classtype:trojan-activity; sid:2060256; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2025_02_21, deployment Perimeter, confidence High, signature_severity Major, tag c2, updated_at 2025_02_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
# 2060257 - server->client 2-byte HS_ACK (0x73 0x31). Requires the syn bit and sets
# ET.implantjs.ack, which gates every remaining rule in this file.
alert tcp-pkt $EXTERNAL_NET 1337 -> $HOME_NET any (msg:"ET MALWARE implant.js CnC Handshake (HS_ACK)"; flow:established,to_client; flowbits:isset,ET.implantjs.syn; flowbits:set,ET.implantjs.ack; dsize:2; content:"|73 31|"; reference:url,github.com/captainGeech42/implant.js; reference:url,districtcon.org/bios-and-talks-2025/implantjs-modular-malware; classtype:trojan-activity; sid:2060257; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2025_02_21, deployment Perimeter, confidence High, signature_severity Major, tag c2, updated_at 2025_02_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
# 2060258 - client->server 1-byte PKT_FETCH (0x80). Thresholded (type threshold,
# track by_src): alerts on every 5th fetch from the same source within 60 seconds,
# presumably so an isolated poll does not alert on its own.
alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 1337 (msg:"ET MALWARE implant.js CnC Activity (Client PKT_FETCH for Evil Module)"; flow:established,to_server; flowbits:isset,ET.implantjs.ack; dsize:1; content:"|80|"; threshold: type threshold, track by_src, count 5, seconds 60; reference:url,github.com/captainGeech42/implant.js; reference:url,districtcon.org/bios-and-talks-2025/implantjs-modular-malware; classtype:trojan-activity; sid:2060258; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2025_02_21, deployment Perimeter, confidence High, signature_severity Major, tag c2, updated_at 2025_02_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
# 2060259 / 2060260 - server->client module delivery. Frame begins 0x81 followed by a
# debug flag byte (01 = DebugMode on, 00 = off). byte_math reads the 4 bytes right
# after that 2-byte header as the length (default big-endian), adds 6 (2 header +
# 4 length bytes) and stores the total in 'length'. isdataat:!length (absolute, not
# relative) then asserts there is no payload byte at that offset, i.e. the segment
# carries nothing beyond the declared frame. A frame longer than the segment still
# passes, so this is a plausibility check on the length field, not a completeness check.
alert tcp-pkt $EXTERNAL_NET 1337 -> $HOME_NET any (msg:"ET MALWARE implant.js CnC Activity (Evil Module Sent with DebugMode=ON)"; flow:established,to_client; flowbits:isset,ET.implantjs.ack; content:"|81 01|"; startswith; byte_math:bytes 4, offset 0,oper +,rvalue 6,result length,relative; isdataat:!length; reference:url,github.com/captainGeech42/implant.js; reference:url,districtcon.org/bios-and-talks-2025/implantjs-modular-malware; classtype:trojan-activity; sid:2060259; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2025_02_21, deployment Perimeter, performance_impact Moderate, confidence High, signature_severity Major, tag c2, updated_at 2025_02_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
alert tcp-pkt $EXTERNAL_NET 1337 -> $HOME_NET any (msg:"ET MALWARE implant.js CnC Activity (Evil Module Sent with DebugMode=OFF)"; flow:established,to_client; flowbits:isset,ET.implantjs.ack; content:"|81 00|"; startswith; byte_math:bytes 4, offset 0,oper +,rvalue 6,result length,relative; isdataat:!length; reference:url,github.com/captainGeech42/implant.js; reference:url,districtcon.org/bios-and-talks-2025/implantjs-modular-malware; classtype:trojan-activity; sid:2060260; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2025_02_21, deployment Perimeter, performance_impact Moderate, confidence High, signature_severity Major, tag c2, updated_at 2025_02_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
# 2060261 - server->client debug command with the 0xdd debug marker: first byte 0xdd,
# second byte in 0xe0..0xe9. The two byte_tests bracket the value (> 0xdf and < 0xea);
# byte_test does not advance the inspection pointer, so both read the byte after 0xdd.
alert tcp-pkt $EXTERNAL_NET 1337 -> $HOME_NET any (msg:"ET MALWARE implant.js CnC Activity (Evil DBG_CMD_* Sent with DebugMode=ON)"; flow:established,to_client; flowbits:isset,ET.implantjs.ack; content:"|dd|"; startswith; byte_test:1,>,0xdf,0,relative; byte_test:1,<,0xea,0,relative; reference:url,github.com/captainGeech42/implant.js; reference:url,districtcon.org/bios-and-talks-2025/implantjs-modular-malware; classtype:trojan-activity; sid:2060261; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2025_02_21, deployment Perimeter, confidence High, signature_severity Major, tag c2, updated_at 2025_02_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
# 2060262 - same 0xe0..0xe9 command byte but at payload offset 0 (no 0xdd marker,
# i.e. DebugMode off). No content anchor, so this byte range is tested on every
# server->client segment of an acked flow.
# NOTE(review): the first byte_test carries 'relative' with no preceding content
# match to be relative to, the second does not, and sibling 2060264 uses neither.
# Suricata appears to fall back to the payload start here so matching is unaffected,
# but the stray modifier should be dropped at the next rev for consistency. This rule
# and 2060263 are also the only ones without affected_product metadata.
alert tcp-pkt $EXTERNAL_NET 1337 -> $HOME_NET any (msg:"ET MALWARE implant.js CnC Activity (Evil DBG_CMD_* Sent)"; flow:established,to_client; flowbits:isset,ET.implantjs.ack; byte_test:1,>,0xdf,0,relative; byte_test:1,<,0xea,0; reference:url,github.com/captainGeech42/implant.js; reference:url,districtcon.org/bios-and-talks-2025/implantjs-modular-malware; classtype:trojan-activity; sid:2060262; rev:1; metadata:attack_target Client_Endpoint, created_at 2025_02_21, deployment Perimeter, confidence High, signature_severity Major, tag c2, updated_at 2025_02_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
# 2060263 - client->server debug response with marker: 0xdd then a byte in 0xf0..0xf3.
# NOTE(review): msg says "Activity" where every sibling says "CnC Activity"; align at
# the next rev so alert names sort and filter together.
alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 1337 (msg:"ET MALWARE implant.js Activity (DBG_RESP_* with DebugMode=ON)"; flow:established,to_server; flowbits:isset,ET.implantjs.ack; content:"|dd|"; startswith; byte_test:1,>,0xef,0,relative; byte_test:1,<,0xf4,0,relative; reference:url,github.com/captainGeech42/implant.js; reference:url,districtcon.org/bios-and-talks-2025/implantjs-modular-malware; classtype:trojan-activity; sid:2060263; rev:1; metadata:attack_target Client_Endpoint, created_at 2025_02_21, deployment Perimeter, confidence High, signature_severity Major, tag c2, updated_at 2025_02_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
# 2060264 - client->server debug response byte 0xf0..0xf3 at payload offset 0
# (DebugMode off). Like 2060262, no content anchor; gated only by the ack flowbit.
alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 1337 (msg:"ET MALWARE implant.js CnC Activity (DBG_RESP_* Sent)"; flow:established,to_server; flowbits:isset,ET.implantjs.ack; byte_test:1,>,0xef,0; byte_test:1,<,0xf4,0; reference:url,github.com/captainGeech42/implant.js; reference:url,districtcon.org/bios-and-talks-2025/implantjs-modular-malware; classtype:trojan-activity; sid:2060264; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2025_02_21, deployment Perimeter, confidence High, signature_severity Major, tag c2, updated_at 2025_02_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
# 2060265 / 2060266 - client->server module execution result: 0xa0 = success,
# 0xa1 = fail, followed by what the rule treats as a 4-byte length and a body, with
# the same length plausibility check as the module-delivery rules.
# NOTE(review): rvalue is 6 here as in 2060259/2060260, although the content anchor
# is one byte (0xa0/0xa1) rather than two (0x81 + flag). Confirm against the
# implant's packet layout whether the result header really is 2 bytes; if it is
# only 1 byte the bound is off by one, which merely loosens the negated isdataat
# by a byte but is worth pinning.
alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 1337 (msg:"ET MALWARE implant.js CnC Activity (Evil Module Execution=Success)"; flow:established,to_server; flowbits:isset,ET.implantjs.ack; content:"|a0|"; startswith; byte_math:bytes 4, offset 0,oper +,rvalue 6,result length,relative; isdataat:!length; reference:url,github.com/captainGeech42/implant.js; reference:url,districtcon.org/bios-and-talks-2025/implantjs-modular-malware; classtype:trojan-activity; sid:2060265; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2025_02_21, deployment Perimeter, confidence High, signature_severity Major, tag c2, updated_at 2025_02_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 1337 (msg:"ET MALWARE implant.js CnC Activity (Evil Module Execution=Fail)"; flow:established,to_server; flowbits:isset,ET.implantjs.ack; content:"|a1|"; startswith; byte_math:bytes 4, offset 0,oper +,rvalue 6,result length,relative; isdataat:!length; reference:url,github.com/captainGeech42/implant.js; reference:url,districtcon.org/bios-and-talks-2025/implantjs-modular-malware; classtype:trojan-activity; sid:2060266; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2025_02_21, deployment Perimeter, confidence High, signature_severity Major, tag c2, updated_at 2025_02_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)