by Scott Muniz | Aug 4, 2022 | Security, Technology
This article is contributed. See the original author and article here.
|
Agent Tesla
|
alert any any -> any any (msg:”HTTP GET request /aw/aw.exe”; flow:established,to_server; sid:1; rev:1; content:”GET”; http_method; content:”/aw/aw.exe”; http_uri; reference:url, https://www.datto.com/blog/what-is-agent-tesla-spyware-and-how-does-it-work; metadata:service http;)
|
|
AZORult
|
alert tcp any any -> any any (msg:”HTTP Server Content Data contains ‘llehS|2e|tpircSW'”; sid:1; rev:1; flow:established,from_server; file_data; content:”llehS|2e|tpircSW”; nocase; fast_pattern:only; pcre:”/GCM(?:x20|%20)*W-O*/i”; reference:url,maxkersten.nl/binary-analysis-course/malware-analysis/azorult-loader-stages/; metadata:service http;)
|
|
AZORult
|
alert tcp any any -> any any (msg:”HTTP POST Client Body contains ‘J/|fb|’ and ‘/|fb|'”; sid:1; rev:1; flow:established,to_server; content:”POST”; http_method; content:”.php”; http_uri; content:”J/|fb|”; http_client_body; fast_pattern; content:”/|fb|”; http_client_body; depth:11; content:!”Referer|3a 20|”; http_header; metadata:service http;)
|
|
FormBook
|
alert tcp any any -> any any (msg:”HTTP URI POST contains ‘&sql=1’ at the end”; sid:1; rev:1; flow:established,to_server; content:”&sql=1″; http_uri; fast_pattern:only; content:”POST”; http_method; pcre:”/(?(DEFINE)(?’b64std'[a-zA-Z0-9+/=]+?))(?(DEFINE)(?’b64url'[a-zA-Z0-9_-]+?))^/[a-z0-9]{3,4}/?(?P>b64url){3,8}=(?P>b64std){40,90}&(?P>b64url){2,6}=(?P>b64url){4,11}&sql=1$/iU”; reference:url,www.malware-traffic-analysis.net/2018/02/16/index.html; metadata:service http;)
|
|
alert tcp any any -> any any (msg:”HTTP URI GET/POST contains ‘/list/hx28/config.php?id='”; sid:1; rev:1; flow:established,to_server; content:”/list/hx28/config.php?id=”; http_uri; fast_pattern:only; content:”Connection|3a 20|close|0d 0a|”; http_header; reference:url,www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html; metadata:service http;)
|
|
Ursnif
|
alert tcp any any -> any any (msg:”HTTP POST Data contains .bin filename, long URI contains ‘/images/'”; sid:1; rev:1; flow:established,to_server; urilen:>60,norm; content:”/images/”; http_uri; depth:8; content:”POST”; nocase; http_method; content:”Content-Disposition|3a 20|form-data|3b 20|name=|22|upload_file|22 3b 20|filename=|22|”; http_client_body; content:”|2e|bin|22 0d 0a|”; http_client_body; distance:1; within:32; fast_pattern; reference:url,www.broadanalysis.com/2016/03/23/angler-ek-sends-data-stealing-payload/; metadata:service http;)
|
|
alert tcp any any -> any any (msg:”HTTP URI GET/POST contains ‘/images/’ plus random sub directories and an Image File (Ursnif)”; sid:1; rev:1; flow:established,to_server; content:”/images/”; http_uri; fast_pattern:only; content:!”Host: www.urlquery.net”; http_header; pcre:”//images(/(?=[a-z0-9_]{0,22}[A-Z][a-z0-9_]{0,22}[A-Z])(?=[A-Z0-9_]{0,22}[a-z])[A-Za-z0-9_]{1,24}){5,20}/[a-zA-Z0-9_]+.(?:gif|jpeg|jpg|bmp)$/U”; metadata:service http)
|
|
LokiBot
|
alert tcp any any -> any any (msg:”HTTP Client Header contains ‘User-Agent|3a 20|Mozilla/4.08 (Charon|3b| Inferno)'”; sid:1; rev:1; flow:established,to_server; content:”User-Agent|3a 20|Mozilla/4.08 (Charon|3b| Inferno)|0d 0a|”; http_header; fast_pattern:only; metadata:service http; )
|
|
LokiBot
|
alert tcp any any -> any any (msg:”HTTP URI POST contains ‘/*/fre.php’ post-infection”; sid:1; rev:1; flow:established,to_server; content:”/fre.php”; http_uri; fast_pattern:only; urilen:<50,norm; content:”POST”; nocase; http_method; pcre:”//(?:alien|lokyd|donep|jemp|lokey|new2|loki|Charles|sev7n|dbwork|scroll/NW|wrk|job|fived?|donemy|animationdkc|love|Masky|vd|lifetn|Ben)/fre.php$/iU”; metadata:service http;)
|
|
LokiBot
|
alert tcp any any -> any any (msg:”HTTP URI POST contains ‘/w.php/'”; sid:1; rev:1; flow:established,to_server; content:”/w.php/”; http_uri; fast_pattern:only; content:”POST”; nocase; http_method; pcre:”//w+/w.php/[a-z]{13}$/iU”; metadata:service http;)
|
|
MOUSEISLAND
|
alert tcp any any -> any any (msg:”HTTP URI GET contains ‘/assets/<8-80 hex>/<4-16 alnum>?<3-6 alnum>='”; sid:9206287; rev:1; flow:established,to_server; content:”/assets/”; http_uri; fast_pattern:only; content:”HTTP/1.1|0d 0a|”; depth:256; content:!”|0d 0a|Cookie:”; content:!”|0d 0a|Referer:”; pcre:”//assets/[a-fA-F0-9/]{8,80}/[a-zA-Z0-9]{4,16}?[a-z0-9]{3,6}=/U”; metadata:service http;)
|
|
NanoCore
|
alert tcp any any -> any 25 (msg:”SMTP Attachment Filename ‘Packinglist-Invoice101.pps'”; sid:1; rev:1; flow:established,to_server,only_stream; content:”Content-Disposition|3a 20|attachment|3b|”; content:”Packinglist-Invoice101.pps”; nocase; distance:0; fast_pattern; pcre:”/Content-Dispositionx3ax20attachmentx3b[x20trn]+?(?:file)*?name=x22*?Packinglist-Invoice101.ppsx22*?/im”; reference:cve,2014-4114; reference:msb,MS14-060; reference:url,researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-family-exposed/; reference:url,www.fidelissecurity.com/sites/default/files/FTA_1017_Phishing_in_Plain_Sight-Body-FINAL.pdf; reference:url,www.fidelissecurity.com/sites/default/files/FTA_1017_Phishing_in_Plain_Sight-Appendix-FINAL.pdf;)
|
|
NanoCore
|
alert tcp any any -> any any (msg:”HTTP Client Header contains ‘Host|3a 20|frankief hopto me’ (GenericKD/Kazy/NanoCore/Recam)”; sid:1; rev:1; flow:established,to_server; content:”Host|3a 20|frankief|2e|hopto|2e|me|0d 0a|”; http_header; fast_pattern:only; metadata:service http;)
|
|
NanoCore
|
alert tcp any any -> any any (msg:”HTTP GET URI contains ‘FAD00979338′”; sid:1; rev:1; flow:established,to_server; content:”GET”; http_method; content:”getPluginName.php?PluginID=FAD00979338″; fast_pattern; http_uri; metadata:service http;)
|
|
Qakbot
|
alert tcp any any -> any any (msg:”HTTP URI GET /t?v=2&c= (Qakbot)”; sid:1; rev:1; flow:established,to_server; content:”/t?v=2&c=”; http_uri; depth:9; fast_pattern; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf;)
|
|
Qakbot
|
alert tcp any any -> any 21 (msg:”Possible FTP data exfiltration”; sid:1; rev:1; flow:to_server,established; content:”STOR si_”; content:”.cb”; within:50; reference:url,attack.mitre.org/techniques/T1020; reference:url,www.virustotal.com/en/file/3104ff71bf880bc40d096eca7d1ccc3f762ea6cc89743c6fef744fd76d441d1b/analysis/; metadata:service ftp-ctrlchan;)
|
|
Qakbot
|
alert tcp any any -> any any (msg:”Malicious executable download attempt”; sid:1; rev:1; flow:to_client,established; file_type:MSEXE; file_data; content:”|52 DB 91 CB FE 67 30 9A 8E 72 28 4F 1C A9 81 A1 AA BE AC 8D D9 AB E4 15 EF EA C6 73 89 9F CF 2E|”; fast_pattern:only; reference:url,virustotal.com/#/file/ad815edc045c779628db3a3397c559ca08f012216dfac4873f11044b2aa1537b/detection; metadata:service http;)
|
|
Qakbot
|
alert tcp any any -> any any (msg:”HTTP POST URI contains ‘odin/si.php?get&'”; sid:1; rev:1; flow:to_server,established; content:”/odin/si.php?get&”; fast_pattern:only; http_uri; content:”news_slist”; http_uri; content:”comp=”; http_uri; reference:url,www.virustotal.com/en/file/478132b5c80bd41b8c11e5ed591fdf05d52e316d40f7c4abf4bfd25db2463dff/analysis/1464186685/; metadata:service http;)
|
|
Qakbot
|
alert tcp any any -> any any (msg:”HTTP URI contains ‘/random750x750.jpg?x='”; sid:1; rev:1; flow:to_server,established; content:”/random750x750.jpg?x=”; fast_pattern:only; http_uri; content:”&y=”; http_uri; content:”Accept|3a 20|application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*|0d 0a|”; http_header; content:”Cache-Control|3a 20|no-cache|0d 0a|”; http_header; content:!”Accept-“; http_header; content:!”Referer”; http_header; reference:url,www.virustotal.com/en/file/1826dba769dad9898acd95d6bd026a0b55d0a093a267b481695494f3ab547088/analysis/1461598351/; metadata:service http;)
|
|
Qakbot
|
alert tcp any any -> any any (msg:”HTTP URI contains ‘/datacollectionservice.php3′”; sid:1; rev:1; flow:to_server,established; content:”/datacollectionservice.php3″; fast_pattern:only; http_uri; metadata:service http;)
|
|
Qakbot
|
alert tcp any any -> any any (msg:”HTTP header contains ‘Accept|3a 20|application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*|0d 0a|'”; sid:1; rev:1; flow:to_server,established; urilen:30<>35,norm; content:”btst=”; http_header; content:”snkz=”; http_header; content:”Accept|3a 20|application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*|0d 0a|”; fast_pattern:only; http_header; content:”Cache-Control|3a 20|no-cache|0d 0a|”; http_header; content:!”Connection”; http_header; content:!”Referer”; http_header; reference:url,www.virustotal.com/en/file/1826dba769dad9898acd95d6bd026a0b55d0a093a267b481695494f3ab547088/analysis/1461598351/; metadata:service http;)
|
|
Qakbot
|
alert tcp any any -> any 21 (msg:”Possible ps_dump FTP exfil”; sid:1; rev:1; flow:to_server,established; content:”ps_dump”; fast_pattern:only; pcre:”/ps_dump_[^_]+_[a-z]{5}d{4}x2Ekcb/smi”; reference:url,www.threatexpert.com/report.aspx?md5=8171d3223f89a495f98c4e3a65537b8f; metadata:service ftp;)
|
|
Qakbot
|
alert tcp any any -> any 21 (msg:”Possible seclog FTP exfil”; sid:1; rev:1; flow:to_server,established; content:”seclog”; fast_pattern:only; pcre:”/seclog_[a-z]{5}d{4}_d{10}x2Ekcb/smi”; reference:url,www.threatexpert.com/report.aspx?md5=8171d3223f89a495f98c4e3a65537b8f; metadata:service ftp;)
|
|
Qakbot
|
alert tcp any any -> any any (msg:”HTTP URI contains ‘/cgi-bin/jl/jloader.pl'”; sid:1; rev:1; flow:to_server,established; content:”/cgi-bin/jl/jloader.pl”; fast_pattern:only; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=8171d3223f89a495f98c4e3a65537b8f; metadata:service http;)
|
|
Qakbot
|
alert tcp any any -> any any (msg:”HTTP URI contains ‘/cgi-bin/clientinfo3.pl'”; sid:1; rev:1; flow:to_server,established; content:”/cgi-bin/clientinfo3.pl”; fast_pattern:only; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=8171d3223f89a495f98c4e3a65537b8f; metadata:service http;)
|
|
Qakbot
|
alert tcp any any -> any any (msg:”HTTP URI contains ‘/u/updates.cb'”; sid:1; rev:1; flow:to_server,established; content:”/u/updates.cb”; fast_pattern:only; http_uri; pcre:”/^Hostx3A[^rn]+((upd+)|(adserv))/Hmi”; reference:url,www.threatexpert.com/report.aspx?md5=8171d3223f89a495f98c4e3a65537b8f; metadata:service http;)
|
|
Qakbot
|
alert tcp any any -> any any (msg:”HTTP response content contains ‘|47 65 74 46 69 6C 65 46 72 6F 6D 52 65 73 6F 75 72 63 65 73 28 29 3A 20 4C 6F 61 64 52 65 73 6F 75 72 63 65 28 29 20 66 61 69 6C 65 64|'”; sid:1; rev:1; flow:to_client,established; file_data; content:”|47 65 74 46 69 6C 65 46 72 6F 6D 52 65 73 6F 75 72 63 65 73 28 29 3A 20 4C 6F 61 64 52 65 73 6F 75 72 63 65 28 29 20 66 61 69 6C 65 64|”; fast_pattern:only; content:”|47 65 74 46 69 6C 65 46 72 6F 6D 52 65 73 6F 75 72 63 65 73 28 29 3A 20 43 72 65 61 74 65 46 69 6C 65 28 29 20 66 61 69 6C 65 64|”; content:”|52 75 6E 45 78 65 46 72 6F 6D 52 65 73 28 29 20 73 74 61 72 74 65 64|”; content:”|73 7A 46 69 6C 65 50 61 74 68 3D|”; content:”|5C 25 75 2E 65 78 65|”; reference:url,www.virustotal.com/en/file/23e72e8b5e7856e811a326d1841bd2ac27ac02fa909d0a951b0b8c9d1d6aa61c/analysis; metadata:service ftp-data,service http;)
|
|
Qakbot
|
alert tcp any any -> any any (msg:”HTTP POST URI contains ‘v=3&c='”; sid:1; rev:1; flow:to_server,established; content:”/t”; http_uri; content:”POST”; http_method; content:”v=3&c=”; depth:6; http_client_body; content:”==”; within:2; distance:66; http_client_body; reference:url,www.virustotal.com/en/file/3104ff71bf880bc40d096eca7d1ccc3f762ea6cc89743c6fef744fd76d441d1b/analysis/; metadata:service http;)
|
|
Qakbot
|
alert tcp any any -> any any (msg:”HTTP URI GET contains ‘/<alpha>/595265.jpg'”; sid:1; rev:1; flow:established,to_server; content:”/595265.jpg”; http_uri; fast_pattern:only; content:”GET”; nocase; http_method; pcre:”/^/[a-z]{5,15}/595265.jpg$/U”; reference:url,www.virustotal.com/gui/file/3104ff71bf880bc40d096eca7d1ccc3f762ea6cc89743c6fef744fd76d441d1b/detection; metadata:service http;)
|
|
Remcos
|
alert tcp any any -> any any (msg:”Non-Std TCP Client Traffic contains ‘|1b 84 d5 b0 5d f4 c4 93 c5 30 c2|’ (Checkin #23)”; sid:1; rev:1; flow:established,to_server; dsize:<700; content:”|1b 84 d5 b0 5d f4 c4 93 c5 30 c2|”; depth:11; fast_pattern; content:”|da b1|”; distance:2; within:2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/analysis-new-remcos-rat-arrives-via-phishing-email/; reference:url,isc.sans.edu/forums/diary/Malspam+using+passwordprotected+Word+docs+to+push+Remcos+RAT/25292/; reference:url,www.malware-traffic-analysis.net/2019/09/03/index.html; reference:url,www.malware-traffic-analysis.net/2017/10/27/index.html;)
|
|
TrickBot
|
alert tcp any any -> any any (msg:”HTTP Client Header contains ‘host|3a 20|tpsci.com'”; sid:1; rev:1; flow:established,to_server; content:”host|3a 20|tpsci.com”; http_header; fast_pattern:only; metadata:service http;)
|
|
TrickBot
|
alert tcp any any -> any any (msg:”HTTP Client Header contains ‘User-Agent|3a 20|*Loader'”; sid:1; rev:1; flow:established,to_server; content:”User-Agent|3a 20|”; http_header; content:”Loader|0d 0a|”; nocase; http_header; distance:0; within:24; fast_pattern; metadata:service http;)
|
|
TrickBot
|
alert udp any any <> any 53 (msg:”DNS Query/Response onixcellent com (UDP)”; sid:1; rev:1; content:”|0B|onixcellent|03|com|00|”; fast_pattern:only; reference:url,medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30; priority:1; metadata:service dns;)
|
|
TrickBot
|
alert tcp any any -> any any (msg:”SSL/TLS Server X.509 Cert Field contains ‘C=XX, L=Default City, O=Default Company Ltd'”; sid:1; rev:2; flow:established,from_server; ssl_state:server_hello; content:”|31 0b 30 09 06 03 55 04 06 13 02|XX”; nocase; content:”|31 15 30 13 06 03 55 04 07 13 0c|Default City”; nocase; content:”|31 1c 30 1a 06 03 55 04 0a 13 13|Default Company Ltd”; nocase; content:!”|31 0c 30 0a 06 03 55 04 03|”; reference:url,www.virustotal.com/gui/file/e9600404ecc42cf86d38deedef94068db39b7a0fd06b3b8fb2d8a3c7002b650e/detection; metadata:service ssl;)
|
|
TrickBot
|
alert tcp any any -> any any (msg:”SSL/TLS Server X.509 Cert Field contains ‘C=AU, ST=Some-State, O=Internet Widgits Pty Ltd'”; sid:1; rev:1; flow:established,from_server; ssl_state:server_hello; content:”|31 0b 30 09 06 03 55 04 06 13 02|AU”; content:”|31 13 30 11 06 03 55 04 08 13 0a|Some-State”; distance:0; content:”|31 21 30 1f 06 03 55 04 0a 13 18|Internet Widgits Pty Ltd”; distance:0; fast_pattern; content:”|06 03 55 1d 13 01 01 ff 04 05 30 03 01 01 ff|”; reference:url,www.virustotal.com/gui/file/e9600404ecc42cf86d38deedef94068db39b7a0fd06b3b8fb2d8a3c7002b650e/detection; metadata:service ssl;)
|
|
TrickBot
|
alert tcp any any -> any any (msg:”HTTP Client Header contains ‘boundary=Arasfjasu7′”; sid:1; rev:1; flow:established,to_server; content:”boundary=Arasfjasu7|0d 0a|”; http_header; content:”name=|22|proclist|22|”; http_header; content:!”Referer”; content:!”Accept”; content:”POST”; http_method; metadata:service http;)
|
|
TrickBot
|
alert tcp any any -> any any (msg:”HTTP Client Header contains ‘User-Agent|3a 20|WinHTTP loader/1.'”; sid:1; rev:1; flow:established,to_server; content:”User-Agent|3a 20|WinHTTP loader/1.”; http_header; fast_pattern:only; content:”.png|20|HTTP/1.”; pcre:”/^Hostx3ax20(?:d{1,3}.){3}d{1,3}(?:x3ad{2,5})?$/mH”; content:!”Accept”; http_header; content:!”Referer|3a 20|”; http_header; metadata:service http;)
|
|
TrickBot
|
alert tcp any any -> any any (msg:”HTTP Server Header contains ‘Server|3a 20|Cowboy'”; sid:1; rev:1; flow:established,from_server; content:”200″; http_stat_code; content:”Server|3a 20|Cowboy|0d 0a|”; http_header; fast_pattern; content:”content-length|3a 20|3|0d 0a|”; http_header; file_data; content:”/1/”; depth:3; isdataat:!1,relative; metadata:service http;)
|
|
TrickBot
|
alert tcp any any -> any any (msg:”HTTP URI POST contains C2 Exfil”; sid:1; rev:1; flow:established,to_server; content:”Content-Type|3a 20|multipart/form-data|3b 20|boundary=——Boundary”; http_header; fast_pattern; content:”User-Agent|3a 20|”; http_header; distance:0; content:”Content-Length|3a 20|”; http_header; distance:0; content:”POST”; http_method; pcre:”/^/[a-z]{3}d{3}/.+?.[A-F0-9]{32}/d{1,3}//U”; pcre:”/^Hostx3ax20(?:d{1,3}.){3}d{1,3}$/mH”; content:!”Referer|3a|”; http_header; metadata:service http;)
|
|
TrickBot
|
alert tcp any any -> any any (msg:”HTTP URI GET/POST contains ‘/56evcxv'”; sid:1; rev:1; flow:established,to_server; content:”/56evcxv”; http_uri; fast_pattern:only; metadata:service http;)
|
|
TrickBot
|
alert icmp any any -> any any (msg:”ICMP traffic conatins ‘hanc'”; sid:1; rev:1; itype:8; icode:0; dsize:22; content:”hanc”; depth:4; fast_pattern; pcre:”/hanc[0-9a-f]{16}../i”; reference:url,labs.sentinelone.com/anchor-project-for-trickbot-adds-icmp/;)
|
|
TrickBot
|
alert tcp any any -> any any (msg:”HTTP Client Header contains POST with ‘host|3a 20|*.onion.link’ and ‘data='”; sid:1; rev:1; flow:established,to_server; content:”POST”; nocase; http_method; content:”host|3a 20|”; http_header; content:”.onion.link”; nocase; http_header; distance:0; within:47; fast_pattern; file_data; content:”data=”; distance:0; within:5; metadata:service http;)
|
|
TrickBot
|
alert tcp any 80 -> any any (msg:”Non-Std TCP Client Traffic contains PowerView Script Download String”; sid:1; rev:1; flow:established,from_server; content:”PowerView.ps1″; content:”PSReflect/master/PSReflect.psm1″; fast_pattern:only; content:”function New-InMemoryModule”; metadata:service else-ports;)
|
|
TrickBot
|
alert tcp any any -> any 445 (msg:”Non-Std TCP Client SMB Traffic contains ‘44783m8uh77g818_nkubyhu5vfxxbh878xo6hlttkppzf28tsdu5kwppk_11c1jl'”; sid:1; rev:1; flow:established,to_server; content:”44783m8uh77g818_nkubyhu5vfxxbh878xo6hlttkppzf28tsdu5kwppk_11c1jl”; fast_pattern:only; metadata:service netbios-ssn,service and-ports;)
|
|
TrickBot
|
alert tcp any any -> any [80,443,8082] (msg:”Non-Std TCP Client Traffic contains ‘–aksgja8s8d8a8s97′”; sid:1; rev:1; flow:established,to_server; content:”–aksgja8s8d8a8s97″; fast_pattern:only; content:”name=|22|proclist|22|”; metadata:service else-ports;)
|
|
TrickBot
|
alert tcp any any -> any any (msg:”HTTP Client Header contains ‘User-Agent|3a 20|WinHTTP loader/1.0′”; sid:1; rev:1; flow:established,to_server; content:”User-Agent|3a 20|WinHTTP loader/1.0|0d 0a|”; http_header; fast_pattern:only; pcre:”//t(?:oler|able).png/U”; metadata:service http;)
|
|
TrickBot
|
alert tcp any any -> any [443,8082] (msg:”Non-Std TCP Client Traffic contains ‘_W<digits>.'”; sid:1; rev:1; flow:established,to_server; content:”_W”; fast_pattern:only; pcre:”/_Wd{6,8}./”; metadata:service else-ports;)
|
|
TrickBot
|
alert tcp any [443,447] -> any any (msg:”SSL/TLS Server X.509 Cert Field contains ‘example.com’ (Hex)”; sid:1; rev:1; flow:established,from_server; ssl_state:server_hello; content:”|0b|example.com”; fast_pattern:only; content:”Global Security”; content:”IT Department”; pcre:”/(?:x09x00xc0xb9x3bx93x72xa3xf6xd2|x00xe2x08xffxfbx7bx53x76x3d)/”; metadata:service ssl,service and-ports;)
|
|
TrickBot
|
alert tcp any any -> any any+F57 (msg:”HTTP URI GET contains ‘/anchor'”; sid:1; rev:1; flow:established,to_server; content:”/anchor”; http_uri; fast_pattern:only; content:”GET”; nocase; http_method; pcre:”/^/anchor_?.{3}/[w_-]+.[A-F0-9]+/?$/U”; metadata:service http;)
|
|
TrickBot
|
alert udp any any <> any 53 (msg:”DNS Query/Response kostunivo com (UDP)”; sid:1; rev:1; content:”|09|kostunivo|03|com|00|”; fast_pattern:only; reference:url,medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30; metadata:service dns;)
|
|
TrickBot
|
alert udp any any <> any 53 (msg:”DNS Query/Response chishir com (UDP)”; sid:1; rev:1; content:”|07|chishir|03|com|00|”; fast_pattern:only; reference:url,medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30; metadata:service dns;)
|
|
TrickBot
|
alert udp any any <> any 53 (msg:”DNS Query/Response mangoclone com (UDP)”; sid:1; rev:1; content:”|0A|mangoclone|03|com|00|”; fast_pattern:only; reference:url,medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30; metadata:service dns;)
|
|
GootLoader
|
No signature available.
|
by Contributed | Aug 4, 2022 | Technology
This article is contributed. See the original author and article here.
At Microsoft we are continuously working to harden our environment and make it easier for customers and partners to apply patches and updates. Monthly, Microsoft issues several updates during what is commonly referred to as “Patch Tuesday.” During Patch Tuesday, Microsoft assigns Common Vulnerabilities and Exposure (CVE) numbers to cloud-based vulnerabilities when there is a specific message that we want to send about necessary action to take, either by our customers to protect themselves or by the industry to protect the ecosystem.
When Microsoft issues a CVE, there is almost always action required to be taken by the customer. In instances where customer action is required, Microsoft understands each customer has their own process and timeframe for applying updates. However, we recommend applying all updates as soon as possible.
As part of June’s “Patch Tuesday,” we issued CVE-2022-29149 to address a local Elevation of Privilege in Azure Open Management Infrastructure (OMI).
Over the past year, our team has been developing an Automatic Extension Upgrade feature and are excited to announce the availability of this capability for the Azure Log Analytics agent and Diagnostics extension for Linux.
Background
The Azure Log Analytics agent for Linux (aka OMS agent) and Diagnostics Extension for Linux (aka LAD agent) collects telemetry from Linux virtual machines. The OMS agent works in any cloud, on-premises machines, and machines monitored by System Center Operations Manager. Collected data is sent to your Log Analytics workspace in Azure Monitor. The Log Analytics agent also supports insights and other services in Azure Monitor such as VM insights, Microsoft Defender for Cloud, and Azure Automation. The LAD agent collects the same data types as OMS, but instead has the capability to send the collected data to a variety of data destinations, such as Azure Storage, Metrics, and Event Hub.
New Feature
On Azure Virtual Machines (VMs), the OMS and LAD agents could be installed as a virtual machine extension. Now, you can let the extension automatically update by turning on the “Automatic Extension Upgrade” option for the extensions. You can do this by setting the flag to true via API, CLI or PowerShell as documented here for OMS and here for LAD.
Security Recommendations
We strongly recommend enabling automatic updates for the OMS agent and LAD agent as soon as possible,
- For the longer term, we recommend migrating to Azure Monitor agent that is not dependent on OMI. As communicated previously, the Log Analytics agent is on a deprecation path and will no longer be supported after August 31, 2024. As such, you must ensure migrating to the new Azure Monitor agent prior to that date. We also plan to bring the capabilities of the Diagnostics Extension for Linux (LAD) to Azure Monitor Agent at a later date.
- This update ensures that customers get important security or performance updates to the extension as soon as possible without manual overhead.
As always, we welcome feedback from customers and partners which supports our efforts to continuously harden our products and services. We want to thank the Wiz team for their collaboration and commitment to helping make Azure customers more secure.
Recent Comments