# KXK00OOkxxkO00KX0
# ,NXKxo:,'... ...';cdOXN:
# l;. ..,:ldxkOOOOOOkkxol:,.. .o
# dk lOOOOOOkkkkkkkkkkkOOOOOOx dk
# KNXOc. :0OkkkkkkkkkkkkkkkkkkkkkO0l. :kXNX
# x. .'ckOOkkkkkkkkkkkookkkkkkkkkkOOOl,. .k
# d. o0Okkkkkkkkkkkkk. okkkkkkkkkkOO0k x
# l. c0kkkkkkko. .ckk .kd..'xkkkkkk0x .o
# ;, ;0kkkkkkkc ;ko. .dk. :kkkkkk0l ':
# .l .OOkkkkkkkl. .lkocldkkl. 'xkkkkkOO, c.
# l o0kkkk:..'dkkk. .;okkkkkkkkk0x l
# .: .OOkkk; xk, .:kkkkkO0; ;.
# ;. :0kkkko;,cko :kkkk0d .:
# : oOkkkkkkkk .dkkk0k. :
# : dOkkkkkkk .:odxkkkkkOk. ;
# ; oOkkkkkkx:,,ckkkkkkkkkkOx. ,
# '. ;OOkkkkkkkkkkkkkkkkkOOc '
# ' .lOOkkkkkkkkkkkkkOOd. .
# . .lOOkkkkkkkkkOOo' ..
# ' .;dOOOkOOOx:. .
# .. .,lxo;. ..
# .. ..
#
# ____ ___ __ ____ _ _
#| _ \ / \ \ / / | _ \ __ _| |_ _ __ _ _| | ___ ___
#| |_) / _ \ \ /\ / / | |_) / _` | __| '__| | | | |/ _ \/ __|
#| __/ ___ \ V V / | __/ (_| | |_| | | |_| | | __/\__ \
#|_| /_/ \_\_/\_/ |_| \__,_|\__|_| \__,_|_|\___||___/
#
# IDS Rules for Suricata
# π Charles BLANC-ROLIN β ΅ - https://pawpatrules.fr - https://www.apssis.com - https://github.com/woundride
# Licence CC BY-NC-SA 4.0 : https://creativecommons.org/licenses/by-nc-sa/4.0/
# π₯ Exploit
# CVE-2020-1350 "SIGRed" (Windows DNS Server RCE; see references). The match keys on the
# first two TCP payload bytes - 0xff (startswith) followed by a byte >= 0xec (byte_test) -
# presumably the DNS-over-TCP length prefix announcing a message close to 64 KiB, then on
# |00 00 18| 12 bytes further on (within 64), a |c0| two bytes after that and |00 18| one
# byte later, i.e. a compression pointer next to what looks like the SIG (type 24) record
# type; confirm the field layout against the Check Point write-up before tuning.
# Scope is tcp any any -> any any with no flow keyword, so every TCP payload in both
# directions is inspected, not only traffic toward DNS servers; restricting the rule to
# flow:to_server,established and the DNS port would cut load and false positives on
# unrelated binary protocols. classtype is trojan-activity although the msg describes an
# exploitation attempt (attempted-admin is the usual class for that).
alert tcp any any -> any any (msg:"πΎ - π¨ Possible exploitation de SIGRed π₯ CVE-2020-1350 - RCE sur serveur DNS Windows et ContrΓ΄leur Active Directory"; content:"|ff|"; startswith; byte_test:1,>=,0xec,0,relative; content:"|00 00 18|"; distance:12; within:64; fast_pattern; content:"|c0|"; distance:2; within:1; content:"|00 18|"; distance:1; within:2; reference: url,https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin:-exploiting-a-17-year-old-bug-in-windows-dns-servers/; reference: url,https://portal.msrc.microsoft.com/fr-fr/security-guidance/advisory/CVE-2020-1350; reference: url,https://support.microsoft.com/fr-fr/help/4569509/windows-dns-server-remote-code-execution-vulnerability; reference: url,https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-16/; reference:cve,2020-1350; metadata: created_at 2020_07_17, updated_at 2020_07_17; sid:3309543; rev:1; classtype:trojan-activity;)
# CVE-2020-1380 / Operation PowerFall (see references): alerts on any DNS query whose name
# contains "static-cdn1.com". This is a case-insensitive substring match on the dns_query
# buffer, so names that merely embed the string (e.g. a longer label ending in it) also
# fire. Pure domain IoC - it ages with the attacker infrastructure, so the metadata dates
# (2020_08_22) should be weighed when triaging a hit.
alert dns any any -> any any (msg:"πΎ - β RequΓͺte DNS π - π Domaine malveillant - possible exploitation CVE-2020-1380"; dns_query; content:"static-cdn1.com"; nocase; reference: url,https://securelist.com/ie-and-windows-zero-day-operation-powerfall/97976/; reference: url,https://opentip.kaspersky.com/www.static-cdn1.com%2Fupdate.zip/; reference: url,https://portal.msrc.microsoft.com/fr-fr/security-guidance/advisory/CVE-2020-1380; metadata:created_at 2020_08_22, updated_at 2020_08_22; sid:3309544; rev:1; classtype:trojan-activity;)
# FireEye red-team tool countermeasures, 2020-12-11 (see the references on each rule):
# BEACON HTTP/SSL/DNS profiles ("CSBundle ..."), GORAT, and further down Rubeus and an
# Impacket service-name check. The msg strings mirror FireEye's detection names and
# several are reused by more than one sid ("CSBundle USAToday Server" for 3309545 and
# 3309546, "CSBundle MSOffice Server" for 3309551 and 3309568, "CSBundle MSOffice POST"
# for 3309558 and 3309566, "CSBundle NYTIMES Server" for 3309569 and 3309573, "CSBundle
# DNS" for 3309554 and 3309571), so triage and tuning should key on sid, not msg.
# Most of these rules carry no flow keyword; where the port already implies a direction
# (any $HTTP_PORTS -> any any for responses, any any -> any $HTTP_PORTS for requests)
# adding flow:established with the matching direction is the usual tightening.
# Response side, matched on a fixed JSON fragment that embeds a supportlocal.usatoday.com
# link; this one does carry flow:from_server,established.
alert tcp any $HTTP_PORTS -> any any (msg:"πΎ - π₯π FireEye - Backdoor.HTTP.BEACON.[CSBundle USAToday Server]"; flow:from_server,established; content:"{\"navgd\":\"<div class=gnt_n_dd_ls_w><div class=gnt_n_dd_nt>ONLY AT USA TODAY:</div><div class=gnt_n_dd_ls><a class=gnt_n_dd_ls_a href=https://supportlocal.usatoday.com/"; reference: url,https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; reference: url,https://github.com/fireeye/red_team_tool_countermeasures; metadata:created_at 2020_12_11, updated_at 2020_12_11; sid:3309545; rev:1; classtype:trojan-activity;)
# Same profile, matched on the complete literal response-header set; the fixed X-Timer
# value pins this to one captured profile instance, so a re-generated profile will not hit.
alert tcp any $HTTP_PORTS -> any any (msg:"πΎ - π₯π FireEye - Backdoor.HTTP.BEACON.[CSBundle USAToday Server]"; content:"HTTP/1."; depth:7; content:"Connection: close"; content:"Content-Type: application/json\; charset=utf-8"; content:"Content-Security-Policy: upgrade-insecure-requests"; content:"Strict-Transport-Security: max-age=10890000"; content:"Cache-Control: public, immutable, max-age=315360000"; content:"Accept-Ranges: bytes"; content:"X-Cache: HIT, HIT"; content:"X-Timer: S1593010188.776402,VS0,VE1"; content:"Vary: X-AbVariant, X-AltUrl, Accept-Encoding"; reference: url,https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; reference: url,https://github.com/fireeye/red_team_tool_countermeasures; metadata:created_at 2020_12_11, updated_at 2020_12_11; sid:3309546; rev:1; classtype:trojan-activity;)
# "Original" profile response: IIS-style header set plus the start of a fixed JSON body
# (the same starttime:17656184060 body is reused by sids 3309551, 3309565, 3309568,
# 3309569 with fewer header constraints).
alert tcp any $HTTP_PORTS -> any any (msg:"πΎ - π₯π FireEye - Backdoor.HTTP.BEACON.[CSBundle Original Server]"; content:"HTTP/1."; depth:7; content:"Content-Type: text/json|0d 0a|"; content:"Server: Microsoft-IIS/10.0|0d 0a|"; content:"X-Powered-By: ASP.NET|0d 0a|"; content:"Cache-Control: no-cache, no-store, max-age=0, must-revalidate|0d 0a|"; content:"Pragma: no-cache|0d 0a|"; content:"X-Frame-Options: SAMEORIGIN|0d 0a|"; content:"Connection: close|0d 0a|"; content:"{\"meta\":{},\"status\":\"OK\",\"saved\":\"1\",\"starttime\":17656184060,\"id\":\"\",\"vims\":{\"dtc\":"; reference: url,https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; reference: url,https://github.com/fireeye/red_team_tool_countermeasures; metadata:created_at 2020_12_11, updated_at 2020_12_11; sid:3309547; rev:1; classtype:trojan-activity;)
# NYTIMES profile request: fixed Accept* headers and cookie fragments (fast_pattern on the
# nyt-gdpr/nyt-purr/nyt-geo cookie), then a pcre anchored at payload start restricting the
# request path to five fixed prefixes.
alert tcp any any -> any $HTTP_PORTS (msg:"πΎ - π₯π FireEye - Backdoor.HTTP.BEACON.[CSBundle NYTIMES GET]"; content:"GET"; depth:3; content:"Accept: */*"; content:"Accept-Encoding: gzip, deflate, br"; content:"Accept-Language: en-US,en\;q=0.5"; content:"nyt-a="; content:"nyt-gdpr=0\;nyt-purr=cfh\;nyt-geo=US}"; fast_pattern; content:"|0d 0a|Cookie:"; pcre:"/^GET\s(?:\/ads\/google|\/vi-assets\/static-assets|\/v1\/preferences|\/idcta\/translations|\/v2\/preferences)/"; reference: url,https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; reference: url,https://github.com/fireeye/red_team_tool_countermeasures; metadata:created_at 2020_12_11, updated_at 2020_12_11; sid:3309548; rev:1; classtype:trojan-activity;)
# Stager request: "T " searched in payload bytes 2-4 (so GET, PUT and POST request lines
# all qualify), a fixed SIDCC cookie value and an /api/v1/user/{512,124}/avatar path.
alert tcp any any -> any $HTTP_PORTS (msg:"πΎ - π₯π FireEye - Backdoor.HTTP.BEACON.[CSBundle Original Stager]"; content:"T "; offset:2; depth:3; content:"Accept: */*"; content:"Accept-Language: en-US"; content:"Accept-Encoding: gzip, deflate"; content:"Cookie: SIDCC=AN0-TYutOSq-fxZK6e4kagm70VyKACiG1susXcYRuxK08Y-rHysliq0LWklTqjtulAhQOPH8uA"; pcre:"/\/api\/v1\/user\/(?:512|124)\/avatar/"; reference: url,https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; reference: url,https://github.com/fireeye/red_team_tool_countermeasures; metadata:created_at 2020_12_11, updated_at 2020_12_11; sid:3309549; rev:1; classtype:trojan-activity;)
# GORAT GET: a "Cookie: SID1=" header on a GET with no Referer and no Accept* header
# (negated content matches). Ports are any/any, so this is inspected on every TCP stream.
alert tcp any any -> any any (msg:"πΎ - π₯π FireEye - Backdoor.HTTP.GORAT.[SID1]"; content:"GET"; depth:3; content:"|0d 0a|Cookie: SID1="; content:!"|0d 0a|Referer:"; content:!"|0d 0a|Accept"; reference: url,https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; reference: url,https://github.com/fireeye/red_team_tool_countermeasures; metadata:created_at 2020_12_11, updated_at 2020_12_11; sid:3309550; rev:1; classtype:trojan-activity;)
# MSOffice profile response: HTTP/1. status line plus the fixed JSON body opening
# (sid 3309568 is the same match with flow:from_server,established added).
alert tcp any $HTTP_PORTS -> any any (msg:"πΎ - π₯π FireEye - Backdoor.HTTP.BEACON.[CSBundle MSOffice Server]"; content:"HTTP/1."; depth:7; content:"{\"meta\":{},\"status\":\"OK\",\"saved\":\"1\",\"starttime\":17656184060,\"id\":\"\",\"vims\":{\"dtc\":\""; reference: url,https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; reference: url,https://github.com/fireeye/red_team_tool_countermeasures; metadata:created_at 2020_12_11, updated_at 2020_12_11; sid:3309551; rev:1; classtype:trojan-activity;)
# SSL profile on tcp/443: |16 03| at depth 2 is a TLS record header; each of the six
# strings must occur twice in the payload (the second content has distance:0), which is
# consistent with a certificate whose subject and issuer both carry the
# ajax.microsoft.com / Seattle / Microsoft / WA fields - confirm against the FireEye
# countermeasure before relying on that reading. Works on the plaintext handshake only.
alert tcp any any -> any 443 (msg:"πΎ - π₯π FireEye - Backdoor.SSL.BEACON.[CSBundle Ajax]"; content:"|16 03|"; depth:2; content:"US"; content:"US"; distance:0; content:"ajax.microsoft.com"; content:"ajax.microsoft.com"; distance:0; content:"Seattle"; content:"Seattle"; distance:0; content:"Microsoft"; content:"Microsoft"; distance:0; content:"Information Technologies"; content:"Information Technologies"; distance:0; content:"WA"; content:"WA"; distance:0; reference: url,https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; reference: url,https://github.com/fireeye/red_team_tool_countermeasures; metadata:created_at 2020_12_11, updated_at 2020_12_11; sid:3309552; rev:1; classtype:trojan-activity;)
# Yelp profile GET ($HOME_NET source, flow:to_server): fast_pattern on
# "&parent_request_id="; the pcre is what makes the match specific - the parameter value
# must be a 128-1024 character base64-like blob, which an ordinary request id would not be.
# Note "request_origin=user" is matched with offset:0/depth:256, i.e. absolutely from the
# start of the payload, not relative to the preceding matches.
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"πΎ - π₯π FireEye - Backdoor.HTTP.BEACON.[Yelp GET]"; flow:to_server; content:"GET "; depth:4; content:"&parent_request_id="; distance:0; within:256; fast_pattern; content:" HTTP/1"; distance:0; within:1024; content:"|0d 0a|Sec-Fetch-Dest: empty|0d 0a|"; distance:0; within:256; content:"request_origin=user"; offset:0; depth:256; pcre:"/^GET [^\r\n]{0,256}&parent_request_id=(?:[A-Za-z0-9_\/\+\-%]{128,1024})={0,2}[^\r\n]{0,256} HTTP\/1\.[01]/"; reference: url,https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; reference: url,https://github.com/fireeye/red_team_tool_countermeasures; metadata:created_at 2020_12_11, updated_at 2020_12_11; sid:3309553; rev:1; classtype:trojan-activity;)
# DNS profile, response side (udp source port 53): one question/one answer counts at
# offset 4, a "_domainkey" label, then an answer whose type/class bytes look like TXT
# (|00 10 00 01|) with RDATA starting "v=DKIM1; p=" - a DKIM-record lookalike carrying
# the channel. sid 3309571 is a tighter variant of the same match.
alert udp any 53 -> any any (msg:"πΎ - π₯π FireEye - Backdoor.DNS.BEACON.[CSBundle DNS]"; content:"|00 01 00 01|"; offset:4; depth:4; content:"|0a|_domainkey"; distance:0; content:"|00 00 10 00 01 c0 0c 00 10 00 01 00 00 00 02 01 00 ff|v=DKIM1\; p="; distance:0; reference: url,https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; reference: url,https://github.com/fireeye/red_team_tool_countermeasures; metadata:created_at 2020_12_11, updated_at 2020_12_11; sid:3309554; rev:1; classtype:trojan-activity;)
# CDN profile GET: "client-=" / ";auth=1}" cookie fragments and four fixed /v1/ paths.
alert tcp any any -> any $HTTP_PORTS (msg:"πΎ - π₯π FireEye - Backdoor.HTTP.BEACON.[CSBundle CDN GET]"; content:"GET"; depth:3; content:"Accept: */*"; content:"Accept-Encoding: gzip, deflate, br"; content:"Accept-Language: en-US|0d 0a|"; content:"client-="; content:"\;auth=1}"; content:"Cookie:"; pcre:"/^GET\s(?:\/v1\/queue|\/v1\/profile|\/v1\/docs\/wsdl|\/v1\/pull)/"; reference: url,https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; reference: url,https://github.com/fireeye/red_team_tool_countermeasures; metadata:created_at 2020_12_11, updated_at 2020_12_11; sid:3309555; rev:1; classtype:trojan-activity;)
# USAToday profile GET: fixed gnt_ub/gnt_sb/usprivacy/DigiTrust cookie string and a long
# alternation of USA Today-looking paths; the cookie literal is the discriminating part.
alert tcp any any -> any $HTTP_PORTS (msg:"πΎ - π₯π FireEye - Backdoor.HTTP.BEACON.[CSBundle USAToday GET]"; content:"GET"; depth:3; content:"Connection: close|0d 0a|"; content:"Accept: */*|0d 0a|"; content:"gnt_ub=86\;gnt_sb=18\;usprivacy=1YNY\;DigiTrust.v1.identity="; content:"%3D\;GED_PLAYLIST_ACTIVITY=W3sidSI6IkZtTWUiLCJ0c2wiOjE1OTMwM\;"; content:"Cookie:"; pcre:"/^GET\s(?:\/USAT-GUP\/user\/|\/entertainment\/|\/entertainment\/navdd-q1a2z3Z6TET4gv2PNfXpaJAniOzOajK7M\.min\.json|\/global-q1a2z3C4M2nNlQYzWhCC0oMSEFjQbW1KA\.min\.json|\/life\/|\/news\/weather\/|\/opinion\/|\/sports\/|\/sports\/navdd-q1a2z3JHa8KzCRLOQAnDoVywVWF7UwxJs\.min\.json|\/tangstatic\/js\/main-q1a2z3b37df2b1\.min\.js|\/tangstatic\/js\/pbjsandwich-q1a2z300ab4198\.min\.js|\/tangstatic\/js\/pg-q1a2z3bbc110a4\.min\.js|\/tangsvc\/pg\/3221104001\/|\/tangsvc\/pg\/5059005002\/|\/tangsvc\/pg\/5066496002\/|\/tech\/|\/travel\/)/"; reference: url,https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; reference: url,https://github.com/fireeye/red_team_tool_countermeasures; metadata:created_at 2020_12_11, updated_at 2020_12_11; sid:3309556; rev:1; classtype:trojan-activity;)
# "Original" profile POST: the {"locale":"en","channel":"prod","addon":" body opening is
# shared with sids 3309558, 3309561 and 3309566; the path alternation and "ses-" token
# separate this variant.
alert tcp any any -> any $HTTP_PORTS (msg:"πΎ - π₯π FireEye - Backdoor.HTTP.BEACON.[CSBundle Original POST]"; content:"POST"; depth:4; content:"Accept: */*|0d 0a|"; content:"Accept-Language: en-US|0d 0a|"; content:"Accept-Encoding: gzip, deflate|0d 0a|"; content:"{\"locale\":\"en\",\"channel\":\"prod\",\"addon\":\""; pcre:"/^POST\s(?:\/v4\/links\/check-activity\/check|\/v1\/stats|\/gql|\/api2\/json\/check\/ticket|\/1.5\/95648064\/storage\/history|\/1.5\/95648064\/storage\/tabs|\/u\/0\/_\/og\/botguard\/get|\/ev\/prd001001|\/ev\/ext001001|\/gp\/aw\/ybh\/handlers|\/v3\/links\/ping-beat\/check)/"; content:"ses-"; reference: url,https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; reference: url,https://github.com/fireeye/red_team_tool_countermeasures; metadata:created_at 2020_12_11, updated_at 2020_12_11; sid:3309557; rev:1; classtype:trojan-activity;)
# MSOffice profile POST to /v1/push; the trailing "cli" and "l-" contents are very short
# unanchored substrings and add little selectivity on their own.
alert tcp any any -> any $HTTP_PORTS (msg:"πΎ - π₯π FireEye - Backdoor.HTTP.BEACON.[CSBundle MSOffice POST]"; content:"POST /v1/push"; depth:13; content:"Accept: */*"; content:"Accept-Encoding: gzip, deflate, br"; content:"Accept-Language: en-US|0d 0a|"; content:"{\"locale\":\"en\",\"channel\":\"prod\",\"addon\":\""; content:"cli"; content:"l-"; reference: url,https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; reference: url,https://github.com/fireeye/red_team_tool_countermeasures; metadata:created_at 2020_12_11, updated_at 2020_12_11; sid:3309558; rev:1; classtype:trojan-activity;)
# M.HackTool.SMB.Impacket-Obfuscation on tcp/139,445: SMB1 header |ff 53 4d 42| ("\xffSMB")
# at offset 4, then a pcre (flag /R, i.e. relative to that match) alternating UTF-16LE
# encoded service names; the hex decodes to "Windows Update Control Service",
# "Windows 10 Defender", "Windows License Key Activation", "Office 365 Proxy",
# "Microsoft Security Center", "OneDrive Sync Center", "Background Action Manager",
# "Secure Token Messaging Service" and "Windows  Update" (two spaces). These are exact
# strings, so a renamed service is not covered; hits are worth correlating with
# service-creation events on the destination host.
# NOTE(review): as rendered here the rule is broken across two lines after "reference: " -
# the first line is unterminated and the second ("url,https://...") is not a rule on its
# own. If that newline is really in the file and not a display artifact, Suricata will
# reject sid 3309559 at load time; confirm against the repository and join the two lines
# (or end the first one with a backslash continuation).
alert tcp any any -> any [139,445] (msg:"πΎ - π₯π FireEye - M.HackTool.SMB.Impacket-Obfuscation.[Service Names]"; content:"|ff 53 4d 42|"; offset:4; depth:4; pcre:"/(?:\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x55\x00\x70\x00\x64\x00\x61\x00\x74\x00\x65\x00\x20\x00\x43\x00\x6f\x00\x6e\x00\x74\x00\x72\x00\x6f\x00\x6c\x00\x20\x00\x53\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65|\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x31\x00\x30\x00\x20\x00\x44\x00\x65\x00\x66\x00\x65\x00\x6e\x00\x64\x00\x65\x00\x72|\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x4c\x00\x69\x00\x63\x00\x65\x00\x6e\x00\x73\x00\x65\x00\x20\x00\x4b\x00\x65\x00\x79\x00\x20\x00\x41\x00\x63\x00\x74\x00\x69\x00\x76\x00\x61\x00\x74\x00\x69\x00\x6f\x00\x6e|\x4f\x00\x66\x00\x66\x00\x69\x00\x63\x00\x65\x00\x20\x00\x33\x00\x36\x00\x35\x00\x20\x00\x50\x00\x72\x00\x6f\x00\x78\x00\x79|\x4d\x00\x69\x00\x63\x00\x72\x00\x6f\x00\x73\x00\x6f\x00\x66\x00\x74\x00\x20\x00\x53\x00\x65\x00\x63\x00\x75\x00\x72\x00\x69\x00\x74\x00\x79\x00\x20\x00\x43\x00\x65\x00\x6e\x00\x74\x00\x65\x00\x72|\x4f\x00\x6e\x00\x65\x00\x44\x00\x72\x00\x69\x00\x76\x00\x65\x00\x20\x00\x53\x00\x79\x00\x6e\x00\x63\x00\x20\x00\x43\x00\x65\x00\x6e\x00\x74\x00\x65\x00\x72|\x42\x00\x61\x00\x63\x00\x6b\x00\x67\x00\x72\x00\x6f\x00\x75\x00\x6e\x00\x64\x00\x20\x00\x41\x00\x63\x00\x74\x00\x69\x00\x6f\x00\x6e\x00\x20\x00\x4d\x00\x61\x00\x6e\x00\x61\x00\x67\x00\x65\x00\x72|\x53\x00\x65\x00\x63\x00\x75\x00\x72\x00\x65\x00\x20\x00\x54\x00\x6f\x00\x6b\x00\x65\x00\x6e\x00\x20\x00\x4d\x00\x65\x00\x73\x00\x73\x00\x61\x00\x67\x00\x69\x00\x6e\x00\x67\x00\x20\x00\x53\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65|\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x20\x00\x55\x00\x70\x00\x64\x00\x61\x00\x74\x00\x65)/R"; reference: url,https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html; reference: 
url,https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; reference: url,https://github.com/fireeye/red_team_tool_countermeasures; metadata:created_at 2020_12_11, updated_at 2020_12_11; sid:3309559; rev:1; classtype:trojan-activity;)
# FireEye red-team tool countermeasures, continued (see the references on each rule).
# Stager response: the IIS-style header set plus the bytes of a 1x1 GIF (|47 49 46 38 39
# 61| is "GIF89a", |00 3b| the trailer). Two Content-Type values (text/json and image/gif)
# in one response is the profile's tell.
alert tcp any $HTTP_PORTS -> any any (msg:"πΎ - π₯π FireEye - Backdoor.HTTP.BEACON.[CSBundle Original Stager 2]"; content:"HTTP/1."; depth:7; content:"Content-Type: text/json|0d 0a|"; content:"Server: Microsoft-IIS/10.0|0d 0a|"; content:"X-Powered-By: ASP.NET|0d 0a|"; content:"Cache-Control: no-cache, no-store, max-age=0, must-revalidate|0d 0a|"; content:"Pragma: no-cache|0d 0a|"; content:"X-Frame-Options: SAMEORIGIN|0d 0a|"; content:"Connection: close|0d 0a|"; content:"Content-Type: image/gif"; content:"|01 00 01 00 00 02 01 44 00 3b|"; content:"|ff ff ff 21 f9 04 01 00 00 00 2c 00 00 00 00|"; content:"|47 49 46 38 39 61 01 00 01 00 80 00 00 00 00|"; reference: url,https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; reference: url,https://github.com/fireeye/red_team_tool_countermeasures; metadata:created_at 2020_12_11, updated_at 2020_12_11; sid:3309560; rev:1; classtype:trojan-activity;)
# NYTIMES profile POST: shared {"locale":"en",...,"addon":" body opening, "id-" token and
# three fixed paths.
alert tcp any any -> any $HTTP_PORTS (msg:"πΎ - π₯π FireEye - Backdoor.HTTP.BEACON.[CSBundle NYTIMES POST]"; content:"POST"; depth:4; content:"Accept: */*"; content:"Accept-Encoding: gzip, deflate, br"; content:"Accept-Language: en-US,en\;q=0.5"; content:"id-"; content:"{\"locale\":\"en\",\"channel\":\"prod\",\"addon\":\""; pcre:"/^POST\s(?:\/track|\/api\/v1\/survey\/embed|\/svc\/weather\/v2)/"; reference: url,https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; reference: url,https://github.com/fireeye/red_team_tool_countermeasures; metadata:created_at 2020_12_11, updated_at 2020_12_11; sid:3309561; rev:1; classtype:trojan-activity;)
# Rubeus "nonce 2", Kerberos tcp/88 (udp twin is sid 3309570): a single 8-byte literal
# (|a7 06 02 04 6C 69 6C 00|, which looks like an ASN.1-encoded fixed nonce) with no
# position or flow constraint - a short literal, so validate hits against the Kerberos
# message they appear in.
alert tcp any any -> any 88 (msg:"πΎ - π₯π FireEye - HackTool.TCP.Rubeus.[nonce 2]"; content:"|a7 06 02 04 6C 69 6C 00|"; reference: url,https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; reference: url,https://github.com/fireeye/red_team_tool_countermeasures; metadata:created_at 2020_12_11, updated_at 2020_12_11; sid:3309562; rev:1; classtype:trojan-activity;)
# Yelp profile request variant ($HOME_NET source, flow:to_server): "Cookie: hl=en;bse="
# (fast_pattern) followed, per the pcre, by a 128-1024 character base64-like value and
# the fixed _gat_global/recent_locations/_gat_www tail - the same length test as
# sid 3309553 applied to the cookie instead of the query string.
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"πΎ - π₯π FireEye - Backdoor.HTTP.BEACON.[Yelp Request]"; flow:to_server; content:"T "; depth:5; content:" HTTP/1"; distance:0; within:256; content:"Cookie: hl=en|3b|bse="; distance:0; within:256; fast_pattern; content:"|3b|_gat_global=1|3b|recent_locations|3b|_gat_www=1|3b||0d 0a|"; pcre:"/Cookie: hl=en\x3bbse=(?:[A-Za-z0-9_\/\+\-]{128,1024})={0,2}\x3b_gat_global=1\x3brecent_locations\x3b_gat_www=1\x3b\r\n/"; reference: url,https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; reference: url,https://github.com/fireeye/red_team_tool_countermeasures; metadata:created_at 2020_12_11, updated_at 2020_12_11; sid:3309563; rev:1; classtype:trojan-activity;)
# MSOffice profile GET: "sess-=" / "auth=0;loc=US}" cookie fragments and four fixed paths.
alert tcp any any -> any $HTTP_PORTS (msg:"πΎ - π₯π FireEye - Backdoor.HTTP.BEACON.[CSBundle MSOffice GET]"; content:"GET"; depth:3; content:"Accept: */*"; content:"Accept-Encoding: gzip, deflate, br"; content:"Accept-Language: en-US|0d 0a|"; content:"sess-="; content:"auth=0\;loc=US}"; content:"Cookie:"; pcre:"/^GET\s(?:\/updates|\/license\/eula|\/docs\/office|\/software-activation)/"; reference: url,https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; reference: url,https://github.com/fireeye/red_team_tool_countermeasures; metadata:created_at 2020_12_11, updated_at 2020_12_11; sid:3309564; rev:1; classtype:trojan-activity;)
# "Original" profile response, body-only variant: just the fixed JSON opening, no status
# line or header constraints (the loosest of the starttime:17656184060 matches).
alert tcp any $HTTP_PORTS -> any any (msg:"πΎ - π₯π FireEye - Backdoor.HTTP.BEACON.[CSBundle Original Server 2]"; content:"{\"meta\":{},\"status\":\"OK\",\"saved\":\"1\",\"starttime\":17656184060,\"id\":\"\",\"vims\":{\"dtc\":"; reference: url,https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; reference: url,https://github.com/fireeye/red_team_tool_countermeasures; metadata:created_at 2020_12_11, updated_at 2020_12_11; sid:3309565; rev:1; classtype:trojan-activity;)
# MSOffice profile POST to /notification (same msg as sid 3309558, which covers /v1/push).
alert tcp any any -> any $HTTP_PORTS (msg:"πΎ - π₯π FireEye - Backdoor.HTTP.BEACON.[CSBundle MSOffice POST]"; content:"POST /notification"; depth:18; content:"Accept: */*"; content:"Accept-Encoding: gzip, deflate, br"; content:"Accept-Language: en-US|0d 0a|"; content:"{\"locale\":\"en\",\"channel\":\"prod\",\"addon\":\""; content:"nid"; content:"msg-"; reference: url,https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; reference: url,https://github.com/fireeye/red_team_tool_countermeasures; metadata:created_at 2020_12_11, updated_at 2020_12_11; sid:3309566; rev:1; classtype:trojan-activity;)
# "Original" profile GET: fixed display-culture/sess-id and SIDCC/FHBv3 cookie fragments
# plus a path alternation. The pcre lists /wp-content/themes/am43-6/dist/records twice;
# harmless, but the duplicate can be dropped at the next rev.
alert tcp any any -> any $HTTP_PORTS (msg:"πΎ - π₯π FireEye - Backdoor.HTTP.BEACON.[CSBundle Original GET]"; content:"GET"; depth:3; content:"Accept: */*|0d 0a|"; content:"Accept-Language: en-US|0d 0a|"; content:"Accept-Encoding: gzip, deflate|0d 0a|"; content:"Cookie:"; content:"display-culture=en\;check=true\;lbcs=0\;sess-id="; distance:0; content:"\;SIDCC=AN0-TY21iJHH32j2m\;FHBv3=B"; pcre:"/^GET\s(?:\/api2\/json\/access\/ticket|\/api2\/json\/cluster\/resources|\/api2\/json\/cluster\/tasks|\/en-us\/p\/onerf\/MeSilentPassport|\/en-us\/p\/book-2\/8MCPZJJCC98C|\/en-us\/store\/api\/checkproductinwishlist|\/gp\/cerberus\/gv|\/gp\/aj\/private\/reviewsGallery\/get-application-resources|\/gp\/aj\/private\/reviewsGallery\/get-image-gallery-assets|\/v1\/buckets\/default\/ext-5dkJ19tFufpMZjVJbsWCiqDcclDw\/records|\/v3\/links\/ping-centre|\/v4\/links\/activity-stream|\/wp-content\/themes\/am43-6\/dist\/records|\/wp-content\/themes\/am43-6\/dist\/records|\/wp-includes\/js\/script\/indigo-migrate)/"; reference: url,https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; reference: url,https://github.com/fireeye/red_team_tool_countermeasures; metadata:created_at 2020_12_11, updated_at 2020_12_11; sid:3309567; rev:1; classtype:trojan-activity;)
# MSOffice profile response with flow:from_server,established; same body match as
# sid 3309551 minus the "HTTP/1." status-line check.
alert tcp any $HTTP_PORTS -> any any (msg:"πΎ - π₯π FireEye - Backdoor.HTTP.BEACON.[CSBundle MSOffice Server]"; flow:from_server,established; content:"{\"meta\":{},\"status\":\"OK\",\"saved\":\"1\",\"starttime\":17656184060,\"id\":\"\",\"vims\":{\"dtc\":\""; reference: url,https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; reference: url,https://github.com/fireeye/red_team_tool_countermeasures; metadata:created_at 2020_12_11, updated_at 2020_12_11; sid:3309568; rev:1; classtype:trojan-activity;)
# NYTIMES profile response, body variant (identical match to sid 3309568 under a
# different msg); sid 3309573 is the header-based variant.
alert tcp any $HTTP_PORTS -> any any (msg:"πΎ - π₯π FireEye - Backdoor.HTTP.BEACON.[CSBundle NYTIMES Server]"; flow:from_server,established; content:"{\"meta\":{},\"status\":\"OK\",\"saved\":\"1\",\"starttime\":17656184060,\"id\":\"\",\"vims\":{\"dtc\":\""; reference: url,https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; reference: url,https://github.com/fireeye/red_team_tool_countermeasures; metadata:created_at 2020_12_11, updated_at 2020_12_11; sid:3309569; rev:1; classtype:trojan-activity;)
# Rubeus "nonce 2" over udp/88 - same literal as sid 3309562.
alert udp any any -> any 88 (msg:"πΎ - π₯π FireEye - HackTool.UDP.Rubeus.[nonce 2]"; content:"|a7 06 02 04 6C 69 6C 00|"; reference: url,https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; reference: url,https://github.com/fireeye/red_team_tool_countermeasures; metadata:created_at 2020_12_11, updated_at 2020_12_11; sid:3309570; rev:1; classtype:trojan-activity;)
# DNS profile, tighter variant of sid 3309554: additionally requires a |03| label length
# within 15 bytes of the counts and places "_domainkey" at a fixed distance from it, which
# limits the match to the expected name layout.
alert udp any 53 -> any any (msg:"πΎ - π₯π FireEye - Backdoor.DNS.BEACON.[CSBundle DNS]"; content:"|00 01 00 01|"; offset:4; depth:4; content:"|03|"; within:15; content:"|0a|_domainkey"; distance:3; within:11; content:"|00 00 10 00 01 c0 0c 00 10 00 01 00 00 00 02 01 00 ff|v=DKIM1\; p="; reference: url,https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; reference: url,https://github.com/fireeye/red_team_tool_countermeasures; metadata:created_at 2020_12_11, updated_at 2020_12_11; sid:3309571; rev:1; classtype:trojan-activity;)
# Rubeus "nonce", tcp/88 (udp twin is sid 3309575): |05| in the first 30 bytes and |0a|
# exactly four bytes later (presumably the Kerberos pvno and an AS-REQ msg-type - confirm),
# then the |6C 69 6C 00| nonce bytes within 25 bytes of a "Z", which is matched absolutely.
alert tcp any any -> any 88 (msg:"πΎ - π₯π FireEye - HackTool.TCP.Rubeus.[nonce]"; content:"|05|"; depth:30; content:"|0a|"; distance:4; within:1; content:"Z"; content:"|6C 69 6C 00|"; within:25; reference: url,https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; reference: url,https://github.com/fireeye/red_team_tool_countermeasures; metadata:created_at 2020_12_11, updated_at 2020_12_11; sid:3309572; rev:1; classtype:trojan-activity;)
# NYTIMES profile response, header variant: every header is a literal (Age: 5806,
# Content-Length: 256398, x-served-by, x-timer), so only an unmodified copy of the
# profile will hit.
alert tcp any $HTTP_PORTS -> any any (msg:"πΎ - π₯π FireEye - Backdoor.HTTP.BEACON.[CSBundle NYTIMES Server]"; content:"HTTP/1."; depth:7; content:"Accept-Ranges: bytes"; content:"Age: 5806"; content:"Cache-Control: public,max-age=31536000"; content:"Content-Encoding: gzip"; content:"Content-Length: 256398"; content:"Content-Type: application/javascript"; content:"Server: UploadServer"; content:"Vary: Accept-Encoding, Fastly-SSL"; content:"x-api-version: F-X"; content:"x-cache: HIT"; content:"x-Firefox-Spdy: h2"; content:"x-nyt-route: vi-assets"; content:"x-served-by: cache-mdw17344-MDW"; content:"x-timer: S1580937960.346550,VS0,VE0"; reference: url,https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; reference: url,https://github.com/fireeye/red_team_tool_countermeasures; metadata:created_at 2020_12_11, updated_at 2020_12_11; sid:3309573; rev:1; classtype:trojan-activity;)
# "Original" profile response, third variant: a fixed JSON prefix with responseId
# 15QE9JX9CKE2P and a fixed "shuffled":false} suffix.
alert tcp any $HTTP_PORTS -> any any (msg:"πΎ - π₯π FireEye - Backdoor.HTTP.BEACON.[CSBundle Original Server 3]"; content:"{\"alias\":\"apx\",\"prefix\":\"\",\"suffix\":null,\"suggestions\":[],\"responseId\":\"15QE9JX9CKE2P\",\"addon\": \""; content:"\",\"shuffled\":false}"; reference: url,https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; reference: url,https://github.com/fireeye/red_team_tool_countermeasures; metadata:created_at 2020_12_11, updated_at 2020_12_11; sid:3309574; rev:1; classtype:trojan-activity;)
# Rubeus "nonce" over udp/88 - same match as sid 3309572.
alert udp any any -> any 88 (msg:"πΎ - π₯π FireEye - HackTool.UDP.Rubeus.[nonce]"; content:"|05|"; depth:30; content:"|0a|"; distance:4; within:1; content:"Z"; content:"|6C 69 6C 00|"; within:25; reference: url,https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; reference: url,https://github.com/fireeye/red_team_tool_countermeasures; metadata:created_at 2020_12_11, updated_at 2020_12_11; sid:3309575; rev:1; classtype:trojan-activity;)
# GORAT POST: "POST / HTTP/1.1" with Connection: upgrade and "Upgrade: tcp/1", and no
# Referer, Accept* or Cookie header (negated contents). any/any ports.
alert tcp any any -> any any (msg:"πΎ - π₯π FireEye - Backdoor.HTTP.GORAT.[POST]"; content:"POST / HTTP/1.1"; depth:15; content:"Connection: upgrade"; content:"|0d 0a|Upgrade: tcp/1|0d 0a|"; content:!"|0d 0a|Referer:"; content:!"|0d 0a|Accept"; content:!"|0d 0a|Cookie:"; reference: url,https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; reference: url,https://github.com/fireeye/red_team_tool_countermeasures; metadata:created_at 2020_12_11, updated_at 2020_12_11; sid:3309576; rev:1; classtype:trojan-activity;)
# Rubeus: the literal "User32LogonProcesss" (three s) is the string as shipped in the
# countermeasure and the msg - do not "correct" the spelling, it is the indicator.
# flow:to_server but any/any ports and no established requirement.
alert tcp any any -> any any (msg:"πΎ - π₯π FireEye - HackTool.TCP.Rubeus.[User32LogonProcesss]"; flow:to_server; content:"User32LogonProcesss"; reference: url,https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; reference: url,https://github.com/fireeye/red_team_tool_countermeasures; metadata:created_at 2020_12_11, updated_at 2020_12_11; sid:3309577; rev:1; classtype:trojan-activity;)
# GORAT: a fixed build-ID string, matched in any TCP payload in either direction; a
# rebuilt binary carries a different ID, so this is a sample-specific indicator.
alert tcp any any -> any any (msg:"πΎ - π₯π FireEye - Backdoor.HTTP.GORAT.[Build ID]"; content:"aqlKZ7wjzg0iKM00E1WB/jq9_RA46w91EKl9A02Dv/nbNdZiLsB1ci8Ph0fb64/9Ks1YxAE86iz9A0dUiDl"; reference: url,https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; reference: url,https://github.com/fireeye/red_team_tool_countermeasures; metadata:created_at 2020_12_11, updated_at 2020_12_11; sid:3309578; rev:1; classtype:trojan-activity;)
# --- SUNBURST (SolarWinds Orion supply-chain backdoor, December 2020) ---
# Ported from fireeye/sunburst_countermeasures (see reference: lines). Three families:
#   3309579-3309582: outbound HTTP requests to the Orion "/swip/" API paths whose Host header is NOT
#                    a solarwinds.com host (content:!".solarwinds.com" within 100 bytes of "Host: ").
#   3309583-3309588: TLS handshake records (|16 03|) carrying a C2 domain; 3309584-3309588 anchor the
#                    domain on the X.509 commonName OID (|55 04 03|), i.e. a certificate field.
#   3309589-3309593: cleartext HTTP with one of the same domains in the Host header.
#   3309594:         DNS query for <label>.appsync-api.<9-byte region-like label>.avsvmcloud.com.
# The "T " at offset:2 depth:3 check is the upstream way of matching a GET/POST/PUT request line
# without an HTTP buffer. Domain matches are raw-payload; tls.sni / http.host sticky buffers
# (Suricata 5+) would be more precise, but the rules are kept as upstream wrote them.
# NOTE(review): these IoCs date from 2020-12; a hit today is more likely legacy or sinkhole traffic
# than a live implant - triage accordingly.
alert tcp $HOME_NET any -> any any (msg:"πΎ - APT.Backdoor.MSIL.SUNBURST"; content:"T "; offset:2; depth:3; content:"/swip/Events HTTP/1"; within:100; content:"Host: "; content:!".solarwinds.com"; within:100; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; reference: url,https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-026/; reference: url,https://github.com/fireeye/sunburst_countermeasures; metadata:created_at 2020_12_19, updated_at 2020_12_19; sid:3309579; rev:1; classtype:trojan-activity;)
alert tcp $HOME_NET any -> any any (msg:"πΎ - APT.Backdoor.MSIL.SUNBURST"; content:"T "; offset:2; depth:3; content:"/swip/upd/SolarWinds.CortexPlugin.Components.xml"; distance:0; content:"Host: "; content:!".solarwinds.com"; within:100; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; reference: url,https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-026/; reference: url,https://github.com/fireeye/sunburst_countermeasures; metadata:created_at 2020_12_19, updated_at 2020_12_19; sid:3309580; rev:1; classtype:trojan-activity;)
alert tcp $HOME_NET any -> any any (msg:"πΎ - APT.Backdoor.MSIL.SUNBURST"; content:"T "; offset:2; depth:3; content:"swip/Upload.ashx HTTP/1"; within:100; content:"Host: "; content:!".solarwinds.com"; within:100; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; reference: url,https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-026/; reference: url,https://github.com/fireeye/sunburst_countermeasures; metadata:created_at 2020_12_19, updated_at 2020_12_19; sid:3309581; rev:1; classtype:trojan-activity;)
alert tcp $HOME_NET any -> any any (msg:"πΎ - APT.Backdoor.MSIL.SUNBURST"; content:"T "; offset:2; depth:3; content:"/swip/upd/"; within:75; content:" HTTP/1."; distance:0; content:"Host: "; content:!".solarwinds.com"; within:100; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; reference: url,https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-026/; reference: url,https://github.com/fireeye/sunburst_countermeasures; metadata:created_at 2020_12_19, updated_at 2020_12_19; sid:3309582; rev:1; classtype:trojan-activity;)
# sid 3309583: bidirectional (<>) TLS match on the avsvmcloud.com string anywhere after the record header.
alert tcp any any <> any 443 (msg:"πΎ - APT.Backdoor.MSIL.SUNBURST"; content:"|16 03|"; depth:2; content:"avsvmcloud.com"; distance:0; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; reference: url,https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-026/; reference: url,https://github.com/fireeye/sunburst_countermeasures; metadata:created_at 2020_12_19, updated_at 2020_12_19; sid:3309583; rev:1; classtype:trojan-activity;)
alert tcp any any <> any 443 (msg:"πΎ - APT.Backdoor.MSIL.SUNBURST"; content:"|16 03|"; depth:2; content:"|55 04 03|"; distance:0; content:"digitalcollege.org"; within:50; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; reference: url,https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-026/; reference: url,https://github.com/fireeye/sunburst_countermeasures; metadata:created_at 2020_12_19, updated_at 2020_12_19; sid:3309584; rev:1; classtype:trojan-activity;)
alert tcp any any <> any 443 (msg:"πΎ - APT.Backdoor.MSIL.SUNBURST"; content:"|16 03|"; depth:2; content:"|55 04 03|"; distance:0; content:"freescanonline.com"; within:50; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; reference: url,https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-026/; reference: url,https://github.com/fireeye/sunburst_countermeasures; metadata:created_at 2020_12_19, updated_at 2020_12_19; sid:3309585; rev:1; classtype:trojan-activity;)
alert tcp any any <> any 443 (msg:"πΎ - APT.Backdoor.MSIL.SUNBURST"; content:"|16 03|"; depth:2; content:"|55 04 03|"; distance:0; content:"deftsecurity.com"; within:50; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; reference: url,https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-026/; reference: url,https://github.com/fireeye/sunburst_countermeasures; metadata:created_at 2020_12_19, updated_at 2020_12_19; sid:3309586; rev:1; classtype:trojan-activity;)
alert tcp any any <> any 443 (msg:"πΎ - APT.Backdoor.MSIL.SUNBURST"; content:"|16 03|"; depth:2; content:"|55 04 03|"; distance:0; content:"thedoccloud.com"; within:50; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; reference: url,https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-026/; reference: url,https://github.com/fireeye/sunburst_countermeasures; metadata:created_at 2020_12_19, updated_at 2020_12_19; sid:3309587; rev:1; classtype:trojan-activity;)
alert tcp any any <> any 443 (msg:"πΎ - APT.Backdoor.MSIL.SUNBURST"; content:"|16 03|"; depth:2; content:"|55 04 03|"; distance:0; content:"virtualdataserver.com"; within:50; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; reference: url,https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-026/; reference: url,https://github.com/fireeye/sunburst_countermeasures; metadata:created_at 2020_12_19, updated_at 2020_12_19; sid:3309588; rev:1; classtype:trojan-activity;)
# sids 3309589-3309593: the Host header match (within:100 of "Host:") is raw content; note these are
# "any -> any", not $HOME_NET-scoped like 3309579-3309582.
alert tcp any any -> any any (msg:"πΎ - APT.Backdoor.MSIL.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"digitalcollege.org"; within:100; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; reference: url,https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-026/; reference: url,https://github.com/fireeye/sunburst_countermeasures; metadata:created_at 2020_12_19, updated_at 2020_12_19; sid:3309589; rev:1; classtype:trojan-activity;)
alert tcp any any -> any any (msg:"πΎ - APT.Backdoor.MSIL.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"freescanonline.com"; within:100; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; reference: url,https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-026/; reference: url,https://github.com/fireeye/sunburst_countermeasures; metadata:created_at 2020_12_19, updated_at 2020_12_19; sid:3309590; rev:1; classtype:trojan-activity;)
alert tcp any any -> any any (msg:"πΎ - APT.Backdoor.MSIL.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"deftsecurity.com"; within:100; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; reference: url,https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-026/; reference: url,https://github.com/fireeye/sunburst_countermeasures; metadata:created_at 2020_12_19, updated_at 2020_12_19; sid:3309591; rev:1; classtype:trojan-activity;)
alert tcp any any -> any any (msg:"πΎ - APT.Backdoor.MSIL.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"thedoccloud.com"; within:100; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; reference: url,https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-026/; reference: url,https://github.com/fireeye/sunburst_countermeasures; metadata:created_at 2020_12_19, updated_at 2020_12_19; sid:3309592; rev:1; classtype:trojan-activity;)
alert tcp any any -> any any (msg:"πΎ - APT.Backdoor.MSIL.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"virtualdataserver.com"; within:100; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; reference: url,https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-026/; reference: url,https://github.com/fireeye/sunburst_countermeasures; metadata:created_at 2020_12_19, updated_at 2020_12_19; sid:3309593; rev:1; classtype:trojan-activity;)
# sid 3309594: DNS query (QDCOUNT=1, ANCOUNT=0 via |00 01 00 00| at offset 4) for a name containing the
# label |0b|appsync-api followed by a 9-byte label with "-" at byte 2 and "st" at bytes 5-6 (the shape
# of an AWS region name such as eu-west-1), then |0a|avsvmcloud|03|com. The final negated content
# appears to exclude queries where appsync-api is the first label (no generated subdomain) - confirm.
alert udp $HOME_NET any -> any 53 (msg:"πΎ - APT.Backdoor.MSIL.SUNBURST"; content:"|00 01 00 00|"; offset:4; depth:4; content:"|0b|appsync-api"; distance:0; content:"|09|"; within:1; content:"-"; distance:2; within:1; content:"st"; distance:2; within:2; content:"|0a|avsvmcloud|03|com"; distance:0; content:!"|00 00 0B 61 70 70 73 79 6E 63 2D 61 70 69|"; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; reference: url,https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-026/; reference: url,https://github.com/fireeye/sunburst_countermeasures; metadata:created_at 2020_12_19, updated_at 2020_12_19; sid:3309594; rev:1; classtype:trojan-activity;)
# --- Cobalt Strike BEACON infrastructure tied to the SUNBURST campaign (fireeye/sunburst_countermeasures) ---
# 3309595-3309598 and 3309605: outbound TLS 1.2 records (|16 03 03|) containing a C2 domain anywhere
#   after the record header (raw content, so the hit can come from the SNI or a certificate field).
#   tls.sni would be the precise buffer on Suricata 5+; kept as upstream wrote it.
# 3309599: outbound POST whose body (right after the |0d 0a 0d 0a| header terminator) starts with
#   name="...";filename="... - "\;" is Suricata's escape for a literal semicolon inside content.
# 3309600: inbound response whose header stack (nginx/1.14.0 (Ubuntu), ASP.NET/MVC version headers,
#   Cache-Control, nosniff) matches the malleable C2 profile, with a Content-Length value of roughly
#   6-8 characters (distance:6 / within:4 before the CRLF).
# 3309601-3309604: strings from the decoy HTML page served by the C2 (flow:from_server).
alert tcp $HOME_NET any -> any 443 (msg:"πΎ - Backdoor.BEACON"; content:"|16 03 03|"; depth:3; content:"incomeupdate.com"; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; reference: url,https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-026/; reference: url,https://github.com/fireeye/sunburst_countermeasures; metadata:created_at 2020_12_19, updated_at 2020_12_19; sid:3309595; rev:1; classtype:trojan-activity;)
alert tcp $HOME_NET any -> any 443 (msg:"πΎ - Backdoor.BEACON"; content:"|16 03 03|"; depth:3; content:"zupertech.com"; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; reference: url,https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-026/; reference: url,https://github.com/fireeye/sunburst_countermeasures; metadata:created_at 2020_12_19, updated_at 2020_12_19; sid:3309596; rev:1; classtype:trojan-activity;)
alert tcp $HOME_NET any -> any 443 (msg:"πΎ - Backdoor.BEACON"; content:"|16 03 03|"; depth:3; content:"databasegalore.com"; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; reference: url,https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-026/; reference: url,https://github.com/fireeye/sunburst_countermeasures; metadata:created_at 2020_12_19, updated_at 2020_12_19; sid:3309597; rev:1; classtype:trojan-activity;)
alert tcp $HOME_NET any -> any 443 (msg:"πΎ - Backdoor.BEACON"; content:"|16 03 03|"; depth:3; content:"panhardware.com"; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; reference: url,https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-026/; reference: url,https://github.com/fireeye/sunburst_countermeasures; metadata:created_at 2020_12_19, updated_at 2020_12_19; sid:3309598; rev:1; classtype:trojan-activity;)
alert tcp $HOME_NET any -> any any (msg:"πΎ - Backdoor.BEACON"; content:"POST"; depth:4; content:"|0d 0a 0d 0a|name=\""; content:"\"\;filename=\""; content:"\"|0a|Content-Type:"; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; reference: url,https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-026/; reference: url,https://github.com/fireeye/sunburst_countermeasures; metadata:created_at 2020_12_19, updated_at 2020_12_19; sid:3309599; rev:1; classtype:trojan-activity;)
alert tcp any any -> $HOME_NET any (msg:"πΎ - Backdoor.BEACON"; content:"HTTP/1."; depth:7; content:"Server: nginx/1.14.0 (Ubuntu)"; distance:0; content:"Connection: close"; distance:0; content:"Cache-Control: max-age=300, must-revalidate"; distance:0; content:"X-Content-Type-Options: nosniff"; distance:0; content:"X-AspNetMvc-Version: 3.0"; distance:0; content:"X-AspNet-Version: 4.0.30319"; distance:0; content:"X-Powered-By: ASP.NET"; distance:0; content:"Content-Length: "; content:"|0d 0a|"; distance:6; within:4; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; reference: url,https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-026/; reference: url,https://github.com/fireeye/sunburst_countermeasures; metadata:created_at 2020_12_19, updated_at 2020_12_19; sid:3309600; rev:1; classtype:trojan-activity;)
alert tcp any any -> $HOME_NET any (msg:"πΎ - Backdoor.BEACON"; flow:from_server; content:"<title>Woman-Five-How-To-Why-Your-Celebrating-Learn-Brand</title>"; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; reference: url,https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-026/; reference: url,https://github.com/fireeye/sunburst_countermeasures; metadata:created_at 2020_12_19, updated_at 2020_12_19; sid:3309601; rev:1; classtype:trojan-activity;)
alert tcp any any -> $HOME_NET any (msg:"πΎ - Backdoor.BEACON"; flow:from_server; content:"<p>Companies-Best-Man-Vendors-Best</p>"; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; reference: url,https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-026/; reference: url,https://github.com/fireeye/sunburst_countermeasures; metadata:created_at 2020_12_19, updated_at 2020_12_19; sid:3309602; rev:1; classtype:trojan-activity;)
alert tcp any any -> $HOME_NET any (msg:"πΎ - Backdoor.BEACON"; flow:from_server; content:"<meta name=\"msvalidate.01\" content=\"ECEE9516DDABFC7CCBBF1EACC04CAC20\">"; content:"<meta name=\"google-site-verification\" content=\"CD5EF1FCB54FE29C838ABCBBE0FA57AE\">"; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; reference: url,https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-026/; reference: url,https://github.com/fireeye/sunburst_countermeasures; metadata:created_at 2020_12_19, updated_at 2020_12_19; sid:3309603; rev:1; classtype:trojan-activity;)
alert tcp any any -> $HOME_NET any (msg:"πΎ - Backdoor.BEACON"; flow:from_server; content:"<p>Million-Support-Years-Week-Agents</p>"; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; reference: url,https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-026/; reference: url,https://github.com/fireeye/sunburst_countermeasures; metadata:created_at 2020_12_19, updated_at 2020_12_19; sid:3309604; rev:1; classtype:trojan-activity;)
alert tcp $HOME_NET any -> any 443 (msg:"πΎ - Backdoor.BEACON"; content:"|16 03 03|"; depth:3; content:"websitetheme.com"; reference: url,https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; reference: url,https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-026/; reference: url,https://github.com/fireeye/sunburst_countermeasures; metadata:created_at 2020_12_19, updated_at 2020_12_19; sid:3309605; rev:1; classtype:trojan-activity;)
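# --- HAFNIUM / Microsoft Exchange web-shell paths (Volexity + Microsoft, 2021-03-02) ---
# Each rule looks for an HTTP POST whose request URI is one of the web-shell file names listed in the
# referenced posts (static OWA theme resources and ECP files, which clients normally only GET).
# rev:2 - matching is done on the HTTP buffers (http.method / http.uri, Suricata 5+ sticky buffers)
# instead of the raw TCP payload. The rev:1 rules matched "POST" and the path anywhere in any payload
# sent towards $HOME_NET, so an HTML response delivered to an internal client, or a Referer header
# mentioning the path, could trigger them; they also lacked a flow: constraint.
# flow:established,to_server restricts the match to the client->server side of a completed handshake.
# These rules only see cleartext HTTP: OWA/ECP are normally served over TLS, so they need a
# decrypting proxy in front of Exchange (or a log-based equivalent) to be effective.
alert http any any -> $HOME_NET any (msg:"πΎ - π¨ Exploitation possible - multiples RCE dans Microsoft Exchange π« - HAFNIUM Group π¨π³"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/owa/auth/Current/themes/resources/logon.css"; reference: url,https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/; reference: url,https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/; metadata:created_at 2021_03_03, updated_at 2021_03_03; sid:3309606; rev:2; classtype:trojan-activity;)
alert http any any -> $HOME_NET any (msg:"πΎ - π¨ Exploitation possible - multiples RCE dans Microsoft Exchange π« - HAFNIUM Group π¨π³"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/owa/auth/Current/themes/resources/owafont_ja.css"; reference: url,https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/; reference: url,https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/; metadata:created_at 2021_03_03, updated_at 2021_03_03; sid:3309607; rev:2; classtype:trojan-activity;)
alert http any any -> $HOME_NET any (msg:"πΎ - π¨ Exploitation possible - multiples RCE dans Microsoft Exchange π« - HAFNIUM Group π¨π³"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/owa/auth/Current/themes/resources/lgnbotl.gif"; reference: url,https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/; reference: url,https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/; metadata:created_at 2021_03_03, updated_at 2021_03_03; sid:3309608; rev:2; classtype:trojan-activity;)
alert http any any -> $HOME_NET any (msg:"πΎ - π¨ Exploitation possible - multiples RCE dans Microsoft Exchange π« - HAFNIUM Group π¨π³"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/owa/auth/Current/themes/resources/owafont_ko.css"; reference: url,https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/; reference: url,https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/; metadata:created_at 2021_03_03, updated_at 2021_03_03; sid:3309609; rev:2; classtype:trojan-activity;)
alert http any any -> $HOME_NET any (msg:"πΎ - π¨ Exploitation possible - multiples RCE dans Microsoft Exchange π« - HAFNIUM Group π¨π³"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/owa/auth/Current/themes/resources/SegoeUI-SemiBold.eot"; reference: url,https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/; reference: url,https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/; metadata:created_at 2021_03_03, updated_at 2021_03_03; sid:3309610; rev:2; classtype:trojan-activity;)
alert http any any -> $HOME_NET any (msg:"πΎ - π¨ Exploitation possible - multiples RCE dans Microsoft Exchange π« - HAFNIUM Group π¨π³"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/owa/auth/Current/themes/resources/SegoeUI-SemiLight.ttf"; reference: url,https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/; reference: url,https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/; metadata:created_at 2021_03_03, updated_at 2021_03_03; sid:3309611; rev:2; classtype:trojan-activity;)
alert http any any -> $HOME_NET any (msg:"πΎ - π¨ Exploitation possible - multiples RCE dans Microsoft Exchange π« - HAFNIUM Group π¨π³"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ecp/default.flt"; reference: url,https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/; reference: url,https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/; metadata:created_at 2021_03_03, updated_at 2021_03_03; sid:3309612; rev:2; classtype:trojan-activity;)
alert http any any -> $HOME_NET any (msg:"πΎ - π¨ Exploitation possible - multiples RCE dans Microsoft Exchange π« - HAFNIUM Group π¨π³"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ecp/main.css"; reference: url,https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/; reference: url,https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/; metadata:created_at 2021_03_03, updated_at 2021_03_03; sid:3309613; rev:2; classtype:trojan-activity;)
# sid 3309614 is the broadest of the set (any POST whose URI contains both "/ecp/" and ".js");
# the http.uri buffer keeps it from matching ".js" strings in bodies or other headers, but expect it
# to need local tuning on busy Exchange front ends.
alert http any any -> $HOME_NET any (msg:"πΎ - π¨ Exploitation possible - multiples RCE dans Microsoft Exchange π« - HAFNIUM Group π¨π³"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ecp/"; content:".js"; reference: url,https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/; reference: url,https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/; metadata:created_at 2021_03_03, updated_at 2021_03_03; sid:3309614; rev:2; classtype:trojan-activity;)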
# --- HAFNIUM / Microsoft Exchange attacker IP addresses (Volexity + Microsoft, 2021-03-02) ---
# Pure IP-reputation rules: "alert ip <addr> any -> any any" with no content or flow option, so any
# packet from the address fires, including scanner noise and unrelated traffic.
# NOTE(review): these addresses were published on 2021-03-03 and are hosting/VPS space that gets
# reassigned; re-validate before deploying and prefer an IP reputation list (iprep) over hard-coded
# rules for this kind of short-lived IoC.
alert ip 103.77.192.219 any -> any any (msg:"πΎ - π¨ Connexion entrante - Exploitation possible - multiples RCE dans Microsoft Exchange π« - HAFNIUM Group π¨π³"; reference: url,https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/; reference: url,https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/; metadata:created_at 2021_03_03, updated_at 2021_03_03; sid:3309615; rev:1; classtype:trojan-activity;)
alert ip 104.140.114.110 any -> any any (msg:"πΎ - π¨ Connexion entrante - Exploitation possible - multiples RCE dans Microsoft Exchange π« - HAFNIUM Group π¨π³"; reference: url,https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/; reference: url,https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/; metadata:created_at 2021_03_03, updated_at 2021_03_03; sid:3309616; rev:1; classtype:trojan-activity;)
alert ip 104.250.191.110 any -> any any (msg:"πΎ - π¨ Connexion entrante - Exploitation possible - multiples RCE dans Microsoft Exchange π« - HAFNIUM Group π¨π³"; reference: url,https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/; reference: url,https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/; metadata:created_at 2021_03_03, updated_at 2021_03_03; sid:3309617; rev:1; classtype:trojan-activity;)
alert ip 108.61.246.56 any -> any any (msg:"πΎ - π¨ Connexion entrante - Exploitation possible - multiples RCE dans Microsoft Exchange π« - HAFNIUM Group π¨π³"; reference: url,https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/; reference: url,https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/; metadata:created_at 2021_03_03, updated_at 2021_03_03; sid:3309618; rev:1; classtype:trojan-activity;)
alert ip 149.28.14.163 any -> any any (msg:"πΎ - π¨ Connexion entrante - Exploitation possible - multiples RCE dans Microsoft Exchange π« - HAFNIUM Group π¨π³"; reference: url,https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/; reference: url,https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/; metadata:created_at 2021_03_03, updated_at 2021_03_03; sid:3309619; rev:1; classtype:trojan-activity;)
# NOTE(review): sid 3309620 is written as an OUTBOUND match ("any any -> 157.230.221.198 any") while
# its message still reads "Connexion entrante" (incoming) like the inbound siblings above and below.
# Either the direction or the message is inconsistent - confirm against the source IoC list before
# relying on this rule for inbound detection.
alert ip any any -> 157.230.221.198 any (msg:"πΎ - π¨ Connexion entrante - Exploitation possible - multiples RCE dans Microsoft Exchange π« - HAFNIUM Group π¨π³"; reference: url,https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/; reference: url,https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/; metadata:created_at 2021_03_03, updated_at 2021_03_03; sid:3309620; rev:1; classtype:trojan-activity;)
alert ip 167.99.168.251 any -> any any (msg:"πΎ - π¨ Connexion entrante - Exploitation possible - multiples RCE dans Microsoft Exchange π« - HAFNIUM Group π¨π³"; reference: url,https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/; reference: url,https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/; metadata:created_at 2021_03_03, updated_at 2021_03_03; sid:3309621; rev:1; classtype:trojan-activity;)
alert ip 185.250.151.72 any -> any any (msg:"πΎ - π¨ Connexion entrante - Exploitation possible - multiples RCE dans Microsoft Exchange π« - HAFNIUM Group π¨π³"; reference: url,https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/; reference: url,https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/; metadata:created_at 2021_03_03, updated_at 2021_03_03; sid:3309622; rev:1; classtype:trojan-activity;)
alert ip 192.81.208.169 any -> any any (msg:"πΎ - π¨ Connexion entrante - Exploitation possible - multiples RCE dans Microsoft Exchange π« - HAFNIUM Group π¨π³"; reference: url,https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/; reference: url,https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/; metadata:created_at 2021_03_03, updated_at 2021_03_03; sid:3309623; rev:1; classtype:trojan-activity;)
alert ip 203.160.69.66 any -> any any (msg:"πΎ - π¨ Connexion entrante - Exploitation possible - multiples RCE dans Microsoft Exchange π« - HAFNIUM Group π¨π³"; reference: url,https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/; reference: url,https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/; metadata:created_at 2021_03_03, updated_at 2021_03_03; sid:3309624; rev:1; classtype:trojan-activity;)
alert ip 211.56.98.146 any -> any any (msg:"πΎ - π¨ Connexion entrante - Exploitation possible - multiples RCE dans Microsoft Exchange π« - HAFNIUM Group π¨π³"; reference: url,https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/; reference: url,https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/; metadata:created_at 2021_03_03, updated_at 2021_03_03; sid:3309625; rev:1; classtype:trojan-activity;)
alert ip 5.254.43.18 any -> any any (msg:"πΎ - π¨ Connexion entrante - Exploitation possible - multiples RCE dans Microsoft Exchange π« - HAFNIUM Group π¨π³"; reference: url,https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/; reference: url,https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/; metadata:created_at 2021_03_03, updated_at 2021_03_03; sid:3309626; rev:1; classtype:trojan-activity;)
alert ip 80.92.205.81 any -> any any (msg:"πΎ - π¨ Connexion entrante - Exploitation possible - multiples RCE dans Microsoft Exchange π« - HAFNIUM Group π¨π³"; reference: url,https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/; reference: url,https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/; metadata:created_at 2021_03_03, updated_at 2021_03_03; sid:3309627; rev:1; classtype:trojan-activity;)
# --- Log4Shell: outbound LDAP callback to the Internet on the PoC default port ---
# Matches the start of an LDAP BindRequest in BER: SEQUENCE |30|, messageID INTEGER |02 01|,
# APPLICATION 0 (BindRequest) |60|, version INTEGER |02 01|, then the OCTET STRING name tag |04|,
# sent to TCP/1389 on $EXTERNAL_NET. 1389 is the listener port used by the referenced PoC app,
# which is why classtype is policy-violation rather than trojan-activity.
# Coverage caveat: only port 1389 is watched, so LDAP callbacks on other ports are not covered by this
# rule; no_stream makes the match operate on the raw packet rather than the reassembled stream.
alert tcp any any -> $EXTERNAL_NET 1389 (msg: "π Suspicious outgoing LDAP flow to Internet on port 1389 - Possible Log4shell POC attack"; flow: established, to_server, no_stream; content:"|30|"; depth: 1; content:"|02 01|"; fast_pattern; distance: 1; within: 2; content: "|60|"; distance: 1; within: 1; content: "|02 01|"; distance: 1; within: 2; content: "|04|"; distance: 1; within: 1; reference: url,https://github.com/christophetd/log4shell-vulnerable-app; metadata:created_at 2021_12_12, updated_at 2021_12_12 ; sid:3309628; rev:1; classtype:policy-violation;)