mirror of
https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections
synced 2024-06-27 09:20:05 +00:00
18 KiB
18 KiB
| 1 | family | name | type | SID | status | desc |
|---|---|---|---|---|---|---|
| 2 | SUNBURST | APT_Backdoor_SUNBURST_1 | yara | N/A | production | This rule looks for portions of the SUNBURST backdoor that are vital to how it functions. The first signature fnv_xor matches a magic byte xor that the sample performs on process, service, and driver names/paths. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. |
| 3 | SUNBURST | APT_Backdoor_SUNBURST_2 | yara | N/A | production | The SUNBURST backdoor uses a domain generation algorithm (DGA) as part of C2 communications. This rule looks for each branch of the code that checks for which HTTP method is being used. This is in one large conjunction, and all branches are then tied together via disjunction. The grouping is intentionally designed so that if any part of the DGA is re-used in another sample, this signature should match that re-used portion. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. |
| 4 | SUNBURST | Backdoor.SUNBURST | snort/nx | 77600832 | production | This rule looks for network requests that are masquerading as the Solar Winds Improvement Program (SWIP) network protocol to non-SolarWinds domains. These network requests are used by the SUNBURST backdoor to provide a sense of legitimacy to the backdoored DLL. This communication should occur over SSL/TLS however these rules will apply in environments with SSL/TLS Inspection. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. |
| 5 | SUNBURST | Backdoor.SUNBURST | snort/nx | 77600833 | production | This rule looks for network requests that are masquerading as the Solar Winds Improvement Program (SWIP) network protocol to non-SolarWinds domains. These network requests are used by the SUNBURST backdoor to provide a sense of legitimacy to the backdoored DLL. This communication should occur over SSL/TLS however these rules will apply in environments with SSL/TLS Inspection. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. |
| 6 | SUNBURST | Backdoor.SUNBURST | snort/nx | 77600842 | production | This rule looks for HTTP network connections associated with the SUNBURST related avsvmcloud[.]com domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. |
| 7 | SUNBURST | Backdoor.SUNBURST | snort/nx | 77600843 | production | This rule looks for network requests that are masquerading as the Solar Winds Improvement Program (SWIP) network protocol to non-SolarWinds domains. These network requests are used by the SUNBURST backdoor to provide a sense of legitimacy to the backdoored DLL. This communication should occur over SSL/TLS however these rules will apply in environments with SSL/TLS Inspection. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. |
| 8 | SUNBURST | Backdoor.SUNBURST | snort/nx | 77600844 | production | This rule looks for network requests that are masquerading as the Solar Winds Improvement Program (SWIP) network protocol to non-SolarWinds domains. These network requests are used by the SUNBURST backdoor to provide a sense of legitimacy to the backdoored DLL. This communication should occur over SSL/TLS however these rules will apply in environments with SSL/TLS Inspection. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. |
| 9 | SUNBURST | Backdoor.SUNBURST | snort/nx | 77600845 | production | This rule looks for SSL/TLS network connections associated with the SUNBURST related avsvmcloud[.]com domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. |
| 10 | SUNBURST | Backdoor.SUNBURST | snort/nx | 77600846 | production | This rule looks for SSL/TLS network connections associated with the SUNBURST related digitalcollege[.]org domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. |
| 11 | SUNBURST | Backdoor.SUNBURST | snort/nx | 77600847 | production | This rule looks for SSL/TLS network connections associated with the SUNBURST related digitalcollege[.]org domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. |
| 12 | SUNBURST | Backdoor.SUNBURST | snort/nx | 77600848 | production | This rule looks for SSL/TLS network connections associated with the SUNBURST related deftsecurity[.]com domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. |
| 13 | SUNBURST | Backdoor.SUNBURST | snort/nx | 77600849 | production | This rule looks for SSL/TLS network connections associated with the SUNBURST related thedoccloud[.]com domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. |
| 14 | SUNBURST | Backdoor.SUNBURST | snort/nx | 77600850 | production | This rule looks for SSL/TLS network connections associated with the SUNBURST related virtualdataserver[.]com domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. |
| 15 | SUNBURST | Backdoor.SUNBURST | snort/nx | 77600851 | production | This rule looks for HTTP network connections associated with the SUNBURST related digitalcollege[.]org domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. |
| 16 | SUNBURST | Backdoor.SUNBURST | snort/nx | 77600852 | production | This rule looks for HTTP network connections associated with the SUNBURST related digitalcollege[.]org domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. |
| 17 | SUNBURST | Backdoor.SUNBURST | snort/nx | 77600853 | production | This rule looks for HTTP network connections associated with the SUNBURST related deftsecurity[.]com domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. |
| 18 | SUNBURST | Backdoor.SUNBURST | snort/nx | 77600854 | production | This rule looks for HTTP network connections associated with the SUNBURST related thedoccloud[.]com domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. |
| 19 | SUNBURST | Backdoor.SUNBURST | snort/nx | 77600855 | production | This rule looks for HTTP network connections associated with the SUNBURST related virtualdataserver[.]com domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. |
| 20 | SUNBURST | SUNBURST SUSPICIOUS FILEWRITES (METHODOLOGY) | hxioc/prod | N/A | supplemental | This rule identifies writes of specific file types associated with a SUNBURST backdoored version of the SolarWinds.Orion.Core.BusinessLayer.dll process. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. |
| 21 | SUNBURST | SUNBURST SUSPICIOUS URL HOSTNAME (METHODOLOGY) | hxioc/prod | N/A | supplemental | This rule identifies URL requests mimicking SolarWinds network traffic, to non-SolarWinds domains. This rule will only match on instances where communication does not occur over SSL/TLS. These requests may be evidence of the SUNBURST backdoor. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. |
| 22 | SUNBURST | SUNBURST SUSPICIOUS CHILD PROCESSES (METHODOLOGY) | hxioc/prod | N/A | supplemental | This rule identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor. The behavior of SolarWinds.Orion.Core.BusinessLayer.dll is dependent on per-enterprise configuration, so additional tuning may be required to exclude legitimate activity in a given environment. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. |
| 23 | SUNBURST | SUNBURST COMPROMISE INDICATORS | hxioc/prod | N/A | production | This rule identifies indicators which FireEye associates with the SUNBURST backdoor. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. |
| 24 | SUPERNOVA | APT_Webshell_SUPERNOVA_2 | yara | N/A | supplemental | This rule looks for specific strings related to SUPERNOVA. SUPERNOVA is a .NET web shell backdoor masquerading as a legitimate SolarWinds web service handler. SUPERNOVA inspects and responds to HTTP requests with the appropriate HTTP query strings, Cookies, and/or HTML form values (e.g. named codes, class, method, and args). |
| 25 | SUPERNOVA | APT_Webshell_SUPERNOVA_1 | yara | N/A | production | This rule looks for specific strings and attributes related to SUPERNOVA. SUPERNOVA is a .NET web shell backdoor masquerading as a legitimate SolarWinds web service handler. SUPERNOVA inspects and responds to HTTP requests with the appropriate HTTP query strings, Cookies, and/or HTML form values (e.g. named codes, class, method, and args). |
| 26 | COSMICGALE | APT_HackTool_PS1_COSMICGALE_1 | yara | N/A | production | This rule detects various unique strings related to COSMICGALE. COSMICGALE is a credential theft and reconnaissance PowerShell script that collects credentials using the publicly available Get-PassHashes routine. COSMICGALE clears log files, writes acquired data to a hard coded path, and encrypts the file with a password. |
| 27 | COSMICGALE | APT_HackTool_PS1_COSMICGALE_1 | clamav | N/A | production | This rule detects various unique strings related to COSMICGALE. COSMICGALE is a credential theft and reconnaissance PowerShell script that collects credentials using the publicly available Get-PassHashes routine. COSMICGALE clears log files, writes acquired data to a hard coded path, and encrypts the file with a password. |
| 28 | TEARDROP | APT_Dropper_Raw64_TEARDROP_1 | yara | N/A | production | This rule looks for portions of the TEARDROP backdoor that are vital to how it functions. TEARDROP is a memory only dropper that can read files and registry keys, XOR decode an embedded payload, and load the payload into memory. TEARDROP persists as a Windows service and has been observed dropping Cobalt Strike BEACON into memory. |
| 29 | TEARDROP | APT_Dropper_Win64_TEARDROP_1 | yara | N/A | production | This rule is intended match specific sequences of opcode found within TEARDROP, including those that decode the embedded payload. TEARDROP is a memory only dropper that can read files and registry keys, XOR decode an embedded payload, and load the payload into memory. TEARDROP persists as a Windows service and has been observed dropping Cobalt Strike BEACON into memory. |
| 30 | BEACON | Backdoor.BEACON | snort/nx | 77600840 | production | This rule is looking for SSL/TLS network requests associated with known bad BEACON domains during the SSL/TLS handshake. BEACON is a backdoor that is commercially available as part of the Cobalt Strike software platform. BEACON supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands. |
| 31 | BEACON | Backdoor.BEACON | snort/nx | 77600863 | production | This rule is looking for SSL/TLS network requests associated with known bad BEACON domains during the SSL/TLS handshake. BEACON is a backdoor that is commercially available as part of the Cobalt Strike software platform. BEACON supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands. |
| 32 | BEACON | Backdoor.BEACON | snort/nx | 77600864 | production | This rule is looking for SSL/TLS network requests associated with known bad BEACON domains during the SSL/TLS handshake. BEACON is a backdoor that is commercially available as part of the Cobalt Strike software platform. BEACON supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands. |
| 33 | BEACON | Backdoor.BEACON | snort/nx | 77600865 | production | This rule is looking for SSL/TLS network requests associated with known bad BEACON domains during the SSL/TLS handshake. BEACON is a backdoor that is commercially available as part of the Cobalt Strike software platform. BEACON supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands. |
| 34 | BEACON | Backdoor.BEACON | snort/nx | 77600837 | production | This rule is looking for network request content related to a specific Cobalt Strike BEACON malleable C2 profile. This network should occur over SSL/TLS, however these rules will apply in environments with SSL/TLS Inspection. BEACON is a backdoor that is commercially available as part of the Cobalt Strike software platform. BEACON supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands. |
| 35 | BEACON | Backdoor.BEACON | snort/nx | 77600856 | production | This rule is looking for network response content related to a specific Cobalt Strike BEACON malleable C2 profile. This network should occur over SSL/TLS, however these rules will apply in environments with SSL/TLS Inspection. BEACON is a backdoor that is commercially available as part of the Cobalt Strike software platform. BEACON supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands. |
| 36 | BEACON | Backdoor.BEACON | snort/nx | 77600857 | production | This rule is looking for network response content related to a specific Cobalt Strike BEACON malleable C2 profile. This network should occur over SSL/TLS, however these rules will apply in environments with SSL/TLS Inspection. BEACON is a backdoor that is commercially available as part of the Cobalt Strike software platform. BEACON supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands. |
| 37 | BEACON | Backdoor.BEACON | snort/nx | 77600858 | production | This rule is looking for network response content related to a specific Cobalt Strike BEACON malleable C2 profile. This network should occur over SSL/TLS, however these rules will apply in environments with SSL/TLS Inspection. BEACON is a backdoor that is commercially available as part of the Cobalt Strike software platform. BEACON supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands. |
| 38 | BEACON | Backdoor.BEACON | snort/nx | 77600859 | production | This rule is looking for network response content related to a specific Cobalt Strike BEACON malleable C2 profile. This network should occur over SSL/TLS, however these rules will apply in environments with SSL/TLS Inspection. BEACON is a backdoor that is commercially available as part of the Cobalt Strike software platform. BEACON supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands. |
| 39 | BEACON | Backdoor.BEACON | snort/nx | 77600860 | production | This rule is looking for network response content related to a specific Cobalt Strike BEACON malleable C2 profile. This network should occur over SSL/TLS, however these rules will apply in environments with SSL/TLS Inspection. BEACON is a backdoor that is commercially available as part of the Cobalt Strike software platform. BEACON supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands. |