# FreeRDP-family RDP client fingerprint (xfreerdp / vinagre / remmina), keyed on the
# ORDER of client data blocks inside the MCS Connect-Initial that follows the TPKT
# header (|03 00| at depth 2) and the "Duca" t124 identifier: CS_CORE (01 C0), then
# CS_CLUSTER (04 C0), then CS_SECURITY (02 C0). Presumably this is the write order
# of the FreeRDP library, which differs from mstsc; confirm against FreeRDP source
# before relying on the tool attribution in msg.
# Each byte_jump reads the 2-byte little-endian blockLength; post_offset -4
# compensates for the 4-byte type/length header already consumed by the content
# match and the read, so the cursor lands on the next block's type.
# The trailing byte_extract + isdataat:!LEN,relative requires fewer than LEN bytes
# after the 02 C0 length field, i.e. nothing of block size follows the security
# block: clients that also send a CS_NET (03 C0) block go to sid 10005952 instead.
# NOTE(review): the variable is named CLIENTNETWORKDATALEN but here it holds the
# 02 C0 (security) block length; harmless (byte_extract names are rule-local) but
# misleading when compared with sid 10005952.
# no_stream: inspects the packet carrying the Connect-Initial, not the reassembled
# stream, so a Connect-Initial split across segments is missed.
alert tcp any any -> any any (msg: "TOOLS [PTsecurity] xfreerdp/vinagre/remmina RDP client"; flow: established, to_server, no_stream; content: "|03 00|"; depth: 2; content: "Duca"; distance: 0; content: "|01 C0|"; distance: 2; within: 2; byte_jump: 2, 0, relative, little, post_offset -4; content: "|04 C0|"; within: 2; byte_jump: 2, 0, relative, little, post_offset -4; content: "|02 C0|"; within: 2; byte_extract: 2, 0, CLIENTNETWORKDATALEN, relative, little; isdataat: !CLIENTNETWORKDATALEN, relative; reference: url, rules.ptsecurity.com; classtype: policy-violation; sid: 10005928; rev: 3;)
# Companion to sid 10005928 for FreeRDP-family clients that also send a CS_NET
# (03 C0) block after core/cluster/security. byte_extract takes the CS_NET
# blockLength and isdataat:!LEN,relative requires that fewer than LEN bytes remain,
# i.e. the network block is effectively the last thing in the PDU.
# The /R pcre is anchored at the cursor (just past the length field): .{4} skips
# the 4-byte channelCount, then each CHANNEL_DEF is an 8-byte NUL-padded name plus
# 4 bytes of options (MS-RDPBCGR), hence "cliprdr"/"drdynvc" + 5 bytes,
# "rdpdr" + 7, "rdpsnd" + 6. Only the listed channel combinations match — this is
# a fingerprint of specific default channel sets, not a generic RDP detector; a
# client started with other channels is silently missed.
# vinagre is absent from msg, presumably because it sends no CS_NET block and is
# therefore covered by sid 10005928.
alert tcp any any -> any any (msg: "TOOLS [PTsecurity] xfreerdp/remmina RDP client"; flow: established, to_server, no_stream; content: "|03 00|"; depth: 2; content: "Duca"; distance: 0; content: "|01 C0|"; distance: 2; within: 2; byte_jump: 2, 0, relative, little, post_offset -4; content: "|04 C0|"; within: 2; byte_jump: 2, 0, relative, little, post_offset -4; content: "|02 C0|"; within: 2; byte_jump: 2, 0, relative, little, post_offset -4; content: "|03 C0|"; within: 2; byte_extract: 2, 0, CLIENTNETWORKDATALEN, relative, little; isdataat: !CLIENTNETWORKDATALEN, relative; pcre: "/(?:^.{4}cliprdr.{5}$|^.{4}drdynvc.{5}$|^.{4}rdpdr.{7}rdpsnd.{6}(?:drdynvc.{5}$|cliprdr|$))/R"; reference: url, rules.ptsecurity.com; classtype: policy-violation; sid: 10005952; rev: 3;)
# Burp Suite phone-home: a lookup of polling.portswigger.net (presumably Burp's
# update/licence polling — confirm) marks a host that is RUNNING Burp, not an attack
# in progress. Useful for inventory of pentest tooling on the network; classtype
# bad-unknown reflects that. Unanchored content on the normalized dns_query buffer,
# so any subdomain of the name also matches.
alert dns any any -> any any (msg: "TOOLS [PTsecurity] Burp Suite tool activity. polling.portswigger.net resolve"; dns_query; content: "polling.portswigger.net"; reference: url, rules.ptsecurity.com; classtype: bad-unknown; sid: 10006023; rev: 3;)
# Burp Collaborator domain lookup. Direction matters for triage: a workstation
# resolving it is most likely the tester's own Burp, whereas a SERVER or internal
# application resolving it is an out-of-band callback (an injected SSRF/XXE/command
# payload reached a resolver) and is the higher-value hit. any -> any merges both;
# consider a copy split by source ($HOME_NET server ranges) with a higher priority.
# NOTE(review): newer Burp releases default the Collaborator domain to oastify.com;
# this sid only covers burpcollaborator.net — verify and add a companion rule if
# that coverage gap matters.
alert dns any any -> any any (msg: "TOOLS [PTsecurity] Burp Suite tool activity. burpcollaborator.net resolve"; dns_query; content: "burpcollaborator.net"; reference: url, rules.ptsecurity.com; classtype: bad-unknown; sid: 10006024; rev: 3;)
# croc TCP (relay) traffic heuristic on the first client bytes: payload starts with
# "croc" (depth 4), byte 4 is not NUL, and bytes 6-7 are |00 00|. Negated contents do
# not move the cursor, so distance 2 is taken from the end of "croc".
# The "croc" prefix is presumably the tool's relay framing magic — confirm against
# the current schollz/croc source, the framing may change between releases.
# threshold type both / count 10 / 120 s per source: one alert only after ten
# matching packets from the same host, which filters lone coincidental hits.
alert tcp any any -> any any (msg: "TOOLS [PTsecurity] Croc file transfer tool activity"; flow: established, to_server; content: "croc"; depth: 4; content: !"|00|"; within: 1; content: "|00 00|"; distance: 2; within: 2; threshold: type both, track by_src, count 10, seconds 120; reference: url, github.com/schollz/croc; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10011012; rev: 1;)
# croc local-network peer discovery: an 8-byte UDP datagram (dsize 8 = exact payload
# length) containing "croc90" — presumably the multicast discovery beacon. Only
# visible to a sensor on the same L2 segment / multicast scope, so absence of this
# alert says nothing about croc use over the internet relay (see sid 10011012).
# threshold limit: at most one alert per source per 120 s.
alert udp any any -> any any (msg: "TOOLS [PTsecurity] Croc file transfer tool activity (UDP multicast)"; content: "croc90"; dsize: 8; threshold: type limit, track by_src, count 1, seconds 120; reference: url, github.com/schollz/croc; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10011013; rev: 1;)
# Lookup of the public croc relay: the anchored pcre allows "croc" plus at most ONE
# optional character before ".schollz.com" (croc, croc2, croc3 ...); a two-character
# suffix would not match. The two content keywords are prefilters for the pcre.
# A self-hosted relay is invisible to this rule by construction; pair with
# sid 10011012 for the payload-level signal.
alert dns any any -> any any (msg: "TOOLS [PTsecurity] Croc file transfer tool domain resolve"; dns_query; content: "croc"; content: "schollz.com"; pcre: "/^croc.?\.schollz\.com$/"; reference: url, github.com/schollz/croc; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10011014; rev: 1;)
# DNS side of the croc install/download host (getcroc.schollz.com): indicates the
# tool being fetched rather than used. Unanchored content on dns_query.
alert dns any any -> any any (msg: "TOOLS [PTsecurity] getCroc domain resolve (file transfer tool download)"; dns_query; content: "getcroc.schollz.com"; reference: url, github.com/schollz/croc; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10011015; rev: 1;)
# TLS side of the croc download host, matched on the ClientHello SNI. Uses the
# legacy tls_sni modifier while the later SNI rules in this file use the tls.sni
# sticky buffer; both work. NOTE(review): no nocase here, unlike the other SNI rules
# below — a mixed-case SNI (hostnames are case-insensitive) would slip past.
alert tls any any -> any any (msg: "TOOLS [PTsecurity] Croc file transfer tool download"; tls_sni; content: "getcroc.schollz.com"; reference: url, github.com/schollz/croc; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10011016; rev: 1;)
# gsocket relay packet, type 0x02 ("client" per msg). Scoped to the start of a flow:
# exactly 128 bytes of payload, fewer than 500 bytes sent by the client and fewer
# than 100 by the server so far. Layout enforced on the packet (no_stream):
#   byte 0        = 0x02
#   bytes 1-2     not NUL  (negated content; cursor stays at offset 1)
#   bytes 4-31    28 x NUL (distance 3 from offset 1)
#   bytes 32-47   not all NUL (presumably token/identity material — unverified)
#   bytes 48-51   NUL (distance 16 from offset 32, negated match did not advance)
#   last 4 bytes  NUL: the final content has no relative modifier, so it is a plain
#                 search and Suricata backtracks to the occurrence that satisfies
#                 isdataat:!1,relative (end of payload).
# Both this rule and sid 10009305 are to_server: the hypothesis is that both gsocket
# endpoints connect OUTBOUND to the relay, so the "server" role is still a TCP
# client — confirm against the gs protocol definition in gsocket's source.
alert tcp any any -> any any (msg: "TOOLS [PTsecurity] gsocket client activity"; flow: to_server, established, no_stream; dsize: 128; stream_size: client, <, 500; stream_size: server, <, 100; content: "|02|"; depth: 1; offset: 0; content: !"|00|"; within: 2; content: "|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance: 3; within: 28; content: !"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within: 16; content: "|00 00 00 00|"; distance: 16; within: 4; content: "|00 00 00 00|"; isdataat: !1, relative; reference: url, gsocket.io; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10009304; rev: 4;)
# gsocket relay packet, type 0x01 ("server" per msg); same flow scoping as
# sid 10009304. Layout enforced:
#   byte 0        = 0x01
#   bytes 1-2     not NUL
#   bytes 4-15    12 x NUL (fast_pattern — the longest fixed run, chosen for the MPM)
#   bytes 16-31   not all NUL
#   bytes 32-47   not all NUL (distance 16 from offset 16; negated matches do not
#                 move the cursor)
#   bytes 48-51   NUL (distance 32 from offset 16)
#   last 4 bytes  NUL (plain search + isdataat:!1,relative, see sid 10009304)
# Direction: to_server, see the note on sid 10009304 about both roles dialling out.
alert tcp any any -> any any (msg: "TOOLS [PTsecurity] gsocket server activity"; flow: to_server, established, no_stream; dsize: 128; stream_size: client, <, 500; stream_size: server, <, 100; content: "|01|"; depth: 1; offset: 0; content: !"|00|"; within: 2; content: "|00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern; distance: 3; within: 12; content: !"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within: 16; content: !"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance: 16; within: 16; content: "|00 00 00 00|"; distance: 32; within: 4; content: "|00 00 00 00|"; isdataat: !1, relative; reference: url, gsocket.io; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10009305; rev: 5;)
# DNS lookup for a *.gs.thc.org relay name (the leading dot keeps the bare apex out).
# Complements the payload rules 10009304/10009305, which need the first 128-byte
# packet; this one fires on any resolver visible to the sensor.
alert dns any any -> any any (msg: "TOOLS [PTsecurity] .gs.thc.org domain resolve. Probably gsocket activity"; dns_query; content: ".gs.thc.org"; reference: url, gsocket.io; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10009306; rev: 1;)
# Empire HTTP stager POST (presumably the default listener profile): a "session="
# cookie whose value ends in "=", then on the normalized header block a User-Agent
# within the first 100 bytes, Host and an EXACT "Content-Length: 462" within the
# next 400 bytes, and no Referer or Content-Type header at all.
# The fixed 462-byte length is what makes this precise — and brittle: a customised
# listener profile or a differently sized stage will not match.
# Style note: mixes legacy modifiers (http_method, http_cookie, endswith) with the
# http.header sticky buffer; Suricata accepts both, the rest of this file uses the
# sticky-buffer form.
# $HOME_NET -> $EXTERNAL_NET: a listener hosted inside the network (or reached via
# an internal redirector) is out of scope for this sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "TOOLS [PTsecurity] Empire Request"; flow: established, to_server; content: "POST"; http_method; content: "session="; http_cookie; fast_pattern; content: "="; http_cookie; endswith; http.header; content: "User-Agent: "; depth: 100; content: "Host: "; within: 400; content: "Content-Length: 462|0d0a|"; within: 400; content: !"Referer|3a|"; content: !"Content-Type: "; reference: url, https://www.hybrid-analysis.com/sample/52404b26bb9fe6e27ea3efbcbfd66712d33ab5b7f62c27fb823c430eccb12cb3/?environmentId=100; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10002268; rev: 12;)
# Empire PowerShell stager delivered in a 200 response: the three fragments are the
# prologue of the stager script — a PSVersion >= 3 check, then a reflective
# "[ref].Assembly.GetType(...System.Management.Automation.Utils" lookup (presumably
# the cached-GroupPolicy ScriptBlockLogging bypass, hence the $GPS name — confirm).
# Ordering is enforced with depth 1000 / within 100 so the fragments must appear
# close together, as in the referenced sample. nocase on the first two because
# PowerShell is case-insensitive and generators vary the casing; the type name is
# matched case-sensitively.
# Only the response direction is checked; pair with sid 10002268 for the request.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg: "TOOLS [PTsecurity] Empire"; flow: established, to_client; content: "200"; http_stat_code; content: "If($PSVersionTable.PSVersion.Major -ge 3){"; http_server_body; nocase; depth: 1000; content: "$GPS=[ref].Assembly.GetType("; http_server_body; nocase; within: 100; content: "System.Management.Automation.Utils"; http_server_body; within: 100; reference: url, https://www.hybrid-analysis.com/sample/cbf244479304572782de8ab375671da632012777c7bcf0b0e252958bff03dca4/?environmentId=100; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10002269; rev: 7;)
# Cobalt Strike beacon using one specific malleable C2 profile (from the referenced
# VirusTotal sample): POST to /uploads/<...>.jpg?timestamp=, User-Agent
# "ixwebsocket", a header containing "windows ssl" (matched without its header
# name — presumably a custom profile header), Accept-Encoding: gzip and a
# form-urlencoded Content-Type. All of these are profile-controlled, so this sid
# detects THAT profile, not Cobalt Strike in general; treat hits as high-confidence
# and misses as meaningless. http.header is the normalized block, so the
# single-space "Name: value" form is what is matched.
# msg uses the "SHELL" prefix while the rest of the file uses "TOOLS".
alert http any any -> any any (msg: "SHELL [PTsecurity] CobaltStrike"; flow: established, to_server; http.method; content: "POST"; http.uri; content: "/uploads/"; content: ".jpg?timestamp="; distance: 0; http.header; content: "Accept-Encoding: gzip"; content: "User-Agent: ixwebsocket"; content: "windows ssl"; content: "Content-Type: application/x-www-form-urlencoded"; reference: url, https://www.virustotal.com/gui/file/bd3e5af30087dc60849da000412fb719825c7e06e4f75639b95f188407d26f96/detection; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011361; rev: 3;)
# Sliver HTTP(S) C2 session key exchange, Base64gzip encoder. Shared shape of the
# key-exchange rules 10008538-10008541, 10011011 and 10012279:
#  - POST whose query string is one or two params with 1-2 char [a-z_] names and
#    7-14 / 8-13 char [a-z0-9_] values and nothing else ($ anchored) — the
#    implant's randomised nonce parameters. The /U flag is redundant with the
#    http.uri sticky buffer but harmless.
#  - no Cookie header (key exchange happens before the session cookie exists)
#    and an "Accept-Encoding: gzip" line on the raw header block.
# Encoder-specific part: the body starts with "eTKfaaaaaaac" (presumably the gzip
# header under Sliver's custom Base64 alphabet — confirm against the encoder
# source of the targeted version) and ends with "aa". fast_pattern on the 12-byte
# prefix keeps the expensive URI pcre off the MPM path.
alert http any any -> any any (msg: "TOOLS [PTsecurity] Sliver C2 HTTP Key exchange (Base64gzip)"; flow: established, to_server; http.method; content: "POST"; http.uri; pcre: "/\?(?:[a-z_]=[a-z0-9_]{7,14}&[a-z_]{2}=[a-z0-9_]{8,13}|[a-z_]{2}=[a-z0-9_]{8,13}&[a-z_]=[a-z0-9_]{7,14}|[a-z_]=[a-z0-9_]{7,14})$/U"; http.header.raw; content: !"Cookie|3a|"; nocase; content: "Accept-Encoding|3A| gzip|0d 0a|"; nocase; http.request_body; content: "eTKfaaaaaaac"; fast_pattern; depth: 12; content: "aa"; endswith; reference: url, github.com/BishopFox/sliver; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10008538; rev: 5;)
# Sliver key exchange, raw gzip encoder. Same URI/header constraints as
# sid 10008538 (see its comment); additionally the Accept-Encoding line must be
# preceded by CRLF (i.e. not the first header). Content-Length is range-checked as
# a decimal string (133..295 inclusive) via http.content_len + byte_test.
# The body check deliberately switches to pkt_data and looks for the end of the
# headers followed by the gzip magic |1f 8b 08 00| with a zero mtime: this only
# works when headers and body are in the SAME TCP segment. A request whose body
# arrives in a later segment is not detected — a known limitation, not a bug,
# but worth remembering when tuning.
alert http any any -> any any (msg: "TOOLS [PTsecurity] Sliver C2 HTTP Key exchange (gzip)"; flow: established, to_server; http.method; content: "POST"; http.uri; pcre: "/\?(?:[a-z_]=[a-z0-9_]{7,14}&[a-z_]{2}=[a-z0-9_]{8,13}|[a-z_]{2}=[a-z0-9_]{8,13}&[a-z_]=[a-z0-9_]{7,14}|[a-z_]=[a-z0-9_]{7,14})$/U"; http.header.raw; content: !"Cookie|3a|"; nocase; content: "|0d 0a|Accept-Encoding|3A| gzip|0d 0a|"; nocase; http.content_len; byte_test: 0, >=, 133, 0, string, dec; byte_test: 0, <=, 295, 0, string, dec; pkt_data; content: "|0D 0A 0D 0A 1F 8B 08 00 00 00 00|"; reference: url, virustotal.com/gui/file/e877e29e45b823fe32c600508dd9e05e399272c98449976b66f44721e54e42e3/detection; reference: url, github.com/BishopFox/sliver; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10008539; rev: 6;)
# Sliver key exchange, "English" word encoder. Same URI/header constraints as
# sid 10008538. The body must consist entirely of at least 80 upper-case words of
# 2-20 letters, each optionally followed by a single whitespace char, with nothing
# else (anchored ^...$ on the request body via /P). The absence of a content
# prefilter means the pcre runs on every POST that passes the URI pcre; keep that
# in mind for sensors carrying heavy upload traffic.
alert http any any -> any any (msg: "TOOLS [PTsecurity] Sliver C2 HTTP Key exchange (English)"; flow: established, to_server; http.method; content: "POST"; http.uri; pcre: "/\?(?:[a-z_]=[a-z0-9_]{7,14}&[a-z_]{2}=[a-z0-9_]{8,13}|[a-z_]{2}=[a-z0-9_]{8,13}&[a-z_]=[a-z0-9_]{7,14}|[a-z_]=[a-z0-9_]{7,14})$/U"; http.header.raw; content: !"Cookie|3a|"; nocase; content: "Accept-Encoding|3A| gzip|0d 0a|"; nocase; http.request_body; pcre: "/^(?:[A-Z]{2,20}\s?){80,}$/P"; reference: url, github.com/BishopFox/sliver; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10008540; rev: 4;)
# Sliver key exchange, hex encoder. Same URI/header constraints as sid 10008538.
# Body is pure lower-case hex (anchored pcre on the request body) with a size
# strictly between 211 and 533 bytes — bsize's <> operator is exclusive on both
# ends. Again no content prefilter, so the cost is bounded only by the URI pcre.
alert http any any -> any any (msg: "TOOLS [PTsecurity] Sliver C2 HTTP Key exchange (hex)"; flow: established, to_server; http.method; content: "POST"; http.uri; pcre: "/\?(?:[a-z_]=[a-z0-9_]{7,14}&[a-z_]{2}=[a-z0-9_]{8,13}|[a-z_]{2}=[a-z0-9_]{8,13}&[a-z_]=[a-z0-9_]{7,14}|[a-z_]=[a-z0-9_]{7,14})$/U"; http.header.raw; content: !"Cookie|3a|"; nocase; content: "Accept-Encoding|3A| gzip|0d 0a|"; nocase; http.request_body; bsize: 211<>533; pcre: "/^[a-f0-9]+$/P"; reference: url, virustotal.com/gui/file/e877e29e45b823fe32c600508dd9e05e399272c98449976b66f44721e54e42e3/detection; reference: url, github.com/BishopFox/sliver; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10008541; rev: 5;)
# Sliver key exchange, modified-alphabet Base64 encoder. Same URI/header
# constraints as sid 10008538. Body must contain "_", "-" and "+", be EXACTLY 355
# bytes, and match a character class that deliberately omits lower-case "g" —
# presumably because Sliver's custom alphabet lacks it; confirm against
# encoders/base64.go of the targeted version, the alphabet is version-specific.
# The exact bsize ties this to one key-exchange message size; a change in key
# size or framing in a newer implant silently breaks the rule.
alert http any any -> any any (msg: "TOOLS [PTsecurity] Sliver C2 HTTP Key exchange (Base64 modified alphabet)"; flow: established, to_server; http.method; content: "POST"; http.uri; pcre: "/\?(?:[a-z_]=[a-z0-9_]{7,14}&[a-z_]{2}=[a-z0-9_]{8,13}|[a-z_]{2}=[a-z0-9_]{8,13}&[a-z_]=[a-z0-9_]{7,14}|[a-z_]=[a-z0-9_]{7,14})$/U"; http.header.raw; content: !"Cookie|3a|"; nocase; content: "Accept-Encoding|3A| gzip|0d 0a|"; nocase; http.request_body; content: "_"; content: "-"; content: "+"; bsize: 355; pcre: "/(?:^[a-fh-zA-Z0-9_\-\+]+$)/P"; reference: url, virustotal.com/gui/file/e877e29e45b823fe32c600508dd9e05e399272c98449976b66f44721e54e42e3/detection; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10011011; rev: 3;)
# Sliver implant polling with default request headers: GET of a ".js" URI with a
# single nonce-style query param, a pinned Chrome-like Accept header and
# "Accept-Language: en-US,en;q=0.9", no Content-Encoding request header, and a
# session cookie of the form <name>=<32 hex chars> (anchored; name may be empty).
# The exact Accept value is a fingerprint of one implant build's defaults — any
# operator that edits the HTTP C2 profile breaks it, which is why the
# flowbit-based rules 10008545-10008548 exist as a second, header-agnostic path.
# threshold both / 5 per 600 s per source: alerts once after five polls.
alert http any any -> any any (msg: "TOOLS [PTsecurity] Sliver C2 HTTP Polling (default headers)"; flow: established, to_server; http.method; content: "GET"; http.uri; pcre: "/\.js\?[a-z_]=[a-z0-9_]{7,14}$/U"; http.header; content: "Accept-Encoding|3A| gzip|0d 0a|"; nocase; content: "Accept|3A| text/html,application/xhtml+xml,application/xml|3B|q=0.9,image/avif,image/webp,image/apng,*/*|3B|q=0.8,application/signed-exchange|3B|v=b3|3B|q=0.9"; nocase; content: "Accept-Language|3A| en-US,en|3B|q=0.9|0d 0a|"; nocase; content: !"Content-Encoding"; nocase; http.cookie; pcre: "/^[a-zA-Z0-9\-]*?=[0-9a-f]{32}$/C"; threshold: type both, track by_src, count 5, seconds 600; reference: url, github.com/BishopFox/sliver; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10008542; rev: 3;)
# Stage 1 of the Sliver polling chain — sets the flowbit, never alerts (noalert).
# Matches a GET with one nonce-style query param, a Cookie header present on the
# raw header block, Accept-Encoding: gzip, and a cookie value of <name>=<32 hex>.
# Sid 10008546/10008547/10008548 then inspect the server's reply on the same flow.
# The flowbit is never unset, so it lives for the remainder of the flow; that is
# intentional — the reply may come several requests later on a keep-alive
# connection.
alert http any any -> any any (msg: "TOOLS [PTsecurity] Sliver C2. HTTP Polling. Encoders FB"; flow: established, to_server; http.method; content: "GET"; http.uri; pcre: "/\?[a-z_]=[a-z0-9_]{7,14}$/U"; http.header.raw; content: "Cookie"; nocase; content: "Accept-Encoding|3A| gzip|0d 0a|"; nocase; http.cookie; pcre: "/^[a-zA-Z0-9\-]*?=[0-9a-f]{32}$/C"; flowbits: set, Sliver.HTTP.Encoders; noalert; reference: url, github.com/BishopFox/sliver; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10008545; rev: 3;)
# Stage 2 of the Sliver polling chain, Base64gzip encoder: a reply with
# "Content-Type: text/plain; charset=utf-8", no Content-Encoding, whose body starts
# with "eTKfaaaaaaac" (same encoded gzip prefix as sid 10008538) and ends with
# "aaaa", on a flow where sid 10008545 already set the flowbit.
# threshold limit / track by_src: since this is from_server, "src" is the C2
# server — one alert per server per 300 s, not per victim.
alert http any any -> any any (msg: "TOOLS [PTsecurity] Sliver C2 HTTP Polling (Base64gzip)"; flow: established, from_server; http.header; content: "Content-Type|3A| text/plain|3B| charset=utf-8|0d 0a|"; nocase; content: !"Content-Encoding"; nocase; http.response_body; content: "eTKfaaaaaaac"; depth: 12; content: "aaaa"; endswith; flowbits: isset, Sliver.HTTP.Encoders; threshold: type limit, track by_src, count 1, seconds 300; reference: url, github.com/BishopFox/sliver; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10008546; rev: 2;)
# Stage 2 of the Sliver polling chain, raw gzip encoder: "Content-Type:
# application/x-gzip" with no Content-Encoding and a body beginning with the gzip
# magic |1f 8b|, gated on the flowbit from sid 10008545. Legitimate gzip downloads
# on a flow that also happened to carry a <name>=<32 hex> cookie would fire here;
# the threshold (1 per server per 300 s) limits the noise but not the false hit.
alert http any any -> any any (msg: "TOOLS [PTsecurity] Sliver C2 HTTP Polling (gzip)"; flow: established, from_server; http.header; content: "Content-Type|3A| application/x-gzip|0d 0a|"; nocase; content: !"Content-Encoding"; nocase; http.response_body; content: "|1f 8b|"; depth: 2; flowbits: isset, Sliver.HTTP.Encoders; threshold: type limit, track by_src, count 1, seconds 300; reference: url, github.com/BishopFox/sliver; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10008547; rev: 2;)
# Stage 2 of the Sliver polling chain, "English" encoder: text/plain UTF-8 reply,
# no Content-Encoding, body made only of 40+ upper-case words (2-20 letters, single
# optional whitespace each; /Q anchors on the response body), flowbit-gated.
# The lower word count than sid 10008540 (40 vs 80) reflects the smaller poll
# reply; expect more incidental matches from genuinely all-caps text bodies.
alert http any any -> any any (msg: "TOOLS [PTsecurity] Sliver C2 HTTP Polling (English)"; flow: established, from_server; http.header; content: "Content-Type|3A| text/plain|3B| charset=utf-8|0d 0a|"; nocase; content: !"Content-Encoding"; nocase; http.response_body; pcre: "/^(?:[A-Z]{2,20}\s?){40,}$/Q"; flowbits: isset, Sliver.HTTP.Encoders; threshold: type limit, track by_src, count 1, seconds 300; reference: url, github.com/BishopFox/sliver; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10008548; rev: 3;)
# Sliver key exchange, PNG encoder: same URI/header constraints as sid 10008538
# and a body that begins with the 8-byte PNG signature (fast_pattern, depth 8).
# Beyond the signature nothing PNG-specific is checked, so a legitimate image
# upload to a URL with a nonce-looking query string and no cookie could match;
# the URI pcre is the only thing keeping that rare.
alert http any any -> any any (msg: "TOOLS [PTsecurity] Sliver C2 HTTP Key exchange (PNG)"; flow: established, to_server; http.method; content: "POST"; http.uri; pcre: "/\?(?:[a-z_]=[a-z0-9_]{7,14}&[a-z_]{2}=[a-z0-9_]{8,13}|[a-z_]{2}=[a-z0-9_]{8,13}&[a-z_]=[a-z0-9_]{7,14}|[a-z_]=[a-z0-9_]{7,14})$/U"; http.header.raw; content: !"Cookie|3a|"; nocase; content: "Accept-Encoding|3A| gzip|0d 0a|"; nocase; http.request_body; content: "|89|PNG|0D 0A 1A 0A|"; fast_pattern; depth: 8; reference: url, sliver.sh/docs?name=HTTPS+C2; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10012279; rev: 2;)
# AdaptixC2 agent with the DEFAULT listener profile: an "X-Beacon-Id: " request
# header on the raw header block plus the profile's stock User-Agent — a 2013-era
# Firefox 20 on Windows NT 6.2, which is itself an anomaly on any modern network.
# ';' and ':' are hex-escaped (|3b 20|, |3a|) because they are reserved inside
# content. Any operator who changes either default defeats this sid; sids
# 10012900/10012901 are the profile-independent (size-based) fallback for HTTPS.
# threshold limit: one alert per agent host per 180 s.
alert http any any -> any any (msg: "TOOLS [PTsecurity] AdaptixC2 default agent activity"; flow: established, to_server; http.header.raw; content: "X-Beacon-Id|3a 20|"; nocase; http.user_agent; content: "Mozilla/5.0 (Windows NT 6.2|3b 20|rv|3a|20.0) Gecko/20121202 Firefox/20.0"; nocase; threshold: type limit, track by_src, seconds 180, count 1; reference: url, github.com/Adaptix-Framework/AdaptixC2; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10012898; rev: 1;)
# AdaptixC2 default server reply: a 200 whose body is the JSON
#   {"status": "ok", "data": "<...>", "metrics": "sync"}
# matched as two fragments with distance 0, including the exact ", " / ": "
# spacing the server emits — a re-serialised or minified body would not match.
# nocase is applied to both fragments. threshold limit / track by_src: one alert
# per C2 server per 180 s (src is the server in the from_server direction).
alert http any any -> any any (msg: "TOOLS [PTsecurity] AdaptixC2 default server response"; flow: established, from_server; http.stat_code; content: "200"; http.response_body; content: "|7b 22|status|22 3a 20 22|ok|22 2c 20 22|data|22 3a 20 22|"; nocase; content: "|22 2c 20 22|metrics|22 3a 20 22|sync|22 7d|"; nocase; distance: 0; threshold: type limit, track by_src, seconds 180, count 1; reference: url, github.com/Adaptix-Framework/AdaptixC2; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10012899; rev: 1;)
# Stage 1 of the AdaptixC2-over-HTTPS size fingerprint (no alert, sets a flowbit).
# Looks on the reassembled client stream (only_stream) for a TLS application-data
# record header |17 03 03 01 8a| — i.e. a record with a 0x018a = 394-byte body,
# presumably the encrypted default beacon request — and then asserts with
# isdataat:!394,relative that FEWER than 394 bytes follow the header in the
# inspected chunk.
# NOTE(review): with Suricata's relative isdataat semantics a complete 394-byte
# record followed by nothing has exactly 394 bytes after the header, which makes
# isdataat:394 true and the negation false; as written the rule only matches when
# the record is cut by the stream-chunk boundary. Compare the isdataat:!1,relative
# idiom in sid 10009304. Confirm on captured traffic whether !395 was intended.
# NOTE(review): matching TLS records after the handshake requires
# app-layer.protocols.tls.encryption-handling: full in suricata.yaml; with the
# default setting inspection stops after the handshake and this sid never fires.
alert tcp any any -> any any (msg: "TOOLS [PTsecurity] Possible AdaptixC2 https default activity. Set FB AdaptixC2.agent.https.flag"; flow: established, only_stream, to_server; content: "|17 03 03 01 8a|"; isdataat: !394, relative; flowbits: set, AdaptixC2.agent.https.flag; flowbits: noalert; reference: url, github.com/Adaptix-Framework/AdaptixC2; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10012900; rev: 1;)
# Stage 2 of the AdaptixC2-over-HTTPS size fingerprint: on the server stream, a
# 181-byte application-data record (|17 03 03 00 b5|) followed IMMEDIATELY (distance
# 181 from the end of the header, within 5) by a 19-byte record (|17 03 03 00 13|),
# and then fewer than 19 bytes remaining — presumably the encrypted default reply
# plus a close/alert-sized trailer. Gated on the flowbit from sid 10012900.
# threshold both / 30 per 180 s, track by_src (= the C2 server): it takes thirty
# such reply pairs in three minutes before a single alert is raised, which tunes
# for a short default beacon interval; a slow-sleeping agent will not reach the
# count.
# NOTE(review): same isdataat boundary question as sid 10012900 — a complete
# 19-byte record leaves exactly 19 bytes, so isdataat:!19,relative fails unless
# the chunk is cut; verify against real traffic.
# Also requires TLS encryption-handling: full (see sid 10012900).
alert tcp any any -> any any (msg: "TOOLS [PTsecurity] Possible AdaptixC2 https default activity"; flow: established, only_stream, from_server; content: "|17 03 03 00 b5|"; content: "|17 03 03 00 13|"; distance: 181; within: 5; isdataat: !19, relative; flowbits: isset, AdaptixC2.agent.https.flag; threshold: type both, track by_src, count 30, seconds 180; reference: url, github.com/Adaptix-Framework/AdaptixC2; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10012901; rev: 1;)
# tmate (shared terminal over SSH) — server banner "SSH-..." with "-tmate" inside
# the 15 bytes after the prefix, matched case-insensitively on the first server
# packet. Works because the banner is the first thing the server sends; Suricata
# stops inspecting SSH payload after the key exchange, so nothing later in the
# session is reachable anyway. The ssh.software sticky buffer would express the
# same check without depth/within arithmetic if the rule is ever revised.
# NOTE(review): msg has a typo ("conection"); left as-is because SIEM content
# keyed on the msg string would need updating together with a rev bump.
# Sids 10012968 and 10013586 do the same banner check with "alert tcp" instead of
# "alert ssh"; either works, but the file is inconsistent about it.
alert ssh any any -> any any (msg: "TOOLS [PTsecurity] SSH conection via Tmate tool"; flow: established, from_server; content: "SSH-"; depth: 4; nocase; content: "-tmate"; within: 15; nocase; reference: url, tmate.io; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10012935; rev: 1;)
# cloudflared update check (SNI update.argotunnel.com). Every cloudflared instance
# does this, including sanctioned Cloudflare Zero Trust / Tunnel deployments, so in
# an organisation that uses Cloudflare Tunnel this is inventory, not intrusion —
# baseline the hosts that are allowed to run it. sid 10012941 (quick tunnels) is
# the stronger "someone just exposed something" signal.
# General caveats for the SNI rules 10012940-10013531: SNI is only visible in
# plaintext ClientHello (not with ECH), and content is unanchored — "endswith"
# would stop e.g. "update.argotunnel.com.example" from matching.
alert tls any any -> any any (msg: "TOOLS [PTsecurity] Cloudflared tool Update Request"; flow: established, to_server; tls.sni; content: "update.argotunnel.com"; nocase; reference: url, try.cloudflare.com; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10012940; rev: 1;)
# cloudflared "quick tunnel" start (SNI api.trycloudflare.com — the no-account
# trycloudflare.com service per the reference). Unlike sid 10012940 this is not
# part of a managed deployment: a host reaching it is most likely exposing a local
# service to the internet ad hoc. No threshold, so every new connection alerts.
alert tls any any -> any any (msg: "TOOLS [PTsecurity] Possible Cloudflared tunnel started"; flow: established, to_server; tls.sni; content: "api.trycloudflare.com"; nocase; reference: url, try.cloudflare.com; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10012941; rev: 1;)
# tunnelto.dev reverse tunnel: the client connects to wormhole.tunnelto.dev (SNI)
# to publish a local port. No threshold; each tunnel session alerts once per TLS
# connection. See sid 10012940 for the caveats common to the SNI rules.
alert tls any any -> any any (msg: "TOOLS [PTsecurity] TunnelTo Tunnel Started"; flow: established, to_server; tls.sni; content: "wormhole.tunnelto.dev"; nocase; reference: url, tunnelto.dev; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10012947; rev: 1;)
# Splashtop remote-access traffic (any *.splashtop.com SNI). Splashtop is a
# commercial RMM product; it is abused for persistence but also legitimately
# deployed, so suppress for approved hosts rather than globally. threshold both /
# 3 per 180 s per source reduces the per-session chatter to one alert.
alert tls any any -> any any (msg: "TOOLS [PTsecurity] Splashtop tool activity"; flow: established, to_server; tls.sni; content: ".splashtop.com"; nocase; threshold: type both, track by_src, count 3, seconds 180; reference: url, splashtop.com; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10012956; rev: 2;)
# rclone over plain HTTP, identified by its default User-Agent "rclone/v<version>".
# rclone is the usual exfiltration-to-cloud tool but is also used for backups; the
# destination host and volume decide which. Only cleartext HTTP is covered — the
# common HTTPS case needs the TLS-terminating proxy to expose the UA, or the SSH
# banner rule sid 10012968. threshold limit: 1 per source per 300 s.
alert http any any -> any any (msg: "TOOLS [PTsecurity] RClone tool User-Agent detected"; flow: established, to_server; http.user_agent; content: "rclone/v"; nocase; threshold: type limit, track by_src, count 1, seconds 300; reference: url, github.com/rclone/rclone; reference: url, rclone.org; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10012967; rev: 1;)
# rclone SFTP backend: the client identification banner starts with
# "SSH-2.0-rclone" (depth 14 = the length of that prefix, so it must be at the very
# start of the first client payload). Raw tcp rather than the ssh app-layer, which
# avoids any dependency on protocol detection timing. threshold limit: 1 per
# source per 300 s. Covers the SFTP transport that sid 10012967 (HTTP UA) cannot.
alert tcp any any -> any any (msg: "TOOLS [PTsecurity] RClone tool SSH banner detected"; flow: established, to_server; content: "SSH-2.0-rclone"; depth: 14; nocase; threshold: type limit, track by_src, count 1, seconds 300; reference: url, github.com/rclone/rclone; reference: url, rclone.org; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10012968; rev: 1;)
# loophole.cloud tunnelling client talking to its API (SNI api.loophole.cloud).
# threshold limit: 1 per source per 300 s. See sid 10012940 for SNI caveats.
alert tls any any -> any any (msg: "TOOLS [PTsecurity] loophole tunneling tool TLS request"; flow: established, to_server; tls.sni; content: "api.loophole.cloud"; nocase; threshold: type limit, track by_src, count 1, seconds 300; reference: url, loophole.cloud; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10012975; rev: 1;)
# Telebit tunnel: any *.telebit.io SNI (leading dot excludes the apex). The
# reference points at telebit.cloud while the SNI is under .telebit.io — both
# appear to belong to the same service, but verify before widening or narrowing.
# threshold limit: 1 per source per 300 s (keyword order inside threshold is
# irrelevant). See sid 10012940 for SNI caveats.
alert tls any any -> any any (msg: "TOOLS [PTsecurity] Telebit tunnel TLS request"; flow: established, to_server; tls.sni; content: ".telebit.io"; nocase; threshold: type limit, track by_src, seconds 300, count 1; reference: url, telebit.cloud; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10012989; rev: 1;)
# Staqlab tunnel client contacting tunnel-api.staqlab.com (SNI). threshold limit:
# 1 per source per 300 s. See sid 10012940 for SNI caveats.
alert tls any any -> any any (msg: "TOOLS [PTsecurity] Staqlab Tunnel TLS request"; flow: established, to_server; tls.sni; content: "tunnel-api.staqlab.com"; nocase; threshold: type limit, track by_src, seconds 300, count 1; reference: url, tunnel.staqlab.com; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10013531; rev: 1;)
# Pinggy SSH-based tunnel: server banner "SSH-" followed within 19 bytes by
# "-Pinggy.IO" (case-insensitive), e.g. "SSH-2.0-Pinggy.IO". from_server, so the
# alert names the tunnel endpoint as the source; the internal host that opened the
# tunnel is the destination. Raw tcp like sid 10012968 (tmate, sid 10012935, uses
# "alert ssh" for the same kind of check). No threshold: one alert per session.
alert tcp any any -> any any (msg: "TOOLS [PTsecurity] Pinggy Tunnel"; flow: established, from_server; content: "SSH-"; depth: 4; nocase; content: "-Pinggy.IO"; within: 19; nocase; reference: url, pinggy.io; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10013586; rev: 1;)