# RDP client fingerprint (xfreerdp / vinagre / remmina, per msg). Packet-level rule
# (no_stream) on client->server TCP payloads that begin with a TPKT header (03 00),
# carry the "Duca" marker, skip the 2 bytes that follow it, and then walk the
# little-endian 2-byte-type / 2-byte-length blocks in this exact order:
# 0xC001, then 0xC004, then 0xC002. These look like the MS-RDPBCGR TS_UD_HEADER
# types CS_CORE / CS_CLUSTER / CS_SECURITY — confirm against the spec; the block
# order is itself part of the fingerprint. Each byte_jump reads the block length
# and uses post_offset -4 to compensate for the 4-byte type+length header that was
# already consumed. The final byte_extract + isdataat:!LEN requires the packet to
# end at (or within a few bytes of) the end of the 0xC002 block, i.e. no further
# block follows it — which is what separates this from sid 10005952, which expects
# a 0xC003 block next.
# Tuning: classtype policy-violation with any -> any, so it fires on every
# connection from these clients, including legitimate admin use; scope the
# source/destination to your environment before treating it as an alert.
alert tcp any any -> any any (msg: "TOOLS [PTsecurity] xfreerdp/vinagre/remmina RDP client"; flow: established, to_server, no_stream; content: "|03 00|"; depth: 2; content: "Duca"; distance: 0; content: "|01 C0|"; distance: 2; within: 2; byte_jump: 2, 0, relative, little, post_offset -4; content: "|04 C0|"; within: 2; byte_jump: 2, 0, relative, little, post_offset -4; content: "|02 C0|"; within: 2; byte_extract: 2, 0, CLIENTNETWORKDATALEN, relative, little; isdataat: !CLIENTNETWORKDATALEN, relative; reference: url, rules.ptsecurity.com; classtype: policy-violation; sid: 10005928; rev: 3;)

# RDP client fingerprint (xfreerdp / remmina, per msg) — the variant of sid 10005928
# for clients that also send a 0xC003 block. Same TPKT + "Duca" prefix and the same
# little-endian type/length walk (0xC001 -> 0xC004 -> 0xC002), then a 0xC003 block
# whose length is extracted and bounded with isdataat:!LEN so the packet ends with
# it. The block types look like MS-RDPBCGR CS_CORE / CS_CLUSTER / CS_SECURITY /
# CS_NET — confirm against the spec.
# The pcre (/R = relative to the 0xC003 length field) then matches the channel
# list: 4 bytes (presumably the channel count), followed by channel definitions
# that are each 12 bytes — the .{5}/.{7}/.{6} paddings after "cliprdr", "drdynvc",
# "rdpdr" and "rdpsnd" are consistent with an 8-byte name plus 4-byte options.
# Accepted channel sets: cliprdr alone; drdynvc alone; or rdpdr + rdpsnd optionally
# followed by drdynvc or cliprdr. Anything else (a client with extra channels) is
# not matched by this rule.
# Tuning: policy-violation, any -> any; fires on every connection from these
# clients, so scope it to your environment before alerting on it.
alert tcp any any -> any any (msg: "TOOLS [PTsecurity] xfreerdp/remmina RDP client"; flow: established, to_server, no_stream; content: "|03 00|"; depth: 2; content: "Duca"; distance: 0; content: "|01 C0|"; distance: 2; within: 2; byte_jump: 2, 0, relative, little, post_offset -4; content: "|04 C0|"; within: 2; byte_jump: 2, 0, relative, little, post_offset -4; content: "|02 C0|"; within: 2; byte_jump: 2, 0, relative, little, post_offset -4; content: "|03 C0|"; within: 2; byte_extract: 2, 0, CLIENTNETWORKDATALEN, relative, little; isdataat: !CLIENTNETWORKDATALEN, relative; pcre: "/(?:^.{4}cliprdr.{5}$|^.{4}drdynvc.{5}$|^.{4}rdpdr.{7}rdpsnd.{6}(?:drdynvc.{5}$|cliprdr|$))/R"; reference: url, rules.ptsecurity.com; classtype: policy-violation; sid: 10005952; rev: 3;)

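# Burp Suite activity: DNS resolution of polling.portswigger.net (the host named in
# the msg). any -> any, so it fires for every client that resolves the name,
# including authorized testers running Burp — tune by source or pair with an
# allow-list of assessment hosts. Unanchored: a longer name containing the string
# also matches.
# Review change: `nocase` added. Suricata matches dns_query as sent on the wire, and
# DNS names are case-insensitive, so a mixed-case query (e.g. 0x20 case
# randomization, or a deliberate "PoLLing.PortSwigger.net") resolves identically
# but slipped past the case-sensitive content. rev bumped for the change.
alert dns any any -> any any (msg: "TOOLS [PTsecurity] Burp Suite tool activity. polling.portswigger.net resolve"; dns_query; content: "polling.portswigger.net"; nocase; reference: url, rules.ptsecurity.com; classtype: bad-unknown; sid: 10006023; rev: 4;)
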
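# Burp Suite activity: DNS resolution of burpcollaborator.net (the host named in
# the msg). any -> any and unanchored: matches any query containing the string
# (subdomains included), from any client — including authorized testers. Note that
# a Collaborator lookup can also be triggered on a victim host by an injected
# payload, so the querying host is not necessarily the one running Burp.
# Review change: `nocase` added — dns_query is matched as sent on the wire and DNS
# names are case-insensitive, so a mixed-case query evaded the case-sensitive
# content while resolving identically. rev bumped for the change.
alert dns any any -> any any (msg: "TOOLS [PTsecurity] Burp Suite tool activity. burpcollaborator.net resolve"; dns_query; content: "burpcollaborator.net"; nocase; reference: url, rules.ptsecurity.com; classtype: bad-unknown; sid: 10006024; rev: 4;)
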
# croc (schollz/croc) file-transfer tool, TCP. Matches client->server payloads that
# start with the literal "croc" (depth 4) followed by a fixed non-null / null byte
# layout in the first 8 bytes. A 4-byte prefix is a weak indicator on its own, so
# the threshold (type both, by_src, 10 in 120 s) only raises one alert per source
# per 120 s and only once 10 matching packets have been seen in that window; keep
# the threshold if you lower the count. The byte layout presumably mirrors croc's
# framing — confirm against the referenced repository before adjusting offsets.
# any -> any: scope to your environment as needed.
alert tcp any any -> any any (msg: "TOOLS [PTsecurity] Croc file transfer tool activity"; flow: established, to_server; content: "croc"; depth: 4; content: !"|00|"; within: 1; content: "|00 00|"; distance: 2; within: 2; threshold: type both, track by_src, count 10, seconds 120; reference: url, github.com/schollz/croc; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10011012; rev: 1;)

# croc local peer discovery (UDP multicast, per msg). Matches any 8-byte UDP
# datagram (dsize 8) that contains "croc90" anywhere in those 8 bytes; the rule
# does not check the destination address itself, so it is not limited to
# multicast on the wire. Rate-limited to one alert per source per 120 s
# (threshold type limit). What "croc90" encodes is not stated here — presumably
# a tool/version marker; confirm against the referenced repository.
alert udp any any -> any any (msg: "TOOLS [PTsecurity] Croc file transfer tool activity (UDP multicast)"; content: "croc90"; dsize: 8; threshold: type limit, track by_src, count 1, seconds 120; reference: url, rules.ptsecurity.com; reference: url, github.com/schollz/croc; classtype: attempted-admin; sid: 10011013; rev: 1;)

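# croc relay domain resolution. Matches DNS queries for croc.schollz.com, or "croc"
# plus one extra character before .schollz.com (e.g. a numbered relay), anchored
# with ^ and $ so longer names do not match. The two content keywords are
# prefilters; the pcre does the exact check.
# Review change: `nocase` added to both contents and /i to the pcre. dns_query is
# matched as sent on the wire and DNS names are case-insensitive, so a mixed-case
# query for the same relay host evaded the case-sensitive pattern. rev bumped for
# the change.
alert dns any any -> any any (msg: "TOOLS [PTsecurity] Croc file transfer tool domain resolve"; dns_query; content: "croc"; nocase; content: "schollz.com"; nocase; pcre: "/^croc.?\.schollz\.com$/i"; reference: url, rules.ptsecurity.com; reference: url, github.com/schollz/croc; classtype: attempted-admin; sid: 10011014; rev: 2;)
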
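# croc download host: DNS resolution of getcroc.schollz.com (the install/download
# name per msg). Unanchored, so a longer name containing the string also matches.
# Pairs with sid 10011016, which catches the same host in the TLS SNI.
# Review change: `nocase` added — dns_query is matched as sent on the wire and DNS
# names are case-insensitive, so a mixed-case query evaded the case-sensitive
# content. rev bumped for the change.
alert dns any any -> any any (msg: "TOOLS [PTsecurity] getCroc domain resolve (file transfer tool download)"; dns_query; content: "getcroc.schollz.com"; nocase; reference: url, rules.ptsecurity.com; reference: url, github.com/schollz/croc; classtype: attempted-admin; sid: 10011015; rev: 2;)
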
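# croc download over TLS: matches a ClientHello whose SNI contains
# getcroc.schollz.com. Complements the DNS rule (sid 10011015) for hosts that
# resolve through a path the sensor does not see.
# Review change: `nocase` added. tls_sni is matched as sent; hostnames are
# case-insensitive and servers generally compare SNI that way, so a client sending
# a mixed-case SNI reached the same host while evading the case-sensitive content.
# rev bumped for the change.
alert tls any any -> any any (msg: "TOOLS [PTsecurity] Croc file transfer tool download"; tls_sni; content: "getcroc.schollz.com"; nocase; reference: url, rules.ptsecurity.com; reference: url, github.com/schollz/croc; classtype: attempted-admin; sid: 10011016; rev: 2;)
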
# gsocket client-side handshake packet. Packet-level rule (no_stream) restricted to
# the start of a flow: the packet is exactly 128 bytes (dsize), sent to_server
# while the client has sent fewer than 500 and the server fewer than 100 bytes in
# total (stream_size). Layout checked: first byte 0x02; no null in the next two
# bytes; a run of 28 zero bytes; then 16 bytes that are NOT all zero (negated
# content); then zero regions, with isdataat:!1 pinning the end of the packet.
# The layout presumably mirrors the gsocket handshake structure (see gsocket.io) —
# confirm against the protocol before adjusting offsets.
# Both this rule and the "server" rule (sid 10009305) inspect to_server packets;
# that is consistent with both gsocket ends connecting outbound to the relay, but
# verify. any -> any: consider scoping to $HOME_NET -> $EXTERNAL_NET.
alert tcp any any -> any any (msg: "TOOLS [PTsecurity] gsocket client activity"; flow: to_server, established, no_stream; dsize: 128; stream_size: client, <, 500; stream_size: server, <, 100; content: "|02|"; depth: 1; offset: 0; content: !"|00|"; within: 2; content: "|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance: 3; within: 28; content: !"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within: 16; content: "|00 00 00 00|"; distance: 16; within: 4; content: "|00 00 00 00|"; isdataat: !1, relative; reference: url, gsocket.io; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10009304; rev: 4;)

# gsocket server-side handshake packet — the counterpart of sid 10009304. Same
# flow constraints (no_stream, 128-byte packet, to_server, client < 500 and
# server < 100 bytes so far). Layout checked: first byte 0x01; no null in the next
# two bytes; a run of 12 zero bytes (used as fast_pattern); then two consecutive
# 16-byte regions that are each NOT all zero (negated contents); then zero regions,
# with isdataat:!1 pinning the end of the packet. The layout presumably mirrors
# the gsocket handshake structure (see gsocket.io) — confirm against the protocol
# before adjusting offsets.
# Note the flow direction is to_server even though the msg says "server": both
# gsocket ends appear to connect outbound to the relay, but verify. any -> any:
# consider scoping to $HOME_NET -> $EXTERNAL_NET.
alert tcp any any -> any any (msg: "TOOLS [PTsecurity] gsocket server activity"; flow: to_server, established, no_stream; dsize: 128; stream_size: client, <, 500; stream_size: server, <, 100; content: "|01|"; depth: 1; offset: 0; content: !"|00|"; within: 2; content: "|00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern; distance: 3; within: 12; content: !"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within: 16; content: !"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance: 16; within: 16; content: "|00 00 00 00|"; distance: 32; within: 4; content: "|00 00 00 00|"; isdataat: !1, relative; reference: url, rules.ptsecurity.com; reference: url, gsocket.io; classtype: attempted-admin; sid: 10009305; rev: 5;)

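# gsocket relay domain: DNS resolution of any host under gs.thc.org (the leading
# dot keeps the bare apex from matching; the content is otherwise unanchored).
# Catches the name lookup that precedes the relay connection the packet rules
# (sid 10009304/10009305) look for. any -> any: scope as needed.
# Review change: `nocase` added — dns_query is matched as sent on the wire and DNS
# names are case-insensitive, so a mixed-case query evaded the case-sensitive
# content. rev bumped for the change.
alert dns any any -> any any (msg: "TOOLS [PTsecurity] .gs.thc.org domain resolve. Probably gsocket activity"; dns_query; content: ".gs.thc.org"; nocase; reference: url, rules.ptsecurity.com; reference: url, gsocket.io; classtype: attempted-admin; sid: 10009306; rev: 2;)
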
# Empire HTTP agent request (signature derived from the referenced hybrid-analysis
# sample). Matches a POST whose raw request, within the first 1000 bytes, contains
# "HTTP/1.1\r\nCookie: session=" followed at least 27 bytes later by
# "=\r\nUser-Agent: " (presumably a base64-padded session cookie), then a Host
# header and exactly "Content-Length: 462\r\n", with neither a Referer nor a
# Content-Type header in the normalized header buffer.
# Tuning notes: the Cookie / User-Agent / Host / Content-Length contents are
# raw-payload matches (no http_* modifier), so they bypass HTTP normalization and
# require the literal "HTTP/1.1" request line and exact header casing; the fixed
# Content-Length of 462 is tied to that sample's payload size and is brittle
# against a different agent build. Treat this as a high-confidence but narrow
# indicator. Scoped $HOME_NET -> $EXTERNAL_NET.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "TOOLS [PTsecurity] Empire Request"; flow: established, to_server; content: "POST"; http_method; content: "HTTP/1.1|0d0a|Cookie: session="; depth: 1000; fast_pattern; content: "=|0d0a|User-Agent: "; distance: 27; within: 400; content: "Host: "; within: 400; content: "Content-Length: 462|0d0a|"; within: 400; content: !"Referer|3a|"; http_header; content: !"Content-Type: "; http_header; reference: url, https://www.hybrid-analysis.com/sample/52404b26bb9fe6e27ea3efbcbfd66712d33ab5b7f62c27fb823c430eccb12cb3/?environmentId=100; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10002268; rev: 10;)

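# Empire stager delivery (referenced hybrid-analysis sample): an HTTP 200 whose
# response body carries the PowerShell prologue
# "If($PSVersionTable.PSVersion.Major -ge 3){" within the first 1000 bytes,
# followed within 100 bytes by "$GPS=[ref].Assembly.GetType(" and then
# "System.Management.Automation.Utils". This looks like the stager's Group Policy /
# script-block-logging settings tampering prologue — confirm against the sample.
# Scoped $EXTERNAL_NET -> $HOME_NET.
# Review change: `nocase` added to the third content so all three match
# case-insensitively, as the first two already did. PowerShell type names are
# case-insensitive, so a recased stager ("system.management.automation.utils")
# still ran but slipped the last match. rev bumped for the change.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg: "TOOLS [PTsecurity] Empire"; flow: established, to_client; content: "200"; http_stat_code; content: "If($PSVersionTable.PSVersion.Major -ge 3){"; http_server_body; nocase; depth: 1000; content: "$GPS=[ref].Assembly.GetType("; http_server_body; nocase; within: 100; content: "System.Management.Automation.Utils"; http_server_body; nocase; within: 100; reference: url, https://www.hybrid-analysis.com/sample/cbf244479304572782de8ab375671da632012777c7bcf0b0e252958bff03dca4/?environmentId=100; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10002269; rev: 8;)
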
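# Cobalt Strike Beacon HTTP check-in, as profiled in the referenced VirusTotal
# sample: a POST to a URI containing "/uploads/" followed by ".jpg?timestamp=",
# with "Accept-Encoding: gzip", "User-Agent: ixwebsocket", "windows ssl" and a
# form-urlencoded Content-Type in the header buffer. Every header value is a
# literal from that sample's malleable profile, so a different profile evades it;
# treat this as a profile-specific indicator, not generic Beacon detection.
# Review change: the original `content: "POST"` came before the first sticky
# buffer and was therefore searched in the raw payload (anywhere in the request,
# including the body) rather than compared with the method; it is now bound to
# http.method, which the file's Suricata version supports since it already uses
# http.uri / http.header. rev bumped for the change.
# NOTE(review): the msg is prefixed "SHELL" while the rest of this file uses
# "TOOLS"; left unchanged because downstream correlation may key on msg text.
alert http any any -> any any (msg: "SHELL [PTsecurity] CobaltStrike"; flow: established, to_server; http.method; content: "POST"; http.uri; content: "/uploads/"; content: ".jpg?timestamp="; distance: 0; http.header; content: "Accept-Encoding: gzip"; content: "User-Agent: ixwebsocket"; content: "windows ssl"; content: "Content-Type: application/x-www-form-urlencoded"; reference: url, https://www.virustotal.com/gui/file/bd3e5af30087dc60849da000412fb719825c7e06e4f75639b95f188407d26f96/detection; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011361; rev: 3;)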