topic How to stop MortiAgent Malware using the snort rule ? in Custom Signatures https://live.paloaltonetworks.com/t5/custom-signatures/how-to-stop-mortiagent-malware-using-the-snort-rule/m-p/326590#M347 <P><FONT face="verdana,geneva" size="2">I want to stop the MortiAgent malware by applying /using snort rule &amp; also using yara rule?</FONT></P><P>&nbsp;</P><P><FONT face="verdana,geneva" size="2">How to configure this in Palo alto ?</FONT></P><P>&nbsp;</P><P><FONT face="verdana,geneva" size="2">Below are snort &amp; Yara Rules:</FONT></P><P>&nbsp;</P><P><FONT face="verdana,geneva" size="2">1. The below SNORT rule can be used to detect the MoriAgent Beacon.</FONT><BR /><FONT face="verdana,geneva" size="2">alert tcp $HOME_NET any -&gt; $EXTERNAL_NET $HTTP_PORTS (msg:" MoriAgent Beacon</FONT><BR /><FONT face="verdana,geneva" size="2">HTTP Request"; content:"/Index.php?i="; depth:200; content:"&amp;t="; within:64;</FONT><BR /><FONT face="verdana,geneva" size="2">content:"HTTP/1.1"; within:64; content:"Content-Type: application/json"; within:32;</FONT><BR /><FONT face="verdana,geneva" size="2">content:"Content-Length: 0"; within:90; threshold:type limit,track by_src,count</FONT><BR /><FONT face="verdana,geneva" size="2">1,seconds 120; sid:1000001; rev:001;)</FONT></P><P><FONT face="verdana,geneva" size="2">2. Below are YARA rules to detect POWERSTATS.</FONT><BR /><FONT face="verdana,geneva" size="2">YARA rule to detect the substitution table used in PowerShell code.</FONT><BR /><FONT face="verdana,geneva" size="2">rule SubstitutionTable_in_PowerShell {</FONT><BR /><FONT face="verdana,geneva" size="2">meta:</FONT><BR /><FONT face="verdana,geneva" size="2">description = "Detect the substitution table used in PowerShell code (2019-2020)"</FONT><BR /><FONT face="verdana,geneva" size="2">hash = "A18016AF1E9ACDA5963112EE8BEEB28B"</FONT><BR /><FONT face="verdana,geneva" size="2">strings:</FONT><BR /><FONT face="verdana,geneva" size="2">$a1 = "Replace('(','a'"</FONT><BR /><FONT face="verdana,geneva" size="2">$a2 = "Replace(')','b'"</FONT><BR /><FONT face="verdana,geneva" size="2">$a3 = "Replace('{','c'"</FONT><BR /><FONT face="verdana,geneva" size="2">$a4 = "Replace('}','d'"</FONT><BR /><FONT face="verdana,geneva" size="2">$a5 = "Replace('[','e'"</FONT><BR /><FONT face="verdana,geneva" size="2">$a6 = "Replace(']','f'"</FONT><BR /><FONT face="verdana,geneva" size="2">condition:</FONT><BR /><FONT face="verdana,geneva" size="2">$a1 and</FONT><BR /><FONT face="verdana,geneva" size="2">$a2 in (@a1..@a1+200) and</FONT><BR /><FONT face="verdana,geneva" size="2">$a3 in (@a1..@a1+200) and</FONT><BR /><FONT face="verdana,geneva" size="2">$a4 in (@a1..@a1+200) and</FONT><BR /><FONT face="verdana,geneva" size="2">$a5 in (@a1..@a1+200) and</FONT><BR /><FONT face="verdana,geneva" size="2">$a6 in (@a1..@a1+200) and</FONT><BR /><FONT face="verdana,geneva" size="2">filesize &lt; 100000</FONT><BR /><FONT face="verdana,geneva" size="2">}</FONT><BR /><FONT face="verdana,geneva" size="2">YARA rule to detect PowerStats backdoor.</FONT><BR /><FONT face="verdana,geneva" size="2">rule POWERSTATS_JscriptLauncher {</FONT><BR /><FONT face="verdana,geneva" size="2">meta:</FONT><BR /><FONT face="verdana,geneva" size="2">description = "POWERSTATS Jscript Launcher"</FONT><BR /><FONT face="verdana,geneva" size="2">hash = "6C97A39A7FFC292BAF8BE1391FCE7DA0"</FONT><BR /><FONT face="verdana,geneva" size="2">strings:</FONT><BR /><FONT face="verdana,geneva" size="2">$a1 = "$s=(get-content"</FONT><BR /><FONT face="verdana,geneva" size="2">$a2 = "Get('Win32_Process').Create(cm"</FONT><BR /><FONT face="verdana,geneva" size="2">$a3 = "var cm="</FONT><BR /><FONT face="verdana,geneva" size="2">condition:</FONT><BR /><FONT face="verdana,geneva" size="2">all of them and filesize &lt; 600</FONT><BR /><FONT face="verdana,geneva" size="2">}</FONT></P><P><BR /><FONT face="verdana,geneva" size="2">YARA rule to detect PowerStats de-obfuscated</FONT><BR /><FONT face="verdana,geneva" size="2">rule POWERSTATSLite {</FONT><BR /><FONT face="verdana,geneva" size="2">meta:</FONT><BR /><FONT face="verdana,geneva" size="2">hash = "A18016AF1E9ACDA5963112EE8BEEB28B"</FONT><BR /><FONT face="verdana,geneva" size="2">strings:</FONT><BR /><FONT face="verdana,geneva" size="2">$a1 = "$global:key"</FONT><BR /><FONT face="verdana,geneva" size="2">$a2 = "$global:time"</FONT><BR /><FONT face="verdana,geneva" size="2">$a3 = "webreq = [System.Net.WebRequest]::Create($url)"</FONT><BR /><FONT face="verdana,geneva" size="2">condition:</FONT><BR /><FONT face="verdana,geneva" size="2">all of them and filesize &lt; 3000</FONT><BR /><FONT face="verdana,geneva" size="2">}</FONT></P><P><FONT face="verdana,geneva" size="2">YARA rule to detect MoriAgent implant</FONT><BR /><FONT face="verdana,geneva" size="2">rule MoriAgent {</FONT><BR /><FONT face="verdana,geneva" size="2">meta:</FONT><BR /><FONT face="verdana,geneva" size="2">description = "C++ MuddyWater implant"</FONT><BR /><FONT face="verdana,geneva" size="2">hash = "12755B210EC1171045144480ACD05AA8"</FONT><BR /><FONT face="verdana,geneva" size="2">strings:</FONT><BR /><FONT face="verdana,geneva" size="2">$f1 = "|x7d873iqq" ascii fullword</FONT><BR /><FONT face="verdana,geneva" size="2">$f2 = "ljyfiiwnskt" ascii fullword</FONT><BR /><FONT face="verdana,geneva" size="2">$f3 = "htssjhy" ascii fullword</FONT><BR /><FONT face="verdana,geneva" size="2">$f4 = "kwjjfiiwnskt" ascii fullword</FONT><BR /><FONT face="verdana,geneva" size="2">$f5 = "hqtxjxthpjy" ascii fullword</FONT><BR /><FONT face="verdana,geneva" size="2">$f6 = "\\XFXyfwyzu" ascii fullword</FONT><BR /><FONT face="verdana,geneva" size="2">$f7 = "\\XFHqjfszu" ascii fullword</FONT><BR /><FONT face="verdana,geneva" size="2">$f8 = "ZmilXzwkm{{Umuwz" ascii fullword</FONT><BR /><FONT face="verdana,geneva" size="2">$f9 = "^qz|}itXzw|mk|" ascii fullword</FONT><BR /><FONT face="verdana,geneva" size="2">$f10 = "_zq|mXzwkm{{Umuwz" ascii fullword</FONT><BR /><FONT face="verdana,geneva" size="2">$content = "Content-Type: application/json" ascii fullword</FONT><BR /><FONT face="verdana,geneva" size="2">condition:</FONT><BR /><FONT face="verdana,geneva" size="2">uint16(0) == 0x5A4D and filesize &lt; 2MB and</FONT><BR /><FONT face="verdana,geneva" size="2">$content and 5 of ($f*)</FONT><BR /><FONT face="verdana,geneva" size="2">}</FONT></P><P><BR /><FONT face="verdana,geneva" size="2">YARA rule to detect PowerStats Implants</FONT><BR /><FONT face="verdana,geneva" size="2">rule POWERSTATS_Implants</FONT><BR /><FONT face="verdana,geneva" size="2">{ meta:</FONT><BR /><FONT face="verdana,geneva" size="2">description = "Detects all POWERSTATS implants"</FONT><BR /><FONT face="verdana,geneva" size="2">hash = "A18016AF1E9ACDA5963112EE8BEEB28B"</FONT><BR /><FONT face="verdana,geneva" size="2">hash = "409558610BE62655FBA0B1F93F2D9596" hash =</FONT><BR /><FONT face="verdana,geneva" size="2">"DD32B95F865374C31A1377E31FA79E87" strings:</FONT><BR /><FONT face="verdana,geneva" size="2">$a1 = "if ($resp -ne $null){"</FONT><BR /><FONT face="verdana,geneva" size="2">$a2 = "out = $_.Exception.Message"</FONT><BR /><FONT face="verdana,geneva" size="2">$a3 = "IEX $cmd -ErrorAction SilentlyContinue"</FONT><BR /><FONT face="verdana,geneva" size="2">condition:</FONT><BR /><FONT face="verdana,geneva" size="2">all of them and filesize &lt; 50000</FONT><BR /><FONT face="verdana,geneva" size="2">}</FONT></P> Thu, 07 May 2020 08:04:19 GMT Mohammed_Yasin 2020-05-07T08:04:19Z How to stop MortiAgent Malware using the snort rule ? https://live.paloaltonetworks.com/t5/custom-signatures/how-to-stop-mortiagent-malware-using-the-snort-rule/m-p/326590#M347 <P><FONT face="verdana,geneva" size="2">I want to stop the MortiAgent malware by applying /using snort rule &amp; also using yara rule?</FONT></P><P>&nbsp;</P><P><FONT face="verdana,geneva" size="2">How to configure this in Palo alto ?</FONT></P><P>&nbsp;</P><P><FONT face="verdana,geneva" size="2">Below are snort &amp; Yara Rules:</FONT></P><P>&nbsp;</P><P><FONT face="verdana,geneva" size="2">1. The below SNORT rule can be used to detect the MoriAgent Beacon.</FONT><BR /><FONT face="verdana,geneva" size="2">alert tcp $HOME_NET any -&gt; $EXTERNAL_NET $HTTP_PORTS (msg:" MoriAgent Beacon</FONT><BR /><FONT face="verdana,geneva" size="2">HTTP Request"; content:"/Index.php?i="; depth:200; content:"&amp;t="; within:64;</FONT><BR /><FONT face="verdana,geneva" size="2">content:"HTTP/1.1"; within:64; content:"Content-Type: application/json"; within:32;</FONT><BR /><FONT face="verdana,geneva" size="2">content:"Content-Length: 0"; within:90; threshold:type limit,track by_src,count</FONT><BR /><FONT face="verdana,geneva" size="2">1,seconds 120; sid:1000001; rev:001;)</FONT></P><P><FONT face="verdana,geneva" size="2">2. Below are YARA rules to detect POWERSTATS.</FONT><BR /><FONT face="verdana,geneva" size="2">YARA rule to detect the substitution table used in PowerShell code.</FONT><BR /><FONT face="verdana,geneva" size="2">rule SubstitutionTable_in_PowerShell {</FONT><BR /><FONT face="verdana,geneva" size="2">meta:</FONT><BR /><FONT face="verdana,geneva" size="2">description = "Detect the substitution table used in PowerShell code (2019-2020)"</FONT><BR /><FONT face="verdana,geneva" size="2">hash = "A18016AF1E9ACDA5963112EE8BEEB28B"</FONT><BR /><FONT face="verdana,geneva" size="2">strings:</FONT><BR /><FONT face="verdana,geneva" size="2">$a1 = "Replace('(','a'"</FONT><BR /><FONT face="verdana,geneva" size="2">$a2 = "Replace(')','b'"</FONT><BR /><FONT face="verdana,geneva" size="2">$a3 = "Replace('{','c'"</FONT><BR /><FONT face="verdana,geneva" size="2">$a4 = "Replace('}','d'"</FONT><BR /><FONT face="verdana,geneva" size="2">$a5 = "Replace('[','e'"</FONT><BR /><FONT face="verdana,geneva" size="2">$a6 = "Replace(']','f'"</FONT><BR /><FONT face="verdana,geneva" size="2">condition:</FONT><BR /><FONT face="verdana,geneva" size="2">$a1 and</FONT><BR /><FONT face="verdana,geneva" size="2">$a2 in (@a1..@a1+200) and</FONT><BR /><FONT face="verdana,geneva" size="2">$a3 in (@a1..@a1+200) and</FONT><BR /><FONT face="verdana,geneva" size="2">$a4 in (@a1..@a1+200) and</FONT><BR /><FONT face="verdana,geneva" size="2">$a5 in (@a1..@a1+200) and</FONT><BR /><FONT face="verdana,geneva" size="2">$a6 in (@a1..@a1+200) and</FONT><BR /><FONT face="verdana,geneva" size="2">filesize &lt; 100000</FONT><BR /><FONT face="verdana,geneva" size="2">}</FONT><BR /><FONT face="verdana,geneva" size="2">YARA rule to detect PowerStats backdoor.</FONT><BR /><FONT face="verdana,geneva" size="2">rule POWERSTATS_JscriptLauncher {</FONT><BR /><FONT face="verdana,geneva" size="2">meta:</FONT><BR /><FONT face="verdana,geneva" size="2">description = "POWERSTATS Jscript Launcher"</FONT><BR /><FONT face="verdana,geneva" size="2">hash = "6C97A39A7FFC292BAF8BE1391FCE7DA0"</FONT><BR /><FONT face="verdana,geneva" size="2">strings:</FONT><BR /><FONT face="verdana,geneva" size="2">$a1 = "$s=(get-content"</FONT><BR /><FONT face="verdana,geneva" size="2">$a2 = "Get('Win32_Process').Create(cm"</FONT><BR /><FONT face="verdana,geneva" size="2">$a3 = "var cm="</FONT><BR /><FONT face="verdana,geneva" size="2">condition:</FONT><BR /><FONT face="verdana,geneva" size="2">all of them and filesize &lt; 600</FONT><BR /><FONT face="verdana,geneva" size="2">}</FONT></P><P><BR /><FONT face="verdana,geneva" size="2">YARA rule to detect PowerStats de-obfuscated</FONT><BR /><FONT face="verdana,geneva" size="2">rule POWERSTATSLite {</FONT><BR /><FONT face="verdana,geneva" size="2">meta:</FONT><BR /><FONT face="verdana,geneva" size="2">hash = "A18016AF1E9ACDA5963112EE8BEEB28B"</FONT><BR /><FONT face="verdana,geneva" size="2">strings:</FONT><BR /><FONT face="verdana,geneva" size="2">$a1 = "$global:key"</FONT><BR /><FONT face="verdana,geneva" size="2">$a2 = "$global:time"</FONT><BR /><FONT face="verdana,geneva" size="2">$a3 = "webreq = [System.Net.WebRequest]::Create($url)"</FONT><BR /><FONT face="verdana,geneva" size="2">condition:</FONT><BR /><FONT face="verdana,geneva" size="2">all of them and filesize &lt; 3000</FONT><BR /><FONT face="verdana,geneva" size="2">}</FONT></P><P><FONT face="verdana,geneva" size="2">YARA rule to detect MoriAgent implant</FONT><BR /><FONT face="verdana,geneva" size="2">rule MoriAgent {</FONT><BR /><FONT face="verdana,geneva" size="2">meta:</FONT><BR /><FONT face="verdana,geneva" size="2">description = "C++ MuddyWater implant"</FONT><BR /><FONT face="verdana,geneva" size="2">hash = "12755B210EC1171045144480ACD05AA8"</FONT><BR /><FONT face="verdana,geneva" size="2">strings:</FONT><BR /><FONT face="verdana,geneva" size="2">$f1 = "|x7d873iqq" ascii fullword</FONT><BR /><FONT face="verdana,geneva" size="2">$f2 = "ljyfiiwnskt" ascii fullword</FONT><BR /><FONT face="verdana,geneva" size="2">$f3 = "htssjhy" ascii fullword</FONT><BR /><FONT face="verdana,geneva" size="2">$f4 = "kwjjfiiwnskt" ascii fullword</FONT><BR /><FONT face="verdana,geneva" size="2">$f5 = "hqtxjxthpjy" ascii fullword</FONT><BR /><FONT face="verdana,geneva" size="2">$f6 = "\\XFXyfwyzu" ascii fullword</FONT><BR /><FONT face="verdana,geneva" size="2">$f7 = "\\XFHqjfszu" ascii fullword</FONT><BR /><FONT face="verdana,geneva" size="2">$f8 = "ZmilXzwkm{{Umuwz" ascii fullword</FONT><BR /><FONT face="verdana,geneva" size="2">$f9 = "^qz|}itXzw|mk|" ascii fullword</FONT><BR /><FONT face="verdana,geneva" size="2">$f10 = "_zq|mXzwkm{{Umuwz" ascii fullword</FONT><BR /><FONT face="verdana,geneva" size="2">$content = "Content-Type: application/json" ascii fullword</FONT><BR /><FONT face="verdana,geneva" size="2">condition:</FONT><BR /><FONT face="verdana,geneva" size="2">uint16(0) == 0x5A4D and filesize &lt; 2MB and</FONT><BR /><FONT face="verdana,geneva" size="2">$content and 5 of ($f*)</FONT><BR /><FONT face="verdana,geneva" size="2">}</FONT></P><P><BR /><FONT face="verdana,geneva" size="2">YARA rule to detect PowerStats Implants</FONT><BR /><FONT face="verdana,geneva" size="2">rule POWERSTATS_Implants</FONT><BR /><FONT face="verdana,geneva" size="2">{ meta:</FONT><BR /><FONT face="verdana,geneva" size="2">description = "Detects all POWERSTATS implants"</FONT><BR /><FONT face="verdana,geneva" size="2">hash = "A18016AF1E9ACDA5963112EE8BEEB28B"</FONT><BR /><FONT face="verdana,geneva" size="2">hash = "409558610BE62655FBA0B1F93F2D9596" hash =</FONT><BR /><FONT face="verdana,geneva" size="2">"DD32B95F865374C31A1377E31FA79E87" strings:</FONT><BR /><FONT face="verdana,geneva" size="2">$a1 = "if ($resp -ne $null){"</FONT><BR /><FONT face="verdana,geneva" size="2">$a2 = "out = $_.Exception.Message"</FONT><BR /><FONT face="verdana,geneva" size="2">$a3 = "IEX $cmd -ErrorAction SilentlyContinue"</FONT><BR /><FONT face="verdana,geneva" size="2">condition:</FONT><BR /><FONT face="verdana,geneva" size="2">all of them and filesize &lt; 50000</FONT><BR /><FONT face="verdana,geneva" size="2">}</FONT></P> Thu, 07 May 2020 08:04:19 GMT https://live.paloaltonetworks.com/t5/custom-signatures/how-to-stop-mortiagent-malware-using-the-snort-rule/m-p/326590#M347 Mohammed_Yasin 2020-05-07T08:04:19Z