mandiant / sunburst_countermeasures
License: BSD 2-Clause "Simplified" License
11385275378891906608 : carbonblack
13693525876560827283 : carbonblackk
18246404330670877335 : cbstream
Thanks to @cybercdh for the tooling.
Hi
Can we add the links to the Beacon Decoder located here:
https://github.com/RedDrip7/SunBurst_DGA_Decode
With passive DNS data here:
https://github.com/bambenek/research/tree/main/sunburst
Br
Marc
edit: beacon...not bacon...
Nevermind, please remove.
All snort rules I've taken a look at so far use a wrong first match for content:"T "; offset:2; depth:3; that is separately matched to the actual "GET /..." URLs.
A simple "GET /swip/Events" would suffice (as even the HTTP/1 suffix is unnecessary, actually). Depending on the final rule parser and software, some IDS might cause false positive alerts because of this.
Mandiant gives the error: unencapsulated OpenIOC format
Redline tells me the IOCs are malformed.
From Redline Support:
The IOCs that you downloaded from FireEye's GitHub site are OpenIOC version 1.1. Redline currently only supports the OpenIOC version 1.0 standard.
OpenIOC 3.2.0 supports the OpenIOC version 1.1 format, so that is why you were able to open them in that program.
OpenIOC 1.1 standard is not backward-compatible with 1.0.
a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc
11266044540366291518 : connection
6116246686670134098 : content-type
9007106680104765185 : referer
5449730069165757263 : blacklight
506634811745884560 : reflector
Thanks to @cybercdh for the tooling.
msmpeng : 5183687599225757871
aka Microsoft Security Essentials
csfalconcontainer : 9061219083560670602
csfalconservice : 8698326794961817906
aka this is looking for CrowdStrike
I am trying to add this detection in Cisco FireAMP. I am getting an error message "Content invalid characters in signature". Unsure if this is a syntax issue or a problem with FireAMP.
Thoughts on how to fix this?
ClamAV seems to experience issues when reading the ruleset from APT_Dropper_Raw64_TEARDROP_1.yar on Ubuntu 18.04.5 LTS. All other Yara rulesets work without issues.
$ clamscan -ir -d APT_Dropper_Raw64_TEARDROP_1.yar /
LibClamAV Error: parse_yara_hex_string: Single byte subpatterns unsupported in ClamAV
LibClamAV Error: load_oneyara: error in parsing yara hex string
LibClamAV Warning: load_oneyara: clamav cannot support 1 input strings, skipping YARA.APT_Dropper_Raw64_TEARDROP_1
LibClamAV Warning: cli_loadyara: problem parsing yara file APT_Dropper_Raw64_TEARDROP_1.yar, yara rule APT_Dropper_Raw64_TEARDROP_1
LibClamAV Error: Can't load APT_Dropper_Raw64_TEARDROP_1.yar: Malformed database
ERROR: Malformed database
----------- SCAN SUMMARY -----------
Known viruses: 0
Engine version: 0.102.4
Scanned directories: 0
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.006 sec (0 m 0 s)
$ clamscan --version
ClamAV 0.102.4/26024/Mon Dec 21 13:48:10 2020