In this 6 part series, we analyzed a recent phishing attempt through an email which was sent to me. In the first post we looked at the email. In the second post we did an analysis using Wireshark. In the third post we did some basic static analysis. In the fourth post we performed some basic dynamic analysis. In the fifth post, we performed some basic memory analysis. In this post we put it all together, writing rules for our IPS (snort) and SIEM (QRadar) devices.
Now that we've performed the analysis, let's use what we've gathered to defend our infrastructure.
In post 4 we identified the following:
1. Packets 3 and 4 show the DNS request and response for "projetglory.awardspace.com" respectively. This is similar to what was reported by InetSim.
2. Packets 5 to 7 show the TCP connection being set up with the host which is hosting "projetglory.awardspace.com".
3. Once the connection was established, the HTTP GET request was made to download "/fichiers/miniuk1.pmg".
4. In packet 11 we see this request was successful via the "HTTP/1.1 200 OK".
5. In packets 15 and 16, we see the DNS request and response for shalhart.com.
6. Once the name was resolved, we see in packets 17-19 a connection was set up to shalhart.com.
7. In packet 20 a HTTP GET request was made for "miniuk1.pmg". This all confirms what was shown in the InetSim log file.
Writing the snort rules ...
These rules will be placed in the "local.rules" file. Rule option keywords are written in lowercase ("priority", not "Priority") so the rules parse cleanly.
This rule looks for the DNS request for shahlart.com. The content string is the name as it appears on the wire: each label is preceded by a one-byte length, so the "." between the labels is matched as |03|, the length of "com".
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"Malicious DNS Request - shahlart.com"; content:"shahlart|03|com"; classtype:trojan-activity; reference:url,securitynik.blogspot.com; priority:1; sid:4000001;)
This rule looks for the DNS request for projetglory.awardspace.com. The hex bytes 70 72 6f 6a 65 74 67 6c 6f 72 79 are "projetglory" and the 0a which follows is the length (10) of the "awardspace" label.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"Malicious DNS Request - projetglory.awardspace.com"; content:"|70 72 6f 6a 65 74 67 6c 6f 72 79 0a|awardspace|03|com"; classtype:trojan-activity; reference:url,securitynik.blogspot.com; priority:1; sid:4000002;)
This rule focuses on HTTP traffic. It matches the "User-Agent: mupdate" header (|3a 20| is the ": " after the header name) together with the requested path. To alert only once per source per 24 hours, the rule uses a "threshold" of type "limit" rather than "detection_filter"; detection_filter sets a rate that must be exceeded before the rule fires, which with a count of 1 does not suppress anything.
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ADP Phishing GET Request - shahlart"; content:"User-Agent|3a 20|mupdate"; content:"/miniuk1.pmg"; classtype:trojan-activity; threshold:type limit, track by_src, count 1, seconds 86400; reference:url,securitynik.blogspot.com; priority:1; sid:4000003;)
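The following Python is an added example and not part of the original post or the Snort project. It shows how the content: strings above are turned into bytes, how the wire-format DNS name pattern for any domain is built (the general form of which the two DNS rules above are instances), and checks each of the three content matches against constructed sample payloads. The sample DNS query and HTTP request are constructed here for illustration, and the helper names are my own. It also shows why the leading length byte matters: a pattern such as "shahlart|03|com" without the |08| in front also matches a query for a longer name that merely ends in those bytes.

```python
import struct


def snort_content_to_bytes(content: str) -> bytes:
    """Convert a Snort content: string, with |hex| sections, into raw bytes."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2 == 0:
            out += part.encode("ascii")          # literal text outside the pipes
        else:
            out += bytes.fromhex(part)           # hex bytes inside the pipes (spaces allowed)
    return bytes(out)


def dns_content_pattern(domain: str) -> str:
    """Build the exact Snort content: pattern for a DNS name as it appears on the
    wire: each label is preceded by its one-byte length and the name ends in |00|."""
    labels = domain.rstrip(".").split(".")
    return "".join("|%02x|%s" % (len(label), label) for label in labels) + "|00|"


def dns_query_payload(domain: str, txid: int = 0x1234) -> bytes:
    """Constructed minimal DNS A query (header + one question) used as sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in domain.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


# Constructed sample of the HTTP request described in the analysis (not a real capture).
SAMPLE_HTTP_GET = (
    b"GET /fichiers/miniuk1.pmg HTTP/1.1\r\n"
    b"Host: projetglory.awardspace.com\r\n"
    b"User-Agent: mupdate\r\n"
    b"\r\n"
)


def content_matches(content: str, payload: bytes) -> bool:
    """True when the bytes of a Snort content: string occur anywhere in the payload."""
    return snort_content_to_bytes(content) in payload


def check_all_rules() -> dict:
    """Apply the content matches of the three rules above to the sample payloads."""
    dns_rule1 = "shahlart|03|com"
    dns_rule2 = "|70 72 6f 6a 65 74 67 6c 6f 72 79 0a|awardspace|03|com"
    return {
        "sid4000001": content_matches(dns_rule1, dns_query_payload("shahlart.com")),
        "sid4000002": content_matches(dns_rule2, dns_query_payload("projetglory.awardspace.com")),
        "sid4000003": (content_matches("User-Agent|3a 20|mupdate", SAMPLE_HTTP_GET)
                       and content_matches("/miniuk1.pmg", SAMPLE_HTTP_GET)),
        # The unanchored pattern also matches a different, longer name ending in the same bytes;
        # the length-prefixed pattern from dns_content_pattern() does not.
        "loose_pattern_overmatches": content_matches(dns_rule1, dns_query_payload("notshahlart.com")),
        "strict_pattern_exact": content_matches(dns_content_pattern("shahlart.com"),
                                                dns_query_payload("notshahlart.com")),
    }


if __name__ == "__main__":
    print(dns_content_pattern("projetglory.awardspace.com"))
    for name, hit in check_all_rules().items():
        print(name, hit)
```

Running it prints the length-prefixed pattern for projetglory.awardspace.com and shows the three rule matches succeeding on the sample payloads, while the "loose" pattern also fires on notshahlart.com. Prefixing the first label's length (|08|shahlart|03|com|00|) is the simplest way to tighten the DNS rules.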
Now that we have our IPS (snort) rules, let's develop a SIEM (QRadar) rule.
For this we will use a "Common Rule". A common rule is one which can run tests against either logs or flows (or both). To create this rule let's do the following:
1. From the "Offense" tab, select "Rules"
2. From the "Action" menu select "New Common Rule"
3. Click "Next" then build the rule
From the above we are keeping the rule simple: we are looking for traffic going to destination host 50.87.164.13 on destination port 80. In addition we are looking for a payload that contains the string /miniuk1.pmg.
From the above rule response, the most important things which I configured are:
1. Create a new event when traffic relating to our rule is seen
2. Ensure the dispatched event is part of an offense
3. Ensure an email is sent to sec@securitynik.com
4. We will also throttle the alerts to ensure we respond only 1 time per 24 hours per unique source.
5. Finally we ensure the rule is enabled
The above represents a summary of our rule.
This concludes this series. Hope you enjoyed it as we went from the initial email which was received to analyzing it enough to be able to develop rules for both our IPS (snort) and our SIEM (QRadar).
.pcap and .zip files from my analysis. Please note, in no way am I responsible for any damage caused to your computer and or other devices as a result of using these files.
adp.pcap - 4cfd352a3c890873d20a33d35fffed25
invoice1211_pdf82.zip - 05fc7646cf11b6e7fb124782daf9fb53
http://www.snort.org
http://www-03.ibm.com/software/products/en/qradar-siem/
Hello Nik,
Could you provide us with the malware for us to do the same tests? For learning purposes too.
Thanks
Shaqe,
I've attached the .pcap and the .zip files to all the posts in this series. You will need to extract the .exe from the .zip. I put the packet capture so that you can probably analyze it as you like.