Monday, December 1, 2014

Detailed analysis of an ADP Invoice Phishing Attempt - IPS (Snort) and SIEM (QRadar) Rules

In this six-part series we analyzed a phishing email that was sent to me. In the first post we looked at the email itself. In the second post we analyzed the captured traffic with Wireshark. In the third post we did some basic static analysis. In the fourth post we performed some basic dynamic analysis. In the fifth post we performed some basic memory analysis. In this post we put it all together and write rules for our IPS (Snort) and SIEM (QRadar).

Now that we've performed the analysis, let's use what we've gathered to defend our infrastructure.
In post 4 we identified the following:
1. Packets 3 and 4 show the DNS request and response for "" respectively. This is similar to what was reported by InetSim.
2. Packets 5 to 7 show the TCP connection being set up with the host hosting "".
3. Once the connection was established, an HTTP GET request was made to download "/fichiers/miniuk1.pmg".
4. In packet 11 we see this request was successful ("HTTP/1.1 200 OK").
5. In packets 15 and 16 we see the DNS request and response for
6. Once the name was resolved, we see in packets 17-19 a connection being set up to
7. In packet 20 an HTTP GET request was made for "miniuk1.pmg". This all confirms what was shown in the InetSim log file.
Writing the Snort rules ...
These rules will be placed in the "local.rules" file. Two housekeeping points first: Snort option keywords are lowercase ("priority", not "Priority", which the parser rejects), and every local rule should carry a "rev" so that later edits to the rule can be tracked.
This rule looks for the DNS request for

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"Malicious DNS Request -"; content:"shahlart|03|com"; classtype:trojan-activity; reference:url,; priority:1; sid:4000001; rev:1;)

In the DNS question section a name is carried as length-prefixed labels, not as dotted text, so "shahlart|03|com" matches the label "shahlart" followed by the length byte 0x03 and the label "com"; a content of "shahlart.com" would never fire. Note that the length byte of the first label (0x08 for an eight-character label) is not part of the content, so the rule also matches any name whose label merely ends in "shahlart"; prefixing the content with "|08|" pins it to the exact label.

This rule looks for the DNS request for

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"Malicious DNS Request -"; content:"|70 72 6f 6a 65 74 67 6c 6f 72 79 0a|awardspace|03|com"; classtype:trojan-activity; reference:url,; priority:1; sid:4000002; rev:1;)

Here the hex run "70 72 6f 6a 65 74 67 6c 6f 72 79" is the ASCII label "projetglory", and the trailing "0a" is not a newline but the length byte (10) of the following label "awardspace". Both DNS rules watch only queries that leave $HOME_NET for port 53. If the clients use an internal resolver, the query the sensor sees from the client goes to a $HOME_NET address and the rule will not fire; either make sure the sensor sees the resolver's own outbound queries or change $EXTERNAL_NET to "any".

This rule focuses on the HTTP traffic, matching both the User-Agent observed in the capture and the requested file name:

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ADP Phishing GET Request - shahlart"; content:"User-Agent|3a 20|mupdate"; content:"/miniuk1.pmg"; classtype:trojan-activity; detection_filter: track by_src, count 1, seconds 86400; reference:url,; priority:1; sid:4000003; rev:1;)

Two points on this rule. First, both content options must match for the rule to fire; restricting them with "http_header" and "http_uri" (and adding "flow:established,to_server;") would reduce false positives from the same strings appearing elsewhere in a stream. Second, "detection_filter" with a count of 1 is not a throttle: it alerts once at least one match has been seen in the window, which is to say on every match. To alert only once per source per 24 hours, the way the QRadar rule below is configured, use an event_filter in threshold.conf instead:

event_filter gen_id 1, sig_id 4000003, type limit, track by_src, count 1, seconds 86400
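The following Python is an added example and not code from the original post. It converts the content strings of the three rules above into the bytes Snort actually compares, builds constructed DNS query and HTTP request payloads (sample traffic invented here, with the host names taken from the rule contents rather than from adp.pcap), checks which rule fires against which payload, and models the "type limit" event_filter so that the difference from "detection_filter" is visible. The byte-level DNS encoding is the point: it shows why the hex "0a" is a label length and why the first rule also matches longer labels.

```python
import struct

# Added example (not part of the original post): turn the content strings of the
# three local.rules entries into the bytes Snort compares, run them against
# constructed DNS query and HTTP request payloads, and simulate the event_filter
# "type limit" behaviour. All traffic below is built here, not taken from adp.pcap.


def snort_content_to_bytes(content: str) -> bytes:
    """Convert a Snort content string such as 'shahlart|03|com' to raw bytes.

    Text between pipes is space-separated hex; everything else is literal ASCII.
    """
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2 == 1:                      # odd segments sit inside |...|
            out.extend(bytes.fromhex(part.replace(" ", "")))
        else:
            out.extend(part.encode("ascii"))
    return bytes(out)


def dns_qname(name: str) -> bytes:
    """Encode a hostname as DNS wire-format labels: length byte, label, ..., 0x00."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        out.append(len(label))
        out.extend(label.encode("ascii"))
    out.append(0)
    return bytes(out)


def dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal UDP payload of a DNS A query: 12-byte header plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, QDCOUNT=1
    return header + dns_qname(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


# content options copied from the three rules; a rule fires only if all of them match
RULE_CONTENTS = {
    4000001: ["shahlart|03|com"],
    4000002: ["|70 72 6f 6a 65 74 67 6c 6f 72 79 0a|awardspace|03|com"],
    4000003: ["User-Agent|3a 20|mupdate", "/miniuk1.pmg"],
}


def rule_matches(sid: int, payload: bytes) -> bool:
    """Plain substring search, which is what an unmodified content option does."""
    return all(snort_content_to_bytes(c) in payload for c in RULE_CONTENTS[sid])


def event_filter_limit(alerts, count=1, seconds=86400):
    """Simplified model of `event_filter ... type limit, track by_src`: report at most
    `count` alerts per (source, sid) in each window of `seconds`, the window starting
    at the first alert seen. Input is a list of (timestamp, src, sid) tuples."""
    window_start, reported_in_window, reported = {}, {}, []
    for ts, src, sid in alerts:
        key = (src, sid)
        if key not in window_start or ts - window_start[key] >= seconds:
            window_start[key] = ts
            reported_in_window[key] = 0
        if reported_in_window[key] < count:
            reported_in_window[key] += 1
            reported.append((ts, src, sid))
    return reported


def demo():
    """Run the rules over constructed traffic; host names come from the rule contents."""
    http_get = (b"GET /fichiers/miniuk1.pmg HTTP/1.1\r\n"
                b"Host: shahlart.com\r\n"
                b"User-Agent: mupdate\r\n\r\n")
    results = {
        "dns_shahlart": rule_matches(4000001, dns_query("shahlart.com")),
        # no length byte in front of "shahlart", so a longer label also matches
        "dns_xshahlart": rule_matches(4000001, dns_query("xshahlart.com")),
        "dns_projetglory": rule_matches(4000002, dns_query("projetglory.awardspace.com")),
        "dns_parent_only": rule_matches(4000002, dns_query("awardspace.com")),
        "http_get": rule_matches(4000003, http_get),
        "http_other_ua": rule_matches(4000003, http_get.replace(b"mupdate", b"Mozilla/5.0")),
    }
    # detection_filter count 1 would report all four of these; type limit reports three
    alerts = [(0, "10.0.0.5", 4000003), (60, "10.0.0.5", 4000003),
              (100, "10.0.0.9", 4000003), (90000, "10.0.0.5", 4000003)]
    results["limited_alerts"] = len(event_filter_limit(alerts))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the "xshahlart" query matching rule 4000001, which is the reason to put the first label's length byte into the content, and shows that only three of the four constructed alerts survive the limit filter, which is what the "detection_filter" in the rule as written does not achieve.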

Now that we have our IPS (Snort) rules, let's develop a SIEM (QRadar) rule.
For this we will use a "Common Rule". A common rule is one which can run tests against either events (logs) or flows, or both. To create this rule:

1. From the "Offense" tab, select Rules
2. From the "Action" menu select "New Common Rule"
3. Click "Next" then build the rule

From the above we are keeping the rule simple: we are looking for traffic going to destination host on destination port 80 whose payload contains the string /miniuk1.pmg.

From the above rule response, the most important things I configured are:

1. Create a new event when traffic matching our rule is seen
2. Ensure the dispatched event is part of an offense
3. Ensure an email is sent to
4. Throttle the responses so that we respond only once per 24 hours per unique source
5. Finally, ensure the rule is enabled

The above represents a summary of our rule.

This concludes this series. Hope you enjoyed it as we went from the initial email that was received to analyzing it deeply enough to develop rules for both our IPS (Snort) and SIEM (QRadar).

.pcap and .zip files from my analysis are attached. Please note, in no way am I responsible for any damage caused to your computer and/or other devices as a result of using these files.
adp.pcap - 4cfd352a3c890873d20a33d35fffed25 - 05fc7646cf11b6e7fb124782daf9fb53 



  1. Hello Nik,

    Could you provide us with the malware for us to do the same tests? For learning purposes too.


    1. Shaqe,
I've attached the .pcap and the .zip files to all the posts in this series. You will need to extract the .exe from the .zip. I put the packet capture so that you can probably analyze it as you like.