# Copyright 2020 by FireEye, Inc.
# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
# https://github.com/fireeye/red_team_tool_countermeasures/blob/master/LICENSE.txt
alert tcp any $HTTP_PORTS -> any any (msg:"Backdoor.HTTP.BEACON.[CSBundle USAToday Server]"; flow:from_server,established; content:"{\"navgd\":\"<div class=gnt_n_dd_ls_w><div class=gnt_n_dd_nt>ONLY AT USA TODAY:</div><div class=gnt_n_dd_ls><a class=gnt_n_dd_ls_a href=https://supportlocal.usatoday.com/"; sid:25894; rev:1;)
alert tcp any $HTTP_PORTS -> any any (msg:"Backdoor.HTTP.BEACON.[CSBundle USAToday Server]"; content:"HTTP/1."; depth:7; content:"Connection: close"; content:"Content-Type: application/json\; charset=utf-8"; content:"Content-Security-Policy: upgrade-insecure-requests"; content:"Strict-Transport-Security: max-age=10890000"; content:"Cache-Control: public, immutable, max-age=315360000"; content:"Accept-Ranges: bytes"; content:"X-Cache: HIT, HIT"; content:"X-Timer: S1593010188.776402,VS0,VE1"; content:"Vary: X-AbVariant, X-AltUrl, Accept-Encoding"; sid:25893; rev:1;)
alert tcp any $HTTP_PORTS -> any any (msg:"Backdoor.HTTP.BEACON.[CSBundle Original Server]"; content:"HTTP/1."; depth:7; content:"Content-Type: text/json|0d 0a|"; content:"Server: Microsoft-IIS/10.0|0d 0a|"; content:"X-Powered-By: ASP.NET|0d 0a|"; content:"Cache-Control: no-cache, no-store, max-age=0, must-revalidate|0d 0a|"; content:"Pragma: no-cache|0d 0a|"; content:"X-Frame-Options: SAMEORIGIN|0d 0a|"; content:"Connection: close|0d 0a|"; content:"{\"meta\":{},\"status\":\"OK\",\"saved\":\"1\",\"starttime\":17656184060,\"id\":\"\",\"vims\":{\"dtc\":"; sid:25874; rev:1;)
alert tcp any any -> any $HTTP_PORTS (msg:"Backdoor.HTTP.BEACON.[CSBundle NYTIMES GET]"; content:"GET"; depth:3; content:"Accept: */*"; content:"Accept-Encoding: gzip, deflate, br"; content:"Accept-Language: en-US,en\;q=0.5"; content:"nyt-a="; content:"nyt-gdpr=0\;nyt-purr=cfh\;nyt-geo=US}"; fast_pattern; content:"|0d 0a|Cookie:"; pcre:"/^GET\s(?:\/ads\/google|\/vi-assets\/static-assets|\/v1\/preferences|\/idcta\/translations|\/v2\/preferences)/"; sid:25881; rev:1;)
alert tcp any any -> any $HTTP_PORTS (msg:"Backdoor.HTTP.BEACON.[CSBundle Original Stager]"; content:"T "; offset:2; depth:3; content:"Accept: */*"; content:"Accept-Language: en-US"; content:"Accept-Encoding: gzip, deflate"; content:"Cookie: SIDCC=AN0-TYutOSq-fxZK6e4kagm70VyKACiG1susXcYRuxK08Y-rHysliq0LWklTqjtulAhQOPH8uA"; pcre:"/\/api\/v1\/user\/(?:512|124)\/avatar/"; sid:25879; rev:1;)
alert tcp any any -> any any (msg:"Backdoor.HTTP.GORAT.[SID1]"; content:"GET"; depth:3; content:"|0d 0a|Cookie: SID1="; content:!"|0d 0a|Referer:"; content:!"|0d 0a|Accept"; sid:25848; rev:1;)
alert tcp any $HTTP_PORTS -> any any (msg:"Backdoor.HTTP.BEACON.[CSBundle MSOffice Server]"; content:"HTTP/1."; depth:7; content:"{\"meta\":{},\"status\":\"OK\",\"saved\":\"1\",\"starttime\":17656184060,\"id\":\"\",\"vims\":{\"dtc\":\""; sid:25887; rev:1;)
alert tcp any any -> any 443 (msg:"Backdoor.SSL.BEACON.[CSBundle Ajax]"; content:"|16 03|"; depth:2; content:"US"; content:"US"; distance:0; content:"ajax.microsoft.com"; content:"ajax.microsoft.com"; distance:0; content:"Seattle"; content:"Seattle"; distance:0; content:"Microsoft"; content:"Microsoft"; distance:0; content:"Information Technologies"; content:"Information Technologies"; distance:0; content:"WA"; content:"WA"; distance:0; sid:25873; rev:1;)
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"Backdoor.HTTP.BEACON.[Yelp GET]"; flow:to_server; content:"GET "; depth:4; content:"&parent_request_id="; distance:0; within:256; fast_pattern; content:" HTTP/1"; distance:0; within:1024; content:"|0d 0a|Sec-Fetch-Dest: empty|0d 0a|"; distance:0; within:256; content:"request_origin=user"; offset:0; depth:256; pcre:"/^GET [^\r\n]{0,256}&parent_request_id=(?:[A-Za-z0-9_\/\+\-%]{128,1024})={0,2}[^\r\n]{0,256} HTTP\/1\.[01]/"; sid:33355045; rev:1;)
alert udp any 53 -> any any (msg:"Backdoor.DNS.BEACON.[CSBundle DNS]"; content:"|00 01 00 01|"; offset:4; depth:4; content:"|0a|_domainkey"; distance:0; content:"|00 00 10 00 01 c0 0c 00 10 00 01 00 00 00 02 01 00 ff|v=DKIM1\; p="; distance:0; sid:25872; rev:1;)
alert tcp any any -> any $HTTP_PORTS (msg:"Backdoor.HTTP.BEACON.[CSBundle CDN GET]"; content:"GET"; depth:3; content:"Accept: */*"; content:"Accept-Encoding: gzip, deflate, br"; content:"Accept-Language: en-US|0d 0a|"; content:"client-="; content:"\;auth=1}"; content:"Cookie:"; pcre:"/^GET\s(?:\/v1\/queue|\/v1\/profile|\/v1\/docs\/wsdl|\/v1\/pull)/"; sid:25890; rev:1;)
alert tcp any any -> any $HTTP_PORTS (msg:"Backdoor.HTTP.BEACON.[CSBundle USAToday GET]"; content:"GET"; depth:3; content:"Connection: close|0d 0a|"; content:"Accept: */*|0d 0a|"; content:"gnt_ub=86\;gnt_sb=18\;usprivacy=1YNY\;DigiTrust.v1.identity="; content:"%3D\;GED_PLAYLIST_ACTIVITY=W3sidSI6IkZtTWUiLCJ0c2wiOjE1OTMwM\;"; content:"Cookie:"; pcre:"/^GET\s(?:\/USAT-GUP\/user\/|\/entertainment\/|\/entertainment\/navdd-q1a2z3Z6TET4gv2PNfXpaJAniOzOajK7M\.min\.json|\/global-q1a2z3C4M2nNlQYzWhCC0oMSEFjQbW1KA\.min\.json|\/life\/|\/news\/weather\/|\/opinion\/|\/sports\/|\/sports\/navdd-q1a2z3JHa8KzCRLOQAnDoVywVWF7UwxJs\.min\.json|\/tangstatic\/js\/main-q1a2z3b37df2b1\.min\.js|\/tangstatic\/js\/pbjsandwich-q1a2z300ab4198\.min\.js|\/tangstatic\/js\/pg-q1a2z3bbc110a4\.min\.js|\/tangsvc\/pg\/3221104001\/|\/tangsvc\/pg\/5059005002\/|\/tangsvc\/pg\/5066496002\/|\/tech\/|\/travel\/)/"; sid:25892; rev:1;)
alert tcp any any -> any $HTTP_PORTS (msg:"Backdoor.HTTP.BEACON.[CSBundle Original POST]"; content:"POST"; depth:4; content:"Accept: */*|0d 0a|"; content:"Accept-Language: en-US|0d 0a|"; content:"Accept-Encoding: gzip, deflate|0d 0a|"; content:"{\"locale\":\"en\",\"channel\":\"prod\",\"addon\":\""; pcre:"/^POST\s(?:\/v4\/links\/check-activity\/check|\/v1\/stats|\/gql|\/api2\/json\/check\/ticket|\/1.5\/95648064\/storage\/history|\/1.5\/95648064\/storage\/tabs|\/u\/0\/_\/og\/botguard\/get|\/ev\/prd001001|\/ev\/ext001001|\/gp\/aw\/ybh\/handlers|\/v3\/links\/ping-beat\/check)/"; content:"ses-"; sid:25878; rev:1;)
alert tcp any any -> any $HTTP_PORTS (msg:"Backdoor.HTTP.BEACON.[CSBundle MSOffice POST]"; content:"POST /v1/push"; depth:13; content:"Accept: */*"; content:"Accept-Encoding: gzip, deflate, br"; content:"Accept-Language: en-US|0d 0a|"; content:"{\"locale\":\"en\",\"channel\":\"prod\",\"addon\":\""; content:"cli"; content:"l-"; sid:25891; rev:1;)
alert tcp any any -> any [139,445] (msg:"M.HackTool.SMB.Impacket-Obfuscation.[Service Names]"; content:"|ff 53 4d 42|"; offset:4; depth:4; pcre:"/(?:\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x55\x00\x70\x00\x64\x00\x61\x00\x74\x00\x65\x00\x20\x00\x43\x00\x6f\x00\x6e\x00\x74\x00\x72\x00\x6f\x00\x6c\x00\x20\x00\x53\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65|\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x31\x00\x30\x00\x20\x00\x44\x00\x65\x00\x66\x00\x65\x00\x6e\x00\x64\x00\x65\x00\x72|\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x4c\x00\x69\x00\x63\x00\x65\x00\x6e\x00\x73\x00\x65\x00\x20\x00\x4b\x00\x65\x00\x79\x00\x20\x00\x41\x00\x63\x00\x74\x00\x69\x00\x76\x00\x61\x00\x74\x00\x69\x00\x6f\x00\x6e|\x4f\x00\x66\x00\x66\x00\x69\x00\x63\x00\x65\x00\x20\x00\x33\x00\x36\x00\x35\x00\x20\x00\x50\x00\x72\x00\x6f\x00\x78\x00\x79|\x4d\x00\x69\x00\x63\x00\x72\x00\x6f\x00\x73\x00\x6f\x00\x66\x00\x74\x00\x20\x00\x53\x00\x65\x00\x63\x00\x75\x00\x72\x00\x69\x00\x74\x00\x79\x00\x20\x00\x43\x00\x65\x00\x6e\x00\x74\x00\x65\x00\x72|\x4f\x00\x6e\x00\x65\x00\x44\x00\x72\x00\x69\x00\x76\x00\x65\x00\x20\x00\x53\x00\x79\x00\x6e\x00\x63\x00\x20\x00\x43\x00\x65\x00\x6e\x00\x74\x00\x65\x00\x72|\x42\x00\x61\x00\x63\x00\x6b\x00\x67\x00\x72\x00\x6f\x00\x75\x00\x6e\x00\x64\x00\x20\x00\x41\x00\x63\x00\x74\x00\x69\x00\x6f\x00\x6e\x00\x20\x00\x4d\x00\x61\x00\x6e\x00\x61\x00\x67\x00\x65\x00\x72|\x53\x00\x65\x00\x63\x00\x75\x00\x72\x00\x65\x00\x20\x00\x54\x00\x6f\x00\x6b\x00\x65\x00\x6e\x00\x20\x00\x4d\x00\x65\x00\x73\x00\x73\x00\x61\x00\x67\x00\x69\x00\x6e\x00\x67\x00\x20\x00\x53\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65|\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x20\x00\x55\x00\x70\x00\x64\x00\x61\x00\x74\x00\x65)/R"; sid:25857; rev:1;)
alert tcp any $HTTP_PORTS -> any any (msg:"Backdoor.HTTP.BEACON.[CSBundle Original Stager 2]"; content:"HTTP/1."; depth:7; content:"Content-Type: text/json|0d 0a|"; content:"Server: Microsoft-IIS/10.0|0d 0a|"; content:"X-Powered-By: ASP.NET|0d 0a|"; content:"Cache-Control: no-cache, no-store, max-age=0, must-revalidate|0d 0a|"; content:"Pragma: no-cache|0d 0a|"; content:"X-Frame-Options: SAMEORIGIN|0d 0a|"; content:"Connection: close|0d 0a|"; content:"Content-Type: image/gif"; content:"|01 00 01 00 00 02 01 44 00 3b|"; content:"|ff ff ff 21 f9 04 01 00 00 00 2c 00 00 00 00|"; content:"|47 49 46 38 39 61 01 00 01 00 80 00 00 00 00|"; sid:25880; rev:1;)
alert tcp any any -> any $HTTP_PORTS (msg:"Backdoor.HTTP.BEACON.[CSBundle NYTIMES POST]"; content:"POST"; depth:4; content:"Accept: */*"; content:"Accept-Encoding: gzip, deflate, br"; content:"Accept-Language: en-US,en\;q=0.5"; content:"id-"; content:"{\"locale\":\"en\",\"channel\":\"prod\",\"addon\":\""; pcre:"/^POST\s(?:\/track|\/api\/v1\/survey\/embed|\/svc\/weather\/v2)/"; sid:25885; rev:1;)
alert tcp any any -> any 88 (msg:"HackTool.TCP.Rubeus.[nonce 2]"; content:"|a7 06 02 04 6C 69 6C 00|"; sid:25900; rev:1;)
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"Backdoor.HTTP.BEACON.[Yelp Request]"; flow:to_server; content:"T "; depth:5; content:" HTTP/1"; distance:0; within:256; content:"Cookie: hl=en|3b|bse="; distance:0; within:256; fast_pattern; content:"|3b|_gat_global=1|3b|recent_locations|3b|_gat_www=1|3b||0d 0a|"; pcre:"/Cookie: hl=en\x3bbse=(?:[A-Za-z0-9_\/\+\-]{128,1024})={0,2}\x3b_gat_global=1\x3brecent_locations\x3b_gat_www=1\x3b\r\n/"; sid:62010239; rev:1;)
alert tcp any any -> any $HTTP_PORTS (msg:"Backdoor.HTTP.BEACON.[CSBundle MSOffice GET]"; content:"GET"; depth:3; content:"Accept: */*"; content:"Accept-Encoding: gzip, deflate, br"; content:"Accept-Language: en-US|0d 0a|"; content:"sess-="; content:"auth=0\;loc=US}"; content:"Cookie:"; pcre:"/^GET\s(?:\/updates|\/license\/eula|\/docs\/office|\/software-activation)/"; sid:25886; rev:1;)
alert tcp any $HTTP_PORTS -> any any (msg:"Backdoor.HTTP.BEACON.[CSBundle Original Server 2]"; content:"{\"meta\":{},\"status\":\"OK\",\"saved\":\"1\",\"starttime\":17656184060,\"id\":\"\",\"vims\":{\"dtc\":"; sid:25875; rev:1;)
alert tcp any any -> any $HTTP_PORTS (msg:"Backdoor.HTTP.BEACON.[CSBundle MSOffice POST]"; content:"POST /notification"; depth:18; content:"Accept: */*"; content:"Accept-Encoding: gzip, deflate, br"; content:"Accept-Language: en-US|0d 0a|"; content:"{\"locale\":\"en\",\"channel\":\"prod\",\"addon\":\""; content:"nid"; content:"msg-"; sid:25889; rev:1;)
alert tcp any any -> any $HTTP_PORTS (msg:"Backdoor.HTTP.BEACON.[CSBundle Original GET]"; content:"GET"; depth:3; content:"Accept: */*|0d 0a|"; content:"Accept-Language: en-US|0d 0a|"; content:"Accept-Encoding: gzip, deflate|0d 0a|"; content:"Cookie:"; content:"display-culture=en\;check=true\;lbcs=0\;sess-id="; distance:0; content:"\;SIDCC=AN0-TY21iJHH32j2m\;FHBv3=B"; pcre:"/^GET\s(?:\/api2\/json\/access\/ticket|\/api2\/json\/cluster\/resources|\/api2\/json\/cluster\/tasks|\/en-us\/p\/onerf\/MeSilentPassport|\/en-us\/p\/book-2\/8MCPZJJCC98C|\/en-us\/store\/api\/checkproductinwishlist|\/gp\/cerberus\/gv|\/gp\/aj\/private\/reviewsGallery\/get-application-resources|\/gp\/aj\/private\/reviewsGallery\/get-image-gallery-assets|\/v1\/buckets\/default\/ext-5dkJ19tFufpMZjVJbsWCiqDcclDw\/records|\/v3\/links\/ping-centre|\/v4\/links\/activity-stream|\/wp-content\/themes\/am43-6\/dist\/records|\/wp-content\/themes\/am43-6\/dist\/records|\/wp-includes\/js\/script\/indigo-migrate)/"; sid:25877; rev:1;)
alert tcp any $HTTP_PORTS -> any any (msg:"Backdoor.HTTP.BEACON.[CSBundle MSOffice Server]"; flow:from_server,established; content:"{\"meta\":{},\"status\":\"OK\",\"saved\":\"1\",\"starttime\":17656184060,\"id\":\"\",\"vims\":{\"dtc\":\""; sid:25888; rev:1;)
alert tcp any $HTTP_PORTS -> any any (msg:"Backdoor.HTTP.BEACON.[CSBundle NYTIMES Server]"; flow:from_server,established; content:"{\"meta\":{},\"status\":\"OK\",\"saved\":\"1\",\"starttime\":17656184060,\"id\":\"\",\"vims\":{\"dtc\":\""; sid:25884; rev:1;)
alert udp any any -> any 88 (msg:"HackTool.UDP.Rubeus.[nonce 2]"; content:"|a7 06 02 04 6C 69 6C 00|"; sid:25902; rev:1;)
alert udp any 53 -> any any (msg:"Backdoor.DNS.BEACON.[CSBundle DNS]"; content:"|00 01 00 01|"; offset:4; depth:4; content:"|03|"; within:15; content:"|0a|_domainkey"; distance:3; within:11; content:"|00 00 10 00 01 c0 0c 00 10 00 01 00 00 00 02 01 00 ff|v=DKIM1\; p="; sid:25866; rev:1;)
alert tcp any any -> any 88 (msg:"HackTool.TCP.Rubeus.[nonce]"; content:"|05|"; depth:30; content:"|0a|"; distance:4; within:1; content:"Z"; content:"|6C 69 6C 00|"; within:25; sid:25899; rev:1;)
alert tcp any $HTTP_PORTS -> any any (msg:"Backdoor.HTTP.BEACON.[CSBundle NYTIMES Server]"; content:"HTTP/1."; depth:7; content:"Accept-Ranges: bytes"; content:"Age: 5806"; content:"Cache-Control: public,max-age=31536000"; content:"Content-Encoding: gzip"; content:"Content-Length: 256398"; content:"Content-Type: application/javascript"; content:"Server: UploadServer"; content:"Vary: Accept-Encoding, Fastly-SSL"; content:"x-api-version: F-X"; content:"x-cache: HIT"; content:"x-Firefox-Spdy: h2"; content:"x-nyt-route: vi-assets"; content:"x-served-by: cache-mdw17344-MDW"; content:"x-timer: S1580937960.346550,VS0,VE0"; sid:25882; rev:1;)
alert tcp any $HTTP_PORTS -> any any (msg:"Backdoor.HTTP.BEACON.[CSBundle Original Server 3]"; content:"{\"alias\":\"apx\",\"prefix\":\"\",\"suffix\":null,\"suggestions\":[],\"responseId\":\"15QE9JX9CKE2P\",\"addon\": \""; content:"\",\"shuffled\":false}"; sid:25876; rev:1;)
alert udp any any -> any 88 (msg:"HackTool.UDP.Rubeus.[nonce]"; content:"|05|"; depth:30; content:"|0a|"; distance:4; within:1; content:"Z"; content:"|6C 69 6C 00|"; within:25; sid:25901; rev:1;)
alert tcp any any -> any any (msg:"Backdoor.HTTP.GORAT.[POST]"; content:"POST / HTTP/1.1"; depth:15; content:"Connection: upgrade"; content:"|0d 0a|Upgrade: tcp/1|0d 0a|"; content:!"|0d 0a|Referer:"; content:!"|0d 0a|Accept"; content:!"|0d 0a|Cookie:"; sid:25849; rev:1;)
alert tcp any any -> any any (msg:"HackTool.TCP.Rubeus.[User32LogonProcesss]"; flow:to_server; content:"User32LogonProcesss"; sid:100001; rev:1;)
alert tcp any any -> any any (msg:"Backdoor.HTTP.GORAT.[Build ID]"; content:"aqlKZ7wjzg0iKM00E1WB/jq9_RA46w91EKl9A02Dv/nbNdZiLsB1ci8Ph0fb64/9Ks1YxAE86iz9A0dUiDl"; sid:25850; rev:1;)
alert tcp any any -> any $HTTP_PORTS (msg:"Backdoor.HTTP.GORAT.[POST Content]"; content:"POST"; depth:4; content:"|0d 0a 0d 0a|murica"; content:!"|0d 0a|Referer:"; content:!"|0d 0a|Accept"; content:!"|0d 0a|Cookie:"; sid:77600820; rev:4; )
alert tcp any $HTTP_PORTS -> any any (msg:"Backdoor.HTTP.GORAT.[HTTP Response]"; content:"HTTP/1."; depth:7; content:"|0d 0a 0d 0a|murica"; sid:77600821; rev:1; )
alert tcp any 443 -> any any ( msg:"Backdoor.HTTP.GORAT.[SSL Cert]"; content:"|16 03 03|"; depth:3; content:"ACME Shell Co.0"; content:"Z"; distance:0; content:"ACME Shell Co.0"; distance:0; sid:77600822; rev:4; )
alert tcp any any -> any 445 ( msg:"Backdoor.SMB.BASICPIPESHELL.[0b 00]"; content:"|fe|SMB"; offset:4; depth:4; content:"|0b 00|"; distance:8; within:2; content:"|70 00 69 00 70 00 65 00 73 00 68 00 65 00 6c 00 6c 00 2d 00 70 00 69 00 70 00 65 00 6e 00 61 00 6d 00 65 00|"; gid:666; sid:77600824; rev:1; )
alert tcp any any -> any 445 ( msg:"Backdoor.SMB.BASICPIPESHELL.[05 00]"; content:"|fe|SMB"; offset:4; depth:4; content:"|05 00|"; distance:8; within:2; content:"|70 00 69 00 70 00 65 00 73 00 68 00 65 00 6c 00 6c 00 2d 00 70 00 69 00 70 00 65 00 6e 00 61 00 6d 00 65 00|"; gid:666; sid:77600825; rev:1; )
alert tcp any 445 -> any any ( msg:"Backdoor.SMB.BASICPIPESHELL.[08 00]"; content:"|fe|SMB"; offset:4; depth:4; content:"|08 00|"; distance:8; within:2; content:"DQpTdGF0dXMgICBOYW1lICAgICAgICAgICAgICAgRGlzcGxheU5h"; gid:666; sid:77600828; rev:1; )