# Copyright 2020 by FireEye, Inc.
# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
alert tcp $HOME_NET any -> any any (msg:"APT.Backdoor.MSIL.SUNBURST"; content:"T "; offset:2; depth:3; content:"/swip/Events HTTP/1"; within:100; content:"Host: "; content:!".solarwinds.com"; within:100; sid:77600832; rev:1;)
alert tcp $HOME_NET any -> any any (msg:"APT.Backdoor.MSIL.SUNBURST"; content:"T "; offset:2; depth:3; content:"/swip/upd/SolarWinds.CortexPlugin.Components.xml"; distance:0; content:"Host: "; content:!".solarwinds.com"; within:100; sid:77600833; rev:1;)
alert tcp any any -> any any (msg:"APT.Backdoor.MSIL.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:".avsvmcloud.com"; distance:0; sid:77600842; rev:1;)
alert tcp $HOME_NET any -> any any (msg:"APT.Backdoor.MSIL.SUNBURST"; content:"T "; offset:2; depth:3; content:"swip/Upload.ashx HTTP/1"; within:100; content:"Host: "; content:!".solarwinds.com"; within:100; sid:77600843; rev:1;)
alert tcp $HOME_NET any -> any any (msg:"APT.Backdoor.MSIL.SUNBURST"; content:"T "; offset:2; depth:3; content:"/swip/upd/"; within:75; content:" HTTP/1."; distance:0; content:"Host: "; content:!".solarwinds.com"; within:100; sid:77600844; rev:1;)
alert tcp any any <> any 443 (msg:"APT.Backdoor.MSIL.SUNBURST"; content:"|16 03|"; depth:2; content:"avsvmcloud.com"; distance:0; sid:77600845; rev:1;)
alert tcp any any <> any 443 (msg:"APT.Backdoor.MSIL.SUNBURST"; content:"|16 03|"; depth:2; content:"|55 04 03|"; distance:0; content:"digitalcollege.org"; within:50; sid:77600846; rev:1;)
alert tcp any any <> any 443 (msg:"APT.Backdoor.MSIL.SUNBURST"; content:"|16 03|"; depth:2; content:"|55 04 03|"; distance:0; content:"freescanonline.com"; within:50; sid:77600847; rev:1;)
alert tcp any any <> any 443 (msg:"APT.Backdoor.MSIL.SUNBURST"; content:"|16 03|"; depth:2; content:"|55 04 03|"; distance:0; content:"deftsecurity.com"; within:50; sid:77600848; rev:1;)
alert tcp any any <> any 443 (msg:"APT.Backdoor.MSIL.SUNBURST"; content:"|16 03|"; depth:2; content:"|55 04 03|"; distance:0; content:"thedoccloud.com"; within:50; sid:77600849; rev:1;)
alert tcp any any <> any 443 (msg:"APT.Backdoor.MSIL.SUNBURST"; content:"|16 03|"; depth:2; content:"|55 04 03|"; distance:0; content:"virtualdataserver.com"; within:50; sid:77600850; rev:1;)
alert tcp any any -> any any (msg:"APT.Backdoor.MSIL.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"digitalcollege.org"; within:100; sid:77600851; rev:1;)
alert tcp any any -> any any (msg:"APT.Backdoor.MSIL.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"freescanonline.com"; within:100; sid:77600852; rev:1;)
alert tcp any any -> any any (msg:"APT.Backdoor.MSIL.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"deftsecurity.com"; within:100; sid:77600853; rev:1;)
alert tcp any any -> any any (msg:"APT.Backdoor.MSIL.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"thedoccloud.com"; within:100; sid:77600854; rev:1;)
alert tcp any any -> any any (msg:"APT.Backdoor.MSIL.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"virtualdataserver.com"; within:100; sid:77600855; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"APT.Backdoor.MSIL.SUNBURST"; content:"|00 01 00 00|"; offset:4; depth:4; content:"|0b|appsync-api"; distance:0; content:"|09|"; within:1; content:"-"; distance:2; within:1; content:"st"; distance:2; within:2; content:"|0a|avsvmcloud|03|com"; distance:0; content:!"|00 00 0B 61 70 70 73 79 6E 63 2D 61 70 69|"; sid:77600868; rev:1;)
alert tcp $HOME_NET any -> any 443 (msg:"Backdoor.BEACON"; content:"|16 03 03|"; depth:3; content:"incomeupdate.com"; sid:77600840; rev:1;)
alert tcp $HOME_NET any -> any 443 (msg:"Backdoor.BEACON"; content:"|16 03 03|"; depth:3; content:"zupertech.com"; sid:77600863; rev:1;)
alert tcp $HOME_NET any -> any 443 (msg:"Backdoor.BEACON"; content:"|16 03 03|"; depth:3; content:"databasegalore.com"; sid:77600864; rev:1;)
alert tcp $HOME_NET any -> any 443 (msg:"Backdoor.BEACON"; content:"|16 03 03|"; depth:3; content:"panhardware.com"; sid:77600865; rev:1;)
alert tcp $HOME_NET any -> any any (msg:"Backdoor.BEACON"; content:"POST"; depth:4; content:"|0d 0a 0d 0a|name=\""; content:"\"\;filename=\""; content:"\"|0a|Content-Type:"; sid:77600837; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"Backdoor.BEACON"; content:"HTTP/1."; depth:7; content:"Server: nginx/1.14.0 (Ubuntu)"; distance:0; content:"Connection: close"; distance:0; content:"Cache-Control: max-age=300, must-revalidate"; distance:0; content:"X-Content-Type-Options: nosniff"; distance:0; content:"X-AspNetMvc-Version: 3.0"; distance:0; content:"X-AspNet-Version: 4.0.30319"; distance:0; content:"X-Powered-By: ASP.NET"; distance:0; content:"Content-Length: "; content:"|0d 0a|"; distance:6; within:4; sid:77600856; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"Backdoor.BEACON"; flow:from_server; content:"<title>Woman-Five-How-To-Why-Your-Celebrating-Learn-Brand</title>"; sid:77600857; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"Backdoor.BEACON"; flow:from_server; content:"<p>Companies-Best-Man-Vendors-Best</p>"; sid:77600858; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"Backdoor.BEACON"; flow:from_server; content:"<meta name=\"msvalidate.01\" content=\"ECEE9516DDABFC7CCBBF1EACC04CAC20\">"; content:"<meta name=\"google-site-verification\" content=\"CD5EF1FCB54FE29C838ABCBBE0FA57AE\">"; sid:77600859; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"Backdoor.BEACON"; flow:from_server; content:"<p>Million-Support-Years-Week-Agents</p>"; sid:77600860; rev:1;)
alert tcp $HOME_NET any -> any 443 (msg:"Backdoor.BEACON"; content:"|16 03 03|"; depth:3; content:"websitetheme.com"; sid:77600866; rev:1;)