🐾 - 🚨 Possible Windows Installer / Bitsadmin or Desktopimgdownldr TLSv1.2 connection to FQDN - T1105 - Suricata Rule 3300209 (pawpatrules)

🐾 - 🚨 Possible Windows Installer / Bitsadmin or Desktopimgdownldr TLSv1.2 connection to FQDN - T1105

SID: 3300209Rev: 201 viewsHistory

Sourcepawpatrules

CreatedMay 18, 2023

UpdatedMarch 6, 2025

Classificationpolicy-violation

alert tls $HOME_NET any -> any any (msg:"🐾 - 🚨 Possible Windows Installer / Bitsadmin or Desktopimgdownldr TLSv1.2 connection to FQDN - T1105"; flow:to_server, stateless; ja3.hash; content:"bd0bf25947d4a37404f0424edf4db9ad"; fast_pattern; tls_sni; content:!"microsoft.com"; endswith; nocase; content:!"live.com"; endswith; nocase; content:!"google.com"; endswith; nocase; content:!".ms"; endswith; nocase; content:!"libreoffice.org"; endswith; nocase; content:!"skype.com"; endswith; nocase; content:!"windows.net"; endswith; nocase; content:!"googleapis.com"; endswith; nocase; content:!"office.com"; endswith; nocase; content:!"azureedge.net"; endswith; nocase; content:!"sophosupd.com"; endswith; nocase; content:!"sophosxl.net"; endswith; nocase; content:!"sophos.com"; endswith; nocase; content:!"office.net"; endswith; nocase; content:!"jive.com"; endswith; nocase; content:!"adobe.com"; endswith; nocase; content:!"avast.com"; endswith; nocase; content:!"mozilla.org"; endswith; nocase; content:!".microsoft"; nocase; endswith; content:!".gvt1.com"; nocase; endswith; content:!".msedge.net"; nocase; endswith; content:!".msn.com"; nocase; endswith; content:!".microsoftonline.com"; nocase; endswith; content:!".windows.com"; nocase; endswith; content:!".bing.com"; nocase; endswith; content:!".mozilla.net"; nocase; endswith; reference:url,https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/#download; reference:url,https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/#download; reference:url,https://lolbas-project.github.io/lolbas/Binaries/Desktopimgdownldr/#download; reference:url,https://www.senseon.io/resource/resurgent-usb-malware-battling-raspberry-robin/; target:src_ip; metadata:attack_target Client_and_Server, signature_severity Major, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0011, mitre_tactic_name Command_and_Control, mitre_technique_id T1105, mitre_technique_name Ingress_Tool_Transfer, created_at 2023_05_18, updated_at 2025_03_06; sid:3300209; rev:20; classtype:policy-violation;)

References

url	https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/#download
url	https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/#download
url	https://lolbas-project.github.io/lolbas/Binaries/Desktopimgdownldr/#download
url	https://www.senseon.io/resource/resurgent-usb-malware-battling-raspberry-robin/

Metadata

attack targetClient_and_Server

signature severityMajor

affected productWindows_XP_Vista_7_8_10_11_Server_32_64_Bit

mitre tactic idTA0011

mitre tactic nameCommand_and_Control

mitre technique idT1105

mitre technique nameIngress_Tool_Transfer

created at2023_05_18

updated at2025_03_06

Comments (0)

Please sign in to leave a comment.

No comments yet. Be the first to comment!