"value":"alert tcp any any -> any any ( sid:2000210015; msg:\"P.A.S. webshell - passwd BruteForce form parameters\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"br=&brp%5B%5D=\"; http_client_body; fast_pattern; \\\r\n pcre:\"/br=&brp%5B%5D=[hfmysp]&h%5B[hfmysp]%5D=.{1,64}&p%5B[hfmysp]%5D=[0-9]{1,5}/\"; http_client_body;)"
},
{
"category":"Network activity",
"comment":"",
"deleted":false,
"disable_correlation":false,
"timestamp":"1613462523",
"to_ids":true,
"type":"snort",
"uuid":"407b6ae2-b350-49b4-84a3-c60706c3de45",
"value":"alert tcp any any -> any any ( sid:2000210001; msg:\"P.A.S. webshell - Explorer - download file\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"fe=&fdw=%2F\"; http_client_body; offset:0)\r\n\r\nalert tcp any any -> any any ( sid:2000210002; msg:\"P.A.S. webshell - Explorer - copy file\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"fe=&fcf=%2F\"; http_client_body; offset:0)\r\n\r\nalert tcp any any -> any any ( sid:2000210003; msg:\"P.A.S. webshell - Explorer - move file\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"fe=&fm=%2F\"; http_client_body; offset:0)\r\n\r\nalert tcp any any -> any any ( sid:2000210004; msg:\"P.A.S. webshell - Explorer - del file\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"fe=&fd=%2F\"; http_client_body; offset:0)\r\n\r\nalert tcp any any -> any any ( sid:2000210005; msg:\"P.A.S. webshell - Explorer - multi file download\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"fe=&fc%5B%5D=%2F\"; http_client_body; offset:0; \\\r\n content:\"&fdwa=Download\"; http_client_body; )\r\n\r\nalert tcp any any -> any any ( sid:2000210006; msg:\"P.A.S. webshell - Explorer - multi file copy\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"fe=&fc%5B%5D=%2F\"; http_client_body; offset:0; \\\r\n content:\"&fca=Copy\"; http_client_body;)\r\n\r\nalert tcp any any -> any any ( sid:2000210007; msg:\"P.A.S. webshell - Explorer - multi file move\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"fe=&fc%5B%5D=%2F\"; http_client_body; offset:0; \\\r\n content:\"&fma=Move\"; http_client_body; )\r\n\r\nalert tcp any any -> any any ( sid:2000210008; msg:\"P.A.S. 
webshell - Explorer - multi file delete\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"fe=&fc%5B%5D=%2F\"; http_client_body; offset:0; \\\r\n content:\"&fda=Delete\"; http_client_body; ) \r\n\r\nalert tcp any any -> any any ( sid:2000210009; msg:\"P.A.S. webshell - Explorer - paste\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"fe=&fbp=Paste\"; http_client_body; offset:0; )"
},
{
"category":"Network activity",
"comment":"",
"deleted":false,
"disable_correlation":false,
"timestamp":"1613462557",
"to_ids":true,
"type":"snort",
"uuid":"9a2728e5-a907-4904-8067-9c373924678b",
"value":"alert tcp any any -> any any ( sid:2000210000; msg:\"P.A.S. webshell - Response Footer\"; \\\r\n flow:to_client,established; content:\"200\"; http_stat_code; \\\r\n file_data; content:\"<fieldset class=\\\"footer\\\"><table width=\\\"100%\\\" border=\\\"0\\\"><tr><td>P.A.S. v\";)"
},
{
"category":"Network activity",
"comment":"",
"deleted":false,
"disable_correlation":false,
"timestamp":"1613462580",
"to_ids":true,
"type":"snort",
"uuid":"817b4025-2723-4ec0-9a81-5be8713c9504",
"value":"alert tcp any any -> any any ( sid:2000210012; msg:\"P.A.S. webshell - Network Tools - Bind Port\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"pb=\"; offset:0; http_client_body; \\\r\n pcre:\"/pb=[0-9]{1,5}&nt=bp/\"; )\r\n\r\nalert tcp any any -> any any ( sid:2000210013; msg:\"P.A.S. webshell - Network Tools - Back-connect\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"hbc=\"; offset:0; http_client_body; \\\r\n pcre:\"/hbc=[a-z0-9.-]{4,63}&pbc=[0-9]{1,5}&nt=bc/\"; )\r\n\r\nalert tcp any any -> any any ( sid:2000210014; msg:\"P.A.S. webshell - Network Tools - Port scanner\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"hs=\"; offset:0; http_client_body; \\\r\n pcre:\"/hs=[a-z0-9.-]{4,63}&pf=[0-9]{1,5}&pl=[0-9]{1,5}&sc=[0-9]{1,5}&nt=ps/\"; )"
},
{
"category":"Network activity",
"comment":"",
"deleted":false,
"disable_correlation":false,
"timestamp":"1613462602",
"to_ids":true,
"type":"snort",
"uuid":"daa160ad-5a32-45be-b252-8d23058982ab",
"value":"alert tcp any any -> any any ( sid:2000211001; msg:\"P.A.S. webshell - Password cookie\"; \\\r\n flow:established; content:\"g__g_=\"; http_cookie; offset:0; )\r\n \r\nalert tcp any any -> any any ( sid:2000211002; msg:\"P.A.S. webshell - Password form var\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"g__g_=\"; http_cookie; http_client_body; offset:0; )"
},
{
"category":"Network activity",
"comment":"",
"deleted":false,
"disable_correlation":false,
"timestamp":"1613462623",
"to_ids":true,
"type":"snort",
"uuid":"78938c6b-8c68-4363-aa87-739e5869f753",
"value":"alert tcp any any -> any any ( sid:2000210016; msg:\"P.A.S. webshell - Bind shell session\"; \\\r\n content:\"Hello from P.A.S. Bind Port\"; )\r\n\r\nalert tcp any any -> any any ( sid:2000210017; msg:\"P.A.S. webshell - Reverse shell session\"; \\\r\n content:\"Hello from P.A.S. BackConnect\"; )"
},
{
"category":"Network activity",
"comment":"",
"deleted":false,
"disable_correlation":false,
"timestamp":"1613462643",
"to_ids":false,
"type":"snort",
"uuid":"3ece03fc-263e-4d22-b34f-fd2035ba23c2",
"value":"alert tcp any any -> any any ( sid:2000210010; msg:\"P.A.S. webshell - Searcher form parameters\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"fe=&fsr=\"; offset:0; fast_pattern; \\\r\n pcre:\"/fe=&fsr=[0-2]&fst=[0-2]&fsn=(\\*|[A-Za-z0-9 *._%-]+)&fsp=[A-Za-z0-9 *._%-]+&fs=%3E&fss=.*/\";)"
},
{
"category":"Network activity",
"comment":"",
"deleted":false,
"disable_correlation":false,
"timestamp":"1613462667",
"to_ids":false,
"type":"snort",
"uuid":"aeb6cc44-bf59-4d86-a682-1f1515766bf6",
"value":"alert tcp any any -> any any ( sid:2000210011; msg:\"P.A.S. webshell - SQL-client connect parameters\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"sc%5Btp%5D=\"; offset:0; http_client_body; fast_pattern; \\\r\n pcre:\"/sc%5Btp%5D=(mysql|mssql|pg)&sc%5Bha%5D=/\"; http_client_body;)"
},
{
"category":"Targeting data",
"comment":"",
"deleted":false,
"disable_correlation":false,
"timestamp":"1613463516",
"to_ids":false,
"type":"target-org",
"uuid":"f769a073-b68f-4bc5-a69d-46b06d6e9e5d",
"value":"Centreon"
}
],
"Object":[
{
"comment":"Linux/Exaramel backdoor",
"deleted":false,
"description":"File object describing a file with meta-information",
"value":"/* configuration file */\r\n\r\nrule exaramel_configuration_key {\r\n\r\n\tmeta:\r\n\t\tauthor = \"FR/ANSSI/SDO\"\r\n\t\tdescription = \"Encryption key for the configuration file in sample e1ff72[...]\"\r\n\t\tTLP = \"White\"\r\n\r\n\tstrings:\r\n\t\t$ = \"odhyrfjcnfkdtslt\"\r\n\r\n\tcondition:\r\n\t\tall of them\r\n}\r\n\r\nrule exaramel_configuration_name_encrypted {\r\n\r\n\tmeta:\r\n\t\tauthor = \"FR/ANSSI/SDO\"\r\n\t\tdescription = \"Name of the configuration file in sample e1ff72[...]\"\r\n\t\tTLP = \"White\"\r\n\r\n\tstrings:\r\n\t\t$ = \"configtx.json\"\r\n\r\n\tcondition:\r\n\t\tall of them\r\n}\r\n\r\nrule exaramel_configuration_file_plaintext {\r\n\r\n\tmeta:\r\n\t\tauthor = \"FR/ANSSI/SDO\"\r\n\t\tdescription = \"Content of the configuration file (plaintext)\"\r\n\t\tTLP = \"White\"\r\n\r\n\tstrings:\r\n\t\t$ = /{\"Hosts\":\\[\".{10,512}\"\\],\"Proxy\":\".{0,512}\",\"Version\":\".{1,32}\",\"Guid\":\"/\r\n\r\n\tcondition:\r\n\t\tall of them\r\n}\r\n\r\nrule exaramel_configuration_file_ciphertext {\r\n\r\n\tmeta:\r\n\t\tauthor = \"FR/ANSSI/SDO\"\r\n\t\tdescription = \"Content of the configuration file (encrypted with key odhyrfjcnfkdtslt, sample e1ff72[...]\"\r\n\t\tTLP = \"White\"\r\n\r\n\tstrings:\r\n\t\t$ = {6F B6 08 E9 A3 0C 8D 5E DD BE D4} // encrypted with key odhyrfjcnfkdtslt\r\n\r\n\tcondition:\r\n\t\tall of them\r\n}\r\n\r\n/* persistence */\r\n\r\nprivate rule exaramel_persistence_file_systemd {\r\n\r\n\tmeta:\r\n\t\tauthor = \"FR/ANSSI/SDO\"\r\n\t\tdescription = \"Beginning of the file /etc/systemd/system/syslogd.service created for persistence with systemd\"\r\n\t\tTLP = \"White\"\r\n\r\n\tstrings:\r\n\t\t$ = /\\[Unit\\]\\nDescription=Syslog daemon\\n\\n\\[Service\\]\\nWorkingDirectory=.{1,512}\\nExecStartPre=\\/bin\\/rm \\-f \\/tmp\\/\\.applocktx\\n/\r\n\r\n\tcondition:\r\n\t\tall of them\r\n}\r\n\r\nprivate rule exaramel_persistence_file_upstart {\r\n\r\n\tmeta:\r\n\t\tauthor = \"FR/ANSSI/SDO\"\r\n\t\tdescription = \"Part of the 
file /etc/init/syslogd.conf created for persistence with upstart\"\r\n\t\tTLP = \"White\"\r\n\r\n\tstrings:\r\n\t\t$ = /start on runlevel \\[2345\\]\\nstop on runlevel \\[06\\]\\n\\nrespawn\\n\\nscript\\nrm \\-f \\/tmp\\/\\.applocktx\\nchdir/\r\n\r\n\tcondition:\r\n\t\tall of them\r\n}\r\n\r\nprivate rule exaramel_persistence_file_systemv {\r\n\r\n\tmeta:\r\n\t\tauthor = \"FR/ANSSI/SDO\"\r\n\t\tdescription = \"Part of the file /etc/init.d/syslogd created for persistence with upstart\"\r\n\t\tTLP = \"White\"\r\n\r\n\tstrings:\r\n\t\t$ = \"# Short-Description: Syslog service for monitoring \\n### END INIT INFO\\n\\nrm -f /tmp/.applocktx && cd \"\r\n\r\n\tcondition:\r\n\t\tall of them\r\n}\r\n\r\nrule exaramel_persistence_file {\r\n\r\n\tmeta:\r\n\t\tauthor = \"FR/ANSSI/SDO\"\r\n\t\tdescription = \"File created for persistence. Depends on the environment\"\r\n\t\tTLP = \"White\"\r\n\r\n\tcondition:\r\n\t\texaramel_persistence_file_systemd or exaramel_persistence_file_upstart or exaramel_persistence_file_systemv\r\n}\r\n\r\n/* misc */\r\n\r\nrule exaramel_socket_path {\r\n\r\n\tmeta:\r\n\t\tauthor = \"FR/ANSSI/SDO\"\r\n\t\tdescription = \"Path of the unix socket created to prevent concurrent executions\"\r\n\t\tTLP = \"White\"\r\n\r\n\tstrings:\r\n\t\t$ = \"/tmp/.applocktx\"\r\n\r\n\tcondition:\r\n\t\tall of them\r\n}\r\n\r\nrule exaramel_task_names {\r\n\r\n\tmeta:\r\n\t\tauthor = \"FR/ANSSI/SDO\"\r\n\t\tdescription = \"Name of the tasks received by the CC\"\r\n\t\tTLP = \"White\"\r\n\r\n\tstrings:\r\n\t\t$ = \"App.Delete\"\r\n\t\t$ = \"App.SetServer\"\r\n\t\t$ = \"App.SetProxy\"\r\n\t\t$ = \"App.SetTimeout\"\r\n\t\t$ = \"App.Update\"\r\n\t\t$ = \"IO.ReadFile\"\r\n\t\t$ = \"IO.WriteFile\"\r\n\t\t$ = \"OS.ShellExecute\"\r\n\r\n\tcondition:\r\n\t\tall of them\r\n}\r\n\r\nrule exaramel_struct {\r\n\r\n\tmeta:\r\n\t\tauthor = \"FR/ANSSI/SDO\"\r\n\t\tdescription = \"Beginning of type _type struct for some of the most important structs\"\r\n\t\tTLP = 
\"White\"\r\n\r\n\tstrings:\r\n\t\t$struct_le_config={70000000000000005800000000000000472d
}
]
},
{
"comment":"PAS webshell",
"deleted":false,
"description":"An object describing a YARA rule (or a YARA rule name) along with its version.",
"value":"rule PAS_webshell_ZIPArchiveFile {\r\n\r\n meta:\r\n author = \"FR/ANSSI/SDO\"\r\n description = \"Detects an archive file created by P.A.S. for download operation\"\r\n TLP = \"White\"\r\n\r\n strings:\r\n $ = /Archive created by P\\.A\\.S\\. v.{1,30}\\nHost: : .{1,200}\\nDate : [0-9]{1,2}-[0-9]{1,2}-[0-9]{4}/\r\n\r\n condition:\r\n all of them\r\n}"
}
]
},
{
"comment":"",
"deleted":false,
"description":"Metadata used to generate an executive level report",
"value":"The following indicators, SNORT rules and YARA rules are from ANSSI\u2019s analysis of an intrusion campaign targeting the monitoring software Centreon, attributed to the intrusion set Sandworm, which resulted in the breach of several French entities. This intrusion campaign is described in the report CERTFR-2021-CTI-005. These technical elements are provided to help detect malicious activities in logs, on systems and in live network traffic. A match on any of these elements cannot be considered proof of intrusion on its own and should be investigated to confirm. Some elements detect tools shared between several attackers, so their detection is not sufficient to link an intrusion to this campaign. ANSSI is interested in every incident discovered and linked to this campaign."