├── README.md
├── RYUK
│   ├── cobaltstrike_c2s.txt
│   └── ryuk.yar
└── TRICKBOT
    ├── trickbot-exfil.pcap
    └── trickbot.rules

/README.md:
--------------------------------------------------------------------------------
# Threat intelligence and threat detections

This repo contains threat intelligence information and threat detection indicators (IOC, IOA) shared by [Swisscom CSIRT](https://twitter.com/swisscom_csirt).

| Content | Indicators | Communication |
| :--- | :--- | :--- |
| Ryuk Cobalt Strike C2s | [cobaltstrike_c2s.txt](https://github.com/swisscom/detections/blob/main/RYUK/cobaltstrike_c2s.txt), [ryuk.yar](https://github.com/swisscom/detections/blob/main/RYUK/ryuk.yar) | [Tweet](https://twitter.com/swisscom_csirt/status/1321777140992516096) |
| Trickbot Network Activity | [Suricata Rule](https://github.com/swisscom/detections/blob/main/TRICKBOT/trickbot.rules), [trickbot-exfil.pcap](https://github.com/swisscom/detections/blob/main/TRICKBOT/trickbot-exfil.pcap) | [Tweet](https://twitter.com/swisscom_csirt/status/1332339058912206850) |
--------------------------------------------------------------------------------

/RYUK/cobaltstrike_c2s.txt:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------

/RYUK/ryuk.yar:
--------------------------------------------------------------------------------
import "pe"

rule RANSOM_RYUK_DROPPER : RANSOMWARE RYUK
{
    meta:
        Description = "Detects specific Microsoft PE Signature used by RYUK DROPPERS"
        Author      = "Swisscom CSIRT"
        Date        = "2020-10-29"

    condition:
        // MZ header, then the ProductName string in the PE version resource
        uint16(0x00) == 0x5a4d and pe.version_info["ProductName"] contains "Microsoft Corp. SAPI5 samples"
}
--------------------------------------------------------------------------------

/TRICKBOT/trickbot-exfil.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/swisscom/detections/128e2fab11215cd8cb84d81d5ddd4b3075e9f8f0/TRICKBOT/trickbot-exfil.pcap
--------------------------------------------------------------------------------

/TRICKBOT/trickbot.rules:
--------------------------------------------------------------------------------
# Trickbot
# Exfiltration: multipart POST carrying the "proclist" and "sysinfo" fields filled by the
# collection commands; the last content ("nltest") must follow "net view /all" (distance:0).
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"TROJAN Win32/Trickbot Data Exfiltration"; flow:established,to_server; content:"POST"; http_method; content:"name=\"proclist\""; content:"svchost.exe"; content:"name=\"sysinfo\""; content:"ipconfig"; content:"net view /all"; content:"nltest"; distance:0; reference:md5,f99adab7b2560097119077b99aceb40d; classtype:trojan-activity; sid:1001001; rev:1;)

# Check-in: POST to a /yas8/ URI with the hard-coded "Winhttp 1/0" User-Agent header.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"TROJAN Win32/Trickbot Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/yas8/"; http_uri; content:"User-Agent|3a 20|Winhttp 1/0"; http_header; reference:md5,f99adab7b2560097119077b99aceb40d; classtype:trojan-activity; sid:1001002; rev:1;)
--------------------------------------------------------------------------------
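Added example, not part of the Swisscom repository: a small Python re-implementation of the content-matching logic of the Trickbot data exfiltration rule above, run over a constructed HTTP POST so the rule's content set and its `distance:0` anchoring can be unit-tested offline. It assumes Suricata's semantics as stated in the comments (unordered contents match anywhere, a relative content must start at or after the end of the previous match, with backtracking to later occurrences); the request bytes and the helper names are constructed for illustration.

```python
from typing import List, Tuple

# Content keywords of the exfil rule, in order, after the http_method check.
# The flag marks a content carrying distance:0 (relative to the previous match).
EXFIL_CONTENTS: List[Tuple[bytes, bool]] = [
    (b'name="proclist"', False),
    (b"svchost.exe", False),
    (b'name="sysinfo"', False),
    (b"ipconfig", False),
    (b"net view /all", False),
    (b"nltest", True),  # distance:0 in the rule
]


def _match_chain(payload: bytes, idx: int, cursor: int) -> bool:
    """Match EXFIL_CONTENTS[idx:] against payload.

    A non-relative content may match anywhere; a relative one must start at or
    after `cursor`, the end of the previous match. Every occurrence of a pattern
    is tried so a failed relative match can fall back to a later occurrence of
    the preceding content (assumed Suricata behaviour)."""
    if idx == len(EXFIL_CONTENTS):
        return True
    pattern, relative = EXFIL_CONTENTS[idx]
    pos = payload.find(pattern, cursor if relative else 0)
    while pos != -1:
        if _match_chain(payload, idx + 1, pos + len(pattern)):
            return True
        pos = payload.find(pattern, pos + 1)
    return False


def matches_trickbot_exfil(request: bytes) -> bool:
    """True if the raw HTTP request would satisfy the exfiltration rule."""
    if request.split(b" ", 1)[0] != b"POST":  # content:"POST"; http_method;
        return False
    return _match_chain(request, 0, 0)


# Constructed multipart POST mimicking the fields the rule looks for (not real traffic).
SAMPLE_EXFIL = (
    b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n"
    b"Content-Type: multipart/form-data; boundary=x\r\n\r\n"
    b'--x\r\nContent-Disposition: form-data; name="proclist"\r\n\r\n'
    b"svchost.exe\r\nexplorer.exe\r\n"
    b'--x\r\nContent-Disposition: form-data; name="sysinfo"\r\n\r\n'
    b"ipconfig /all output\r\nnet view /all output\r\nnltest output\r\n--x--\r\n"
)

if __name__ == "__main__":
    print(matches_trickbot_exfil(SAMPLE_EXFIL))  # True
```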