
Introducing CENTS reporting module #605

Merged (29 commits), Oct 18, 2021

Conversation

zoomequipd (Contributor)

Support for automated Suricata rules based on extracted configurations with the initial implementation supporting Remcos, SquirrelWaffle, and TrickBot.

This feature will be presented in depth during SURICON.

Jack Mott, Brandon Murphy, and Konstantin Klinger

Malware is increasingly using encryption and TLS for command-and-control network traffic. This increased adoption has resulted in difficulty when creating typical network intrusion detection signatures. However, it is often possible to extract the configuration of a malware sample including DGA seeds, C2 domains/ports, crypto keys, version number, etc. These details can be used to determine what post-exploitation or post-infection network communication can be expected from the malware in later stages of malware execution.

This presentation will demonstrate how to leverage existing extracted configuration parameters from Cape Sandbox to generate Suricata signatures. While this is easy on a per sample basis, any solution should be scalable and enable automatic signature creation for the most common malware families. Our proposed solution, CENTS – Configuration Extraction to Network Traffic Signatures, will demonstrate one method of achieving automated coverage for the most common malware families which use encryption and TLS.

Feel free to squash as needed.

klingerko and others added 29 commits September 13, 2021 15:19

* add reporting module modules/reporting/cents.py
  -> checks if we have an extracted malware config
  -> checks if we have a parser for the config
  -> creates Suricata rules
  -> writes ruleset to cents.rules
* add reporting module to config conf/reporting.conf
* make cents.rules ruleset available for download in UI
* add md5 of sample to rule (we can add a lot more info from the run)
* make start sid a config item
* move rule creation functions for each family into its own file and import it
* add basic cobalt strike beacon rule function

only display cents download button if we have rules

add date of the analysis run of the sample to rules

add link to analysis to rule reference

# Conflicts:
#	lib/cuckoo/common/cents/cents_azorult.py
#	lib/cuckoo/common/cents/cents_cobaltstrikebeacon.py
#	modules/reporting/cents.py

Introducing CENTS reporting module
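The flow the PR description and the commit list sketch (is there an extracted config, is there a handler for that family, build the Suricata rules, write cents.rules, stamp each rule with the sample md5, the run date and a link back to the analysis, number sids from a configurable start) as an added Python example. This is not CAPE's own modules/reporting/cents.py: the config dict layout (`family` plus a list of `host:port` C2 entries), the function names and the rule wording are assumptions made for this illustration. The one point it adds beyond the commit list is that every value copied into a rule comes from the malware sample, so it is allow-listed before it touches rule syntax rather than escaped after the fact.

```python
"""Generate Suricata rules from an extracted malware configuration.

Added example following the CENTS flow from the PR (extracted config present?
-> family handler present? -> build rules -> write cents.rules). It is not
CAPE's own modules/reporting/cents.py; the config layout ({"family", "c2"}),
function names and rule wording are assumptions made for this illustration.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# Families the PR's first implementation supports.
SUPPORTED_FAMILIES = ("Remcos", "SquirrelWaffle", "TrickBot")

# Allow-lists applied to values that originate from the sample itself. An
# adversary controls the config, so a value containing ';', '"' or '|' must
# never be pasted into rule syntax; it is dropped instead of escaped.
_HOSTNAME_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)+$")
_URL_RE = re.compile(r"^[A-Za-z0-9./_?=&%+-]+$")
_DATE_RE = re.compile(r"^\d{4}_\d{2}_\d{2}$")  # metadata values: no spaces/commas


def parse_c2(entry: str) -> Optional[Tuple[str, int, bool]]:
    """Validate one 'host:port' config entry (IPv4 address or hostname).

    Returns (host, port, is_ip), or None when the entry is unusable.
    """
    host, sep, port_s = entry.rpartition(":")
    if not sep or not port_s.isdigit() or not 1 <= int(port_s) <= 65535:
        return None
    try:
        ipaddress.IPv4Address(host)
        return host, int(port_s), True
    except ValueError:
        host = host.lower()
        if _HOSTNAME_RE.match(host):
            return host, int(port_s), False
    return None


def build_rules(config: dict, md5: str, analysis_url: str,
                run_date: str, start_sid: int) -> List[str]:
    """Build one rule per valid C2 entry; [] when no handler covers the family.

    md5 and analysis_url become 'reference:' keywords, run_date goes into
    'metadata:' and start_sid seeds the sid counter, the fields the commit
    list says CENTS adds to each rule.
    """
    family = config.get("family")
    if family not in SUPPORTED_FAMILIES or not config.get("c2"):
        return []
    if not re.fullmatch(r"[0-9a-f]{32}", md5):
        raise ValueError("md5 must be 32 lowercase hex characters")
    if not _DATE_RE.match(run_date):
        raise ValueError("run_date must look like YYYY_MM_DD")
    # Suricata's reference.config prepends the scheme, so store the URL without it.
    url = re.sub(r"^https?://", "", analysis_url)
    if not _URL_RE.match(url):
        raise ValueError("analysis_url contains characters not allowed in a reference")

    rules: List[str] = []
    sid = start_sid
    for entry in config["c2"]:
        parsed = parse_c2(entry)
        if parsed is None:  # skip rather than emit a half-validated rule
            continue
        host, port, is_ip = parsed
        tail = (f"reference:md5,{md5}; reference:url,{url}; "
                f"classtype:trojan-activity; sid:{sid}; rev:1; "
                f"metadata:created_at {run_date}, malware_family {family};)")
        if is_ip:
            rules.append(
                f"alert tcp $HOME_NET any -> {host} {port} "
                f'(msg:"CENTS {family} C2 connection to {host}:{port}"; '
                f"flow:established,to_server; {tail}")
        else:
            rules.append(
                "alert dns $HOME_NET any -> any any "
                f'(msg:"CENTS {family} C2 domain lookup {host}"; '
                f'dns.query; content:"{host}"; nocase; endswith; {tail}')
        sid += 1
    return rules


def write_ruleset(rules: List[str], path: str) -> int:
    """Write the ruleset (one rule per line) and return the rule count."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(rules) + ("\n" if rules else ""))
    return len(rules)


if __name__ == "__main__":
    # Constructed sample config; addresses are documentation/reserved ranges.
    sample_config = {
        "family": "Remcos",
        "c2": ["c2.example.invalid:2404", "203.0.113.7:443",
               'inj"ect;ion.example:80', "too.high.example:70000"],
    }
    for rule in build_rules(sample_config, "d41d8cd98f00b204e9800998ecf8427e",
                            "https://cape.example.invalid/analysis/1/",
                            "2021_10_18", 1000000):
        print(rule)
```

Two of the four constructed entries are rejected: one carries rule-syntax characters, the other an impossible port. The remaining two become a `dns.query` rule for the domain and a `tcp` rule pinned to the IP and port, numbered from the configured start sid; a real deployment would also want `rev` bumped when a rule for the same sample is regenerated with changed content.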
@doomedraven doomedraven merged commit 29073d4 into kevoreilly:master Oct 18, 2021
@doomedraven (Collaborator)

nice stuff thank you a lot

@kevoreilly (Owner)

Awesome

4 participants