# Created by Steven Drenning @ Quadrant Information Security
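#
# DevilsTongue indicators (Microsoft security blog, 2021-07-15; see reference:url on each rule)
# expressed as Suricata rules. sid range 10000358-10000376, local-rule space.
#
# sids 10000358-10000359: file-based indicators.
# NOTE(review): both rules match the literal text `event_type":"fileinfo` followed by the hash
# or filename inside a raw TCP payload, i.e. they inspect Suricata EVE JSON that is itself
# carried over the wire (e.g. log forwarding), not the file transfer that produced the event.
# Confirm that is the intended deployment; to match the transferred file directly, the native
# `filesha256` (hash-list file) and `filename` keywords are the usual approach.
alert tcp any any -> $HOME_NET any (msg:"[DevilsTongue] FileHash For Physmem.sys Detected"; content:"event_type|22 3a 22|fileinfo"; content:"c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d"; reference:url,microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware; classtype:trojan-activity; sid:10000358; rev:1;)
# rev 2: the inner double quotes around WimBootConfigurations.ini in msg were unescaped, which
# is invalid inside a quoted option value; escaped as \" so the rule parses.
alert tcp any any -> $HOME_NET any (msg:"[DevilsTongue] File \"WimBootConfigurations.ini\" Detected"; content:"event_type|22 3a 22|fileinfo"; content:"WimBootConfigurations.ini"; nocase; reference:url,microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware; classtype:trojan-activity; sid:10000359; rev:2;)
#
# sids 10000360-10000376: DNS lookups of the published C2 domains.
# Each content is an unanchored, case-insensitive substring match on the dns.query buffer, so a
# longer name that merely contains the string also fires; append `endswith;` (Suricata 5.0+) or
# `isdataat:!1,relative;` after `nocase;` if an exact-suffix match is wanted. All rules share the
# same msg, so the matched domain is only visible via sid or the EVE dns record.
alert dns $HOME_NET any -> any 53 (msg:"[DevilsTongue] DNS Query"; dns.query; content:"noc-service-streamer.com"; nocase; reference:url,microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/; classtype:trojan-activity; sid:10000360; rev:1;)
alert dns $HOME_NET any -> any 53 (msg:"[DevilsTongue] DNS Query"; dns.query; content:"fbcdnads.live"; nocase; reference:url,microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/; classtype:trojan-activity; sid:10000361; rev:1;)
alert dns $HOME_NET any -> any 53 (msg:"[DevilsTongue] DNS Query"; dns.query; content:"hilocake.info"; nocase; reference:url,microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/; classtype:trojan-activity; sid:10000362; rev:1;)
alert dns $HOME_NET any -> any 53 (msg:"[DevilsTongue] DNS Query"; dns.query; content:"backxercise.com"; nocase; reference:url,microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/; classtype:trojan-activity; sid:10000363; rev:1;)
alert dns $HOME_NET any -> any 53 (msg:"[DevilsTongue] DNS Query"; dns.query; content:"winmslaf.xyz"; nocase; reference:url,microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/; classtype:trojan-activity; sid:10000364; rev:1;)
alert dns $HOME_NET any -> any 53 (msg:"[DevilsTongue] DNS Query"; dns.query; content:"service-deamon.com"; nocase; reference:url,microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/; classtype:trojan-activity; sid:10000365; rev:1;)
alert dns $HOME_NET any -> any 53 (msg:"[DevilsTongue] DNS Query"; dns.query; content:"online-affiliate-mon.com"; nocase; reference:url,microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/; classtype:trojan-activity; sid:10000366; rev:1;)
alert dns $HOME_NET any -> any 53 (msg:"[DevilsTongue] DNS Query"; dns.query; content:"codeingasmylife.com"; nocase; reference:url,microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/; classtype:trojan-activity; sid:10000367; rev:1;)
alert dns $HOME_NET any -> any 53 (msg:"[DevilsTongue] DNS Query"; dns.query; content:"kenoratravels.com"; nocase; reference:url,microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/; classtype:trojan-activity; sid:10000368; rev:1;)
alert dns $HOME_NET any -> any 53 (msg:"[DevilsTongue] DNS Query"; dns.query; content:"weathercheck.digital"; nocase; reference:url,microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/; classtype:trojan-activity; sid:10000369; rev:1;)
alert dns $HOME_NET any -> any 53 (msg:"[DevilsTongue] DNS Query"; dns.query; content:"colorpallatess.com"; nocase; reference:url,microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/; classtype:trojan-activity; sid:10000370; rev:1;)
alert dns $HOME_NET any -> any 53 (msg:"[DevilsTongue] DNS Query"; dns.query; content:"library-update.com"; nocase; reference:url,microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/; classtype:trojan-activity; sid:10000371; rev:1;)
alert dns $HOME_NET any -> any 53 (msg:"[DevilsTongue] DNS Query"; dns.query; content:"online-source-validate.com"; nocase; reference:url,microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/; classtype:trojan-activity; sid:10000372; rev:1;)
alert dns $HOME_NET any -> any 53 (msg:"[DevilsTongue] DNS Query"; dns.query; content:"grayhornet.com"; nocase; reference:url,microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/; classtype:trojan-activity; sid:10000373; rev:1;)
alert dns $HOME_NET any -> any 53 (msg:"[DevilsTongue] DNS Query"; dns.query; content:"johnshopkin.net"; nocase; reference:url,microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/; classtype:trojan-activity; sid:10000374; rev:1;)
# rev 2: the content value had a trailing space ("eulenformacion.com "), which never occurs in
# a query name, so the rule could not match; the space is removed.
alert dns $HOME_NET any -> any 53 (msg:"[DevilsTongue] DNS Query"; dns.query; content:"eulenformacion.com"; nocase; reference:url,microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/; classtype:trojan-activity; sid:10000375; rev:2;)
alert dns $HOME_NET any -> any 53 (msg:"[DevilsTongue] DNS Query"; dns.query; content:"pochtarossiy.info"; nocase; reference:url,microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/; classtype:trojan-activity; sid:10000376; rev:1;)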