The last few days I have seen Rig Exploit Kit traffic on the networks I look after. FireEye has been doing a decent job at picking up the traffic.
There is a good article written by the SANS Internet Storm Center that does a far better job than I can of explaining and analyzing the traffic.
So there is quite a simple rule that can be written in RSA to identify this type of traffic.
Your rule can be set up as follows:
query contains 'PrfJxzFGMSUb'
The string has been present in the traffic I have seen on the networks I look after and in various pcaps available. If you look at the strings closely you will see there are several parts of the query that appear to be in common.
So far I have had great success with this effective but simple rule.
This rule was written to help identify any exploit attempts against the recently found MySQL vulnerability: http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2016-6662-advisory-recent-mysql-code-executionprivilege-escalation-zero-day-vulnerability/
So I have created a rule that contains the following:
MySQL exploit attempt CVE-2016-6662
query contains 'unhex' || query contains '67656e6572616c5f6c6f675f66696c65' || query contains '2e636e66' || query contains '6e6d616c6c6f635f6c6962' || query contains 'global_log_dir' || query contains 'nmalloc_lib' || extension = 'cnf'
I looked at the Snort rules from the Emerging Threats ruleset, picked out the relevant content that could be searched for in RSA, and this is what I came up with.
This has generated a few false positives based on the hex values, but so far I'm happy with what it has been identifying.
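To see what the two rules above actually match, here is an added example (not from the original post and not RSA NetWitness code) that emulates `query contains 'a' || query contains 'b' ...` as a case-insensitive substring match over constructed sample queries. It decodes the hex-encoded terms of the CVE-2016-6662 rule to their plaintext, shows the Rig EK marker firing on a constructed landing-page URL, and shows the false-positive path the post mentions: a benign `unhex()` call trips the rule while a plaintext `general_log_file` assignment does not, because only its hex form is in the term list. The rule names, the event field `query`, the sample events and the case-insensitive matching are assumptions for the example.

```python
"""
Added example: evaluate RSA-style "query contains" rules over sample events.
Not the post's code and not the RSA NetWitness rule engine. Matching is done
as a case-insensitive substring test (an assumption; adjust if your platform
matches case-sensitively). Sample events below are constructed, not real traffic.
"""
import binascii

# Rule 1 from the post: marker string seen in Rig EK landing-page URLs.
RIG_EK_TERMS = ["PrfJxzFGMSUb"]

# Rule 2 from the post: terms lifted from the Emerging Threats CVE-2016-6662
# signatures (hex-encoded strings plus their plaintext counterparts).
MYSQL_6662_TERMS = [
    "unhex",
    "67656e6572616c5f6c6f675f66696c65",
    "2e636e66",
    "6e6d616c6c6f635f6c6962",
    "global_log_dir",
    "nmalloc_lib",
]

RULES = {
    "Rig EK landing page": RIG_EK_TERMS,             # rule name is an assumption
    "MySQL exploit attempt CVE-2016-6662": MYSQL_6662_TERMS,
}


def decode_hex_terms(terms):
    """Map each term to its ASCII decoding if it is valid hex, else None.
    Useful for documenting what a hex indicator actually matches."""
    decoded = {}
    for term in terms:
        try:
            decoded[term] = binascii.unhexlify(term).decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            decoded[term] = None  # odd length or non-hex: a plaintext term
    return decoded


def query_matches(query, terms):
    """Emulate `query contains t1 || query contains t2 ...`.
    Returns the list of terms that hit; an empty list means no alert."""
    lowered = query.lower()
    return [t for t in terms if t.lower() in lowered]


def evaluate(events, rules):
    """Run every rule over every event; return (event_id, rule_name, hits)."""
    alerts = []
    for event in events:
        for name, terms in rules.items():
            hits = query_matches(event["query"], terms)
            if hits:
                alerts.append((event["id"], name, hits))
    return alerts


# Constructed sample events (assumption: the meta key is called "query").
SAMPLE_EVENTS = [
    {"id": 1, "query": "/?ct=PrfJxzFGMSUb&hv=1234"},           # Rig EK style URL
    {"id": 2, "query": "SET GLOBAL general_log_file = '/var/lib/mysql/my.cnf'"},
    {"id": 3, "query": "SELECT unhex('2e636e66')"},            # hex-encoded '.cnf'
    {"id": 4, "query": "SELECT unhex(hex_col) FROM imports"},  # benign unhex() use
    {"id": 5, "query": "SELECT name FROM users WHERE id = 7"},
]


if __name__ == "__main__":
    for term, plain in decode_hex_terms(MYSQL_6662_TERMS).items():
        print(f"{term:34} -> {plain!r}")
    for event_id, rule, hits in evaluate(SAMPLE_EVENTS, RULES):
        print(f"event {event_id}: {rule} matched {hits}")
```

Running it shows event 3 hitting on both `unhex` and the hex form of `.cnf`, event 4 hitting on `unhex` alone (the false-positive case), and event 2 producing no alert at all even though it sets `general_log_file` in plaintext, which is worth checking against the Emerging Threats signatures if you want the plaintext form covered too.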