From 19092d82f84794f0e63f668b101e25e3dd2c9aea Mon Sep 17 00:00:00 2001 From: johnk3r Date: Wed, 14 Jun 2023 10:05:08 -0300 Subject: [PATCH 1/3] Create quasar-rat-c2.yaml --- ssl/c2/quasar-rat-c2.yaml | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 ssl/c2/quasar-rat-c2.yaml diff --git a/ssl/c2/quasar-rat-c2.yaml b/ssl/c2/quasar-rat-c2.yaml new file mode 100644 index 0000000000..ee6e523208 --- /dev/null +++ b/ssl/c2/quasar-rat-c2.yaml @@ -0,0 +1,29 @@ +id: quasar-rat-c2 + +info: + name: Detect SSL Certificate Quasar RAT C2 + author: johnk3r + severity: info + description: | + Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult. + reference: | + https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat + metadata: + max-request: 1 + verified: "true" + shodan-query: ssl.cert.subject.cn:"Quasar Server CA" + tags: c2,ir,osint,malware + +ssl: + - address: "{{Host}}:{{Port}}" + + matchers: + - type: word + part: issuer_cn + words: + - "Quasar Server CA" + + extractors: + - type: json + json: + - " .issuer_cn" From 886e444e3d46964eb151a026cd5bafd8fb0b352a Mon Sep 17 00:00:00 2001 From: pussycat0x <65701233+pussycat0x@users.noreply.github.com> Date: Wed, 14 Jun 2023 20:01:09 +0530 Subject: [PATCH 2/3] minor -update --- ssl/c2/quasar-rat-c2.yaml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/ssl/c2/quasar-rat-c2.yaml b/ssl/c2/quasar-rat-c2.yaml index ee6e523208..be1e836a1e 100644 --- a/ssl/c2/quasar-rat-c2.yaml +++ b/ssl/c2/quasar-rat-c2.yaml @@ -2,7 +2,7 @@ id: quasar-rat-c2 info: name: Detect SSL Certificate Quasar RAT C2 - author: johnk3r + author: johnk3r,pussycat0x severity: info description: | Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult. @@ -12,7 +12,8 @@ info: max-request: 1 verified: "true" shodan-query: ssl.cert.subject.cn:"Quasar Server CA" - tags: c2,ir,osint,malware + censys-query: 'services.tls.certificates.leaf_data.subject.common_name: {"Orcus Server","OrcusServerCertificate"}' + tags: c2,ir,osint,malware,quasar,rat ssl: - address: "{{Host}}:{{Port}}" @@ -22,6 +23,8 @@ ssl: part: issuer_cn words: - "Quasar Server CA" + - "OrcusServerCertificate" + condition: or extractors: - type: json From 579fd894ae9d5c5e5e96e17e75f4912d6a2329a0 Mon Sep 17 00:00:00 2001 From: pussycat0x <65701233+pussycat0x@users.noreply.github.com> Date: Wed, 14 Jun 2023 20:07:08 +0530 Subject: [PATCH 3/3] lint & name - fix --- ssl/c2/quasar-rat-c2.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ssl/c2/quasar-rat-c2.yaml b/ssl/c2/quasar-rat-c2.yaml index be1e836a1e..2bfbb82a05 100644 --- a/ssl/c2/quasar-rat-c2.yaml +++ b/ssl/c2/quasar-rat-c2.yaml @@ -1,7 +1,7 @@ id: quasar-rat-c2 info: - name: Detect SSL Certificate Quasar RAT C2 + name: Quasar RAT C2 SSL Certificate - Detect author: johnk3r,pussycat0x severity: info description: | @@ -24,7 +24,7 @@ ssl: words: - "Quasar Server CA" - "OrcusServerCertificate" - condition: or + condition: or extractors: - type: json