diff --git a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/README.md b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/README.md
new file mode 100644
index 000000000..4ea905d24
--- /dev/null
+++ b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/README.md
@@ -0,0 +1,23 @@
+# UNC4841 Exploiting Barracuda ESG Zero-Day Vulnerability
+
+## Summary
+
+On May 23, 2023, Barracuda announced that a zero-day vulnerability (CVE-2023-2868) in the Barracuda Email Security Gateway (ESG) had been exploited in-the-wild as early as October 2022 and that they engaged Mandiant to assist in the investigation. Through the investigation, Mandiant identified a suspected China-nexus actor, currently tracked as UNC4841, targeting a subset of Barracuda ESG appliances to utilize as a vector for espionage, spanning a multitude of regions and sectors. Mandiant assesses with high confidence that UNC4841 is an espionage actor behind this wide-ranging campaign in support of the People’s Republic of China.
+
+You can find more information on the threat in the following articles:
+
+- [Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China](https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally)
+- [Barracuda ESG: CVE-2023-2868 Hardening Recommendations](https://mandiant.widen.net/s/qwlxddwdg6/barracuda-cve-2023-2868-hardening)
+
+## Rules
+
+- [UNC4841 - Email Exfiltration File Pattern](./file_event_lnx_apt_unc4841_exfil_mail_pattern.yml)
+- [UNC4841 - Barracuda ESG Exploitation Indicators](./file_event_lnx_apt_unc4841_file_indicators.yml)
+- [UNC4841 - SSL Certificate Exfiltration Via Openssl](./proc_creation_lnx_apt_unc4841_openssl_connection.yml)
+- [UNC4841 - Download Compressed Files From Temp.sh Using Wget](./proc_creation_lnx_apt_unc4841_wget_download_compressed_file_tmep_sh.yml)
+- [UNC4841 - Download Tar File From Untrusted Direct IP Via Wget](./proc_creation_lnx_apt_unc4841_wget_download_tar_files_direct_ip.yml)
+- [UNC4841 - Potential SEASPY Execution](./proc_creation_lnx_atp_unc4841_seaspy_execution.yml)
+
+> **Note**
+>
+> The detection and hunting rules provided for this threat might produce false positives when used outside of the context of
incident response or compromise assessment. They are meant to be run and executed on affected systems and environments to look for signs of compromise.
diff --git a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_exfil_mail_pattern.yml b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_exfil_mail_pattern.yml
new file mode 100644
index 000000000..73a470476
--- /dev/null
+++ b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_exfil_mail_pattern.yml
@@ -0,0 +1,22 @@
+title: UNC4841 - Email Exfiltration File Pattern
+id: 5627c337-a9b2-407a-a82d-5fd97035ff39
+status: experimental
+description: Detects filename pattern of email related data used by UNC4841 for staging and exfiltration
+references:
+ - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/06/16
+tags:
+ - attack.execution
+ - attack.persistence
+ - attack.defense_evasion
+logsource:
+ product: linux
+ category: file_event
+detection:
+ selection:
+ TargetFilename|re: '/mail/tmp/[a-zA-Z0-9]{3}[0-9]{3}\.tar\.gz'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_file_indicators.yml b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_file_indicators.yml
new file mode 100644
index 000000000..13f53ca5f
--- /dev/null
+++ b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_file_indicators.yml
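Review bot: The `id: 5627c337-a9b2-407a-a82d-5fd97035ff39` of this new rule is reused verbatim by file_event_lnx_apt_unc4841_file_indicators.yml later in the same commit, and Sigma requires every rule id to be unique, so one of the two needs a fresh UUID before this merges. The tags `attack.execution`, `attack.persistence` and `attack.defense_evasion` also do not describe what the description says the rule catches (staged email archives under `/mail/tmp/`); `attack.collection` with `attack.t1074.001` (local data staging) and `attack.exfiltration` would match the content, provided the referenced report supports that mapping. A `falsepositives` entry naming any legitimate ESG maintenance that writes `.tar.gz` files to `/mail/tmp/` would help, since `Unknown` on a `level: high` rule gives the analyst nothing to triage against.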
@@ -0,0 +1,63 @@
+title: UNC4841 - Barracuda ESG Exploitation Indicators
+id: 5627c337-a9b2-407a-a82d-5fd97035ff39
+status: experimental
+description: Detects file indicators as seen used by UNC4841 during their Barracuda ESG zero day exploitation.
+references:
+ - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/06/16
+tags:
+ - attack.execution
+ - attack.persistence
+ - attack.defense_evasion
+logsource:
+ product: linux
+ category: file_event
+detection:
+ selection:
+ TargetFilename|endswith:
+ - '/11111.tar'
+ - '/aacore.sh'
+ - '/appcheck.sh'
+ - '/autoins'
+ - '/BarracudaMailService'
+ - '/etc/cron.daily/core_check.sh'
+ - '/etc/cron.daily/core.sh'
+ - '/etc/cron.hourly/aacore.sh'
+ - '/etc/cron.hourly/appcheck.sh'
+ - '/etc/cron.hourly/core.sh'
+ - '/get_fs_info.pl'
+ - '/imgdata.jpg'
+ - '/install_att_v2.tar'
+ - '/install_bvp74_auth.tar'
+ - '/install_helo.tar'
+ - '/install_reuse.tar'
+ - '/intent_helo'
+ - '/intent_reuse'
+ - '/intentbas'
+ - '/mknod'
+ - '/mod_attachment.lua'
+ - '/mod_content.lua'
+ - '/mod_require_helo.lua'
+ - '/mod_rtf'
+ - '/mod_sender.lua'
+ - '/mod_udp.so'
+ - '/nfsd_stub.ko'
+ - '/resize_reisertab'
+ - '/resize_risertab'
+ - '/resize2fstab'
+ - '/rverify'
+ - '/saslautchd'
+ - '/sendscd'
+ - '/snapshot.tar'
+ - '/tmp/p'
+ - '/tmp/p7'
+ - '/tmp/t'
+ - '/update_v2.sh'
+ - '/update_v31.sh'
+ - '/update_v35.sh'
+ - '/update_version'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_openssl_connection.yml b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_openssl_connection.yml
new file mode 100644
index 000000000..09a386649
--- /dev/null
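Review bot: Several entries in `TargetFilename|endswith` are generic enough to fire outside an intrusion: `'/mknod'` matches the coreutils binary path on any package update, and `'/tmp/p'`, `'/tmp/t'`, `'/autoins'` or `'/rverify'` are short basenames that ordinary scripts create, which is hard to square with `falsepositives: Unlikely` at `level: high`. Consider anchoring the short names to the directories the report gives for them, or moving the generic ones into a lower-level companion rule so the high-confidence list stays clean. The `id` here is also identical to the one in file_event_lnx_apt_unc4841_exfil_mail_pattern.yml from this commit; one of them must get a new UUID for the ruleset to validate.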
+++ b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_openssl_connection.yml
@@ -0,0 +1,29 @@
+title: UNC4841 - SSL Certificate Exfiltration Via Openssl
+id: 60911c07-f989-4362-84af-c609828ef829
+status: experimental
+description: Detects the execution of "openssl" to connect to a direct IP. This techniques was used by UNC4841 to exfiltrate SSL certificates and as a C2 channel with named pipes. Investigate commands executed in the temporal vicinity of this command.
+references:
+ - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/06/16
+tags:
+ - attack.defense_evasion
+ - attack.t1140
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ Image|endswith: '/openssl'
+ CommandLine|re: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
+ CommandLine|contains|all:
+ - 's_client'
+ - '-quiet'
+ - '-connect'
+ CommandLine|contains:
+ - ':443'
+ - ':8080'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_compressed_file_tmep_sh.yml b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_compressed_file_tmep_sh.yml
new file mode 100644
index 000000000..7c1098d33
--- /dev/null
+++ b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_compressed_file_tmep_sh.yml
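Review bot: The `CommandLine|contains` list restricting matches to `:443` and `:8080` narrows the rule to two ports while the other conditions (`s_client`, `-quiet`, `-connect`, the dotted-quad regex) already pin the behaviour, so `-connect <ip>:8443` slips past for no gain in precision. Unless the report documents only those two ports, drop that list or justify it with a comment such as `# Note: Ports observed in the referenced report; widen if other C2 ports are seen`. The tags `attack.defense_evasion` / `attack.t1140` (deobfuscate/decode) look copied from another rule; the description talks about certificate exfiltration and a C2 channel, which maps to `attack.exfiltration` with `attack.t1048` and `attack.command_and_control`. The description should also read `This technique was used`, not `This techniques was used`.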
@@ -0,0 +1,25 @@
+title: UNC4841 - Download Compressed Files From Temp.sh Using Wget
+id: 60d050c4-e253-4d9a-b673-5ac100cfddfb
+status: experimental
+description: Detects execution of "wget" to download a ".zip" or ".rar" files from "temp.sh". As seen used by UNC4841 during their Barracuda ESG zero day exploitation.
+references:
+ - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/06/16
+tags:
+ - attack.defense_evasion
+ - attack.t1140
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ Image|endswith: '/wget'
+ CommandLine|contains: 'https://temp.sh/'
+ CommandLine|endswith:
+ - '.rar'
+ - '.zip'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_tar_files_direct_ip.yml b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_tar_files_direct_ip.yml
new file mode 100644
index 000000000..bd11ff089
--- /dev/null
+++ b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_tar_files_direct_ip.yml
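Review bot: `CommandLine|endswith` on `.rar`/`.zip` only matches when the archive name is the final token, so `wget https://temp.sh/abcd/x.zip -O /tmp/x` or `wget https://temp.sh/abcd/x.zip -P /tmp` are missed although they are the same behaviour; `CommandLine|contains` for `'.rar'` and `'.zip'` combined with the existing temp.sh match keeps the intent without the argument-order dependency. Requiring `https://temp.sh/` likewise drops plain `http://` invocations, so `CommandLine|contains: 'temp.sh/'` is the safer anchor. The `attack.defense_evasion` / `attack.t1140` tags do not fit a download; `attack.command_and_control` with `attack.t1105` (ingress tool transfer) is the usual mapping. The filename `..._tmep_sh.yml` has a typo for `temp`, which the README link also inherits, so rename before merge.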
@@ -0,0 +1,47 @@
+title: UNC4841 - Download Tar File From Untrusted Direct IP Via Wget
+id: 23835beb-ec38-4e74-a5d4-b99af6684e91
+status: experimental
+description: Detects execution of "wget" to download a "tar" from a direct IP that doesn't have a trusted certificate. As seen used by UNC4841 during their Barracuda ESG zero day exploitation.
+references:
+ - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/06/16
+tags:
+ - attack.defense_evasion
+ - attack.t1140
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ Image|endswith: '/wget'
+ CommandLine|re: 'https://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
+ CommandLine|contains: '--no-check-certificate'
+ CommandLine|endswith: '.tar'
+ filter_local_ips:
+ # Note: Uncomment this filter if you want to exclude local IPs
+ CommandLine|contains:
+ - 'https://10.' #10.0.0.0/8
+ - 'https://192.168.' #192.168.0.0/16
+ - 'https://172.16.' #172.16.0.0/12
+ - 'https://172.17.'
+ - 'https://172.18.'
+ - 'https://172.19.'
+ - 'https://172.20.'
+ - 'https://172.21.'
+ - 'https://172.22.'
+ - 'https://172.23.'
+ - 'https://172.24.'
+ - 'https://172.25.'
+ - 'https://172.26.'
+ - 'https://172.27.'
+ - 'https://172.28.'
+ - 'https://172.29.'
+ - 'https://172.30.'
+ - 'https://172.31.'
+ - 'https://127.' #127.0.0.0/8
+ - 'https://169.254.' #169.254.0.0/16
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_atp_unc4841_seaspy_execution.yml b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_atp_unc4841_seaspy_execution.yml
new file mode 100644
index 000000000..666f56cf5
--- /dev/null
+++ b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_atp_unc4841_seaspy_execution.yml
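Review bot: `filter_local_ips` is defined but `condition: selection` never references it, and the comment above it says to uncomment the filter although nothing is commented out, so the block is dead weight that may also trip the ruleset's unused-selection validation. Either wire it in (`condition: selection and not filter_local_ips`) with the comment rewritten to say it can be removed to include internal hosts, or comment the whole block out so the note is accurate. `CommandLine|endswith: '.tar'` has the same argument-order brittleness as the temp.sh rule in this commit: a trailing `-O` or `-P` after the URL defeats the match, whereas `CommandLine|contains: '.tar'` does not. `attack.t1140` is not the technique here either; `attack.t1105` fits a tool download.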
@@ -0,0 +1,23 @@
+title: UNC4841 - Potential SEASPY Execution
+id: f6a711f3-d032-4f9e-890b-bbe776236c84
+status: experimental
+description: Detects execution of a specific named binaries which were used by UNC4841 to deploy their SEASPY backdoor
+references:
+ - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/06/16
+tags:
+ - attack.execution
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ Image|endswith:
+ - '/BarracudaMailService'
+ - '/resize2fstab'
+ - '/resize_reisertab'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: critical
diff --git a/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml b/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml
index 15a14c0af..7931a51fe 100644
--- a/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml
@@ -4,8 +4,10 @@ status: experimental description: Detects suspicious process command line that uses base64 encoded input for execution with a shell references: - https://github.com/arget13/DDexec + - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally author: pH-T (Nextron Systems) date: 2022/07/26 +modified: 2023/06/16 tags: - attack.defense_evasion - attack.t1140
@@ -14,7 +16,7 @@ logsource: category: process_creation detection: selection_base64: - CommandLine|contains: 'base64 -w0 ' + CommandLine|contains: 'base64 ' selection_exec: - CommandLine|contains: - '| bash '
@@ -22,11 +24,11 @@ detection: - '|bash ' - '|sh ' - CommandLine|endswith: + - ' |sh' - '| bash' - '| sh' - '|bash' - - ' |sh' - condition: selection_base64 and selection_exec + condition: all of selection_* falsepositives: - Legitimate administration activities level: medium
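Review bot: `Image|endswith` lists `/resize2fstab` and `/resize_reisertab` but not `/resize_risertab`, which file_event_lnx_apt_unc4841_file_indicators.yml in this same commit treats as an UNC4841 artefact; if the report gives that spelling as a SEASPY binary name it belongs here too, otherwise the two rules should agree on which names are real. The file is named `proc_creation_lnx_atp_...` while every sibling uses `apt`; rename it so the README link and the naming convention stay consistent. `'/BarracudaMailService'` at `level: critical` with `falsepositives: Unlikely` is a vendor-looking basename on a vendor appliance, so a comment confirming it was checked against a clean ESG image (`# Note: No legitimate Barracuda component runs under this basename`) would make the level defensible.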
diff --git a/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation.yml b/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation.yml
new file mode 100644
index 000000000..d60f1cb6e
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation.yml
@@ -0,0 +1,21 @@
+title: Named Pipe Created Via Mkfifo
+id: 9d779ce8-5256-4b13-8b6f-b91c602b43f4
+status: experimental
+description: Detects the creation of a new named pipe using the "mkfifo" utility
+references:
+ - https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk
+ - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/06/16
+tags:
+ - attack.execution
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection:
+ Image|endswith: '/mkfifo'
+ condition: selection
+falsepositives:
+ - Unknown
+level: low
diff --git a/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml b/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml
new file mode 100644
index 000000000..3eb9cc19e
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml
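Review bot: `Image|endswith: '/mkfifo'` covers the coreutils utility only; a named pipe is equally created with `mknod <path> p`, and the file-indicator rule in this commit already lists `/mknod` as an artefact, so a second selection (`selection_mknod` with `Image|endswith: '/mknod'` and `CommandLine|endswith: ' p'`, joined by `condition: 1 of selection_*`) would close the obvious bypass. `falsepositives: Unknown` understates things for a `level: low` rule that fires on every FIFO; naming build scripts, init systems and shell coprocess helpers there tells the person enabling it what volume to expect.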
@@ -0,0 +1,26 @@
+title: Named Pipe Created Via Mkfifo
+id: 999c3b12-0a8c-40b6-8e13-dd7d62b75c7a
+related:
+ - id: 9d779ce8-5256-4b13-8b6f-b91c602b43f4
+ type: derived
+status: experimental
+description: Detects the creation of a new named pipe using the "mkfifo" utility in a potentially suspicious location
+references:
+ - https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk
+ - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/06/16
+tags:
+ - attack.execution
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection:
+ Image|endswith: '/mkfifo'
+ # Note: Add more potentially suspicious locations
+ CommandLine|contains: ' /tmp/'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml b/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml
index f7eb84dc4..6136eb2eb 100644
--- a/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml
@@ -9,6 +9,7 @@ references: - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/ author: Nextron Systems date: 2022/06/03 +modified: 2023/06/16 tags: - attack.execution - attack.t1059
@@ -17,7 +18,11 @@ logsource: product: linux detection: selection_img: - Image|contains: + - Image|endswith: + - '/python' + - '/python2' + - '/python3' + - Image|contains: - '/python2.' # python image is always of the form ../python3.10; ../python is just a symlink - '/python3.' selection_cli_1:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml b/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml
index 086c8de1c..cffd28155 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml
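Review bot: The `title` is byte-for-byte the same as the base rule 9d779ce8-5256-4b13-8b6f-b91c602b43f4 it is derived from, so alerts from the two are indistinguishable in a SIEM; `title: Named Pipe Created Via Mkfifo In Suspicious Location` matches both the description and the filename. `CommandLine|contains: ' /tmp/'` is the only location despite the inline note; `' /var/tmp/'` and `' /dev/shm/'` are the other world-writable directories a reader would expect in that list and cost two lines. Because the match is on the command line rather than the created path, `cd /tmp && mkfifo p` is not caught; acceptable for a derived rule, but worth a one-line comment so nobody assumes path-based coverage.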
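Review bot: The retained comment `# python image is always of the form ../python3.10; ../python is just a symlink` is now contradicted by the new `Image|endswith` entries for `/python`, `/python2` and `/python3`, which exist precisely because some environments report the unversioned name as the image; update it to `# Note: Some environments report the unversioned symlink as Image, so both forms are matched` so the next reader does not delete the new list as redundant. The hunk ends at `selection_cli_1:`, so the remaining selections and the condition that combines them are outside this view and I cannot confirm the new list-of-maps shape is consumed correctly.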
+++ b/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml
@@ -6,7 +6,7 @@ references: - https://pentestlaboratories.com/2021/12/08/process-ghosting/ author: Max Altgelt (Nextron Systems) date: 2021/12/09 -modified: 2023/06/07 +modified: 2023/06/15 tags: - attack.defense_evasion logsource:
@@ -99,6 +99,9 @@ detection: CommandLine|contains|all: - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe' - '/update UPDATEORCHESTRATOR displaylevel=False' + filter_optional_docker: + ParentImage: 'C:\Windows\System32\services.exe' + Image|endswith: 'com.docker.service' condition: not known_image_extension and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - Unknown
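Review bot: `Image|endswith: 'com.docker.service'` has no leading path separator, so any image whose name merely ends in that string (for example `evil-com.docker.service` launched as a service) is excluded from this non-.exe image rule; `Image|endswith: '\com.docker.service'` pins the match to the basename at no cost. Because this is an exclusion at the tail of a long `filter_optional_` list, a short comment naming the product (`# Docker Desktop service host, started by the SCM`) would help the next reviewer judge whether it still belongs. The `condition` line is unchanged context here, so the new filter is picked up by `not 1 of filter_optional_*` without further edits.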