Merge pull request #3318 from SigmaHQ/rule-devel

rule: myjino github repo compromise
Florian Roth
2022-08-03 08:42:17 +02:00
committed by GitHub
4 changed files with 57 additions and 2 deletions
@@ -0,0 +1,18 @@
title: Github Repo Compromise Domain MyJino RU
id: 242e0911-294a-44ea-a54e-7eea97aa2622
status: test
description: Detects connections to the host used in a big repository compromise discovered in August 2022
references:
- https://twitter.com/stephenlacy/status/1554697077430505473
date: 2022/08/03
author: Florian Roth
logsource:
product: linux
category: network_connection
detection:
selection:
DestinationHostname: 'ovz1.j19544519.pr46m.vps.myjino.ru'
condition: selection
falsepositives:
- Users looking up that domain after reading the report (unlikely)
level: high
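Review bot: the title `Github Repo Compromise Domain MyJino RU` on the first line of this hunk is identical to the title of the Windows rule added later in this PR, and the two rules differ only in `product`; suffix each title with its platform (for example `... - Linux` here) so that converted queries and alerts can be told apart. While here, consider aligning the selection with the Windows variant, which also requires `Initiated: 'true'`; a `DestinationHostname`-only match will also fire on inbound connections if the sensor logs them.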
@@ -0,0 +1,18 @@
title: DNS Lookup Github Repo Compromise Domain MyJino RU
id: 6b0dd2e4-13ff-4eff-b79b-4444fad43644
status: test
description: Detects connections to the host used in a big repository compromise discovered in August 2022
references:
- https://twitter.com/stephenlacy/status/1554697077430505473
date: 2022/08/03
author: Florian Roth
logsource:
category: dns
detection:
selection:
query: 'ovz1.j19544519.pr46m.vps.myjino.ru'
condition: selection
falsepositives:
- Users looking up that domain after reading the report (unlikely)
- Web proxy or other security device DNS lookups of the domain
level: high
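Review bot: the description `Detects connections to the host used in a big repository compromise discovered in August 2022` was copied from the network_connection rules, but this rule matches `query:` under the `dns` log source; reword it to something like `Detects DNS queries for the domain used in a big repository compromise discovered in August 2022` so the description states what the rule actually fires on. The added second false-positive entry about web proxy or security-device lookups is appropriate for a DNS rule and should stay.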
@@ -0,0 +1,19 @@
title: Github Repo Compromise Domain MyJino RU
id: 3a9f4c77-8e2e-45eb-abc1-4754f670d3a9
status: test
description: Detects connections to the host used in a big repository compromise discovered in August 2022
references:
- https://twitter.com/stephenlacy/status/1554697077430505473
date: 2022/08/03
author: Florian Roth
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
DestinationHostname: 'ovz1.j19544519.pr46m.vps.myjino.ru'
condition: selection
falsepositives:
- Users looking up that domain after reading the report (unlikely)
level: high
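Review bot: the title here duplicates the Linux rule's title verbatim; add a platform qualifier (for example `... - Windows`) so the two rules are distinguishable. All three rules in this PR key on the single hostname `ovz1.j19544519.pr46m.vps.myjino.ru`, so they are pure IoC matches that will go stale once the campaign infrastructure changes; the August 2022 date in the description is the only hint of that, and it would help maintainers to say explicitly that the rule is tied to this one campaign's indicator.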
@@ -4,8 +4,8 @@ status: experimental
description: Detects an executable that isn't dropbox but communicates with the Dropbox API
author: Florian Roth
references:
- https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb
- https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east
- https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb
- https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east
date: 2022/04/20
logsource:
category: network_connection
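Review bot: the removed and re-added `references:` entries in this hunk carry identical text (the any.run task and the Zscaler Molerats post appear once on each side), so the change is whitespace-only, presumably a list-indentation fix. That is fine, but it is unrelated to the myjino rules named in the commit message; either mention it there or move it to its own commit so the history stays searchable. Since the file is being touched anyway, the description `Detects an executable that isn't dropbox but communicates with the Dropbox API` could use the product name consistently (`Dropbox` in both places).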