From 72dbfffc0f18e63910c2b0f5693a4d8e8ee90bde Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 3 Aug 2022 08:34:28 +0200
Subject: [PATCH] rule: myjino github repo compromise
---
 .../net_connection_github_myjino_ru.yml | 18 ++++++++++++++++++
 .../network/dns/net_dns_github_myjino_ru.yml | 18 ++++++++++++++++++
 .../net_connection_win_github_myjino_ru.yml | 19 +++++++++++++++++++
 .../net_connection_win_susp_dropbox_api.yml | 4 ++--
 4 files changed, 57 insertions(+), 2 deletions(-)
 create mode 100644 rules/linux/network_connection/net_connection_github_myjino_ru.yml
 create mode 100644 rules/network/dns/net_dns_github_myjino_ru.yml
 create mode 100644 rules/windows/network_connection/net_connection_win_github_myjino_ru.yml
diff --git a/rules/linux/network_connection/net_connection_github_myjino_ru.yml b/rules/linux/network_connection/net_connection_github_myjino_ru.yml
new file mode 100644
index 000000000..32669786f
--- /dev/null
+++ b/rules/linux/network_connection/net_connection_github_myjino_ru.yml
@@ -0,0 +1,18 @@
+title: Github Repo Compromise Domain MyJino RU
+id: 242e0911-294a-44ea-a54e-7eea97aa2622
+status: test
+description: Detects connections to the host used in a big repository compromise discovered in August 2022
+references:
+ - https://twitter.com/stephenlacy/status/1554697077430505473
+date: 2022/08/03
+author: Florian Roth
+logsource:
+ product: linux
+ category: network_connection
+detection:
+ selection:
+ DestinationHostname: 'ovz1.j19544519.pr46m.vps.myjino.ru'
+ condition: selection
+falsepositives:
+ - Users looking up that domain after reading the report (unlikely)
+level: high
diff --git a/rules/network/dns/net_dns_github_myjino_ru.yml b/rules/network/dns/net_dns_github_myjino_ru.yml
new file mode 100644
index 000000000..3c7d2d26f
--- /dev/null
+++ b/rules/network/dns/net_dns_github_myjino_ru.yml
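Review bot: The new rule has no `tags:` block, so it carries no ATT&CK mapping the way most rules in this repository do and downstream tooling cannot classify the alert. The incident it covers is a supply-chain compromise with the attacker host as the exfiltration endpoint, so a block such as `tags:` / `- attack.exfiltration` / `- attack.t1041` placed after `falsepositives` would fit — confirm the technique IDs against the referenced thread before committing. Separately, `DestinationHostname` on a Linux network_connection event is presumably only populated when the sensor manages to resolve the destination, so a connection to the already-resolved address may log an empty hostname and slip past the exact match; if the report yields a resolved IP, a second selection on `DestinationIp` joined with `condition: 1 of selection*` would close that gap.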
@@ -0,0 +1,18 @@
+title: DNS Lookup Github Repo Compromise Domain MyJino RU
+id: 6b0dd2e4-13ff-4eff-b79b-4444fad43644
+status: test
+description: Detects connections to the host used in a big repository compromise discovered in August 2022
+references:
+ - https://twitter.com/stephenlacy/status/1554697077430505473
+date: 2022/08/03
+author: Florian Roth
+logsource:
+ category: dns
+detection:
+ selection:
+ query: 'ovz1.j19544519.pr46m.vps.myjino.ru'
+ condition: selection
+falsepositives:
+ - Users looking up that domain after reading the report (unlikely)
+ - Web proxy or other security device DNS lookups of the domain
+level: high
diff --git a/rules/windows/network_connection/net_connection_win_github_myjino_ru.yml b/rules/windows/network_connection/net_connection_win_github_myjino_ru.yml
new file mode 100644
index 000000000..ece890aaf
--- /dev/null
+++ b/rules/windows/network_connection/net_connection_win_github_myjino_ru.yml
@@ -0,0 +1,19 @@
+title: Github Repo Compromise Domain MyJino RU
+id: 3a9f4c77-8e2e-45eb-abc1-4754f670d3a9
+status: test
+description: Detects connections to the host used in a big repository compromise discovered in August 2022
+references:
+ - https://twitter.com/stephenlacy/status/1554697077430505473
+date: 2022/08/03
+author: Florian Roth
+logsource:
+ category: network_connection
+ product: windows
+detection:
+ selection:
+ Initiated: 'true'
+ DestinationHostname: 'ovz1.j19544519.pr46m.vps.myjino.ru'
+ condition: selection
+falsepositives:
+ - Users looking up that domain after reading the report (unlikely)
+level: high
diff --git a/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml b/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml
index 4442ccbe7..a683212c0 100644
--- a/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml
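Review bot: The `description` says "Detects connections to the host" but this rule matches on the DNS `query` field, not on a connection — the sentence was carried over from the network_connection rule and misstates what an alert means; `description: Detects DNS queries for the host used in a big repository compromise discovered in August 2022` matches what `selection` actually fires on. A hit here only proves the name was resolved, not that anything was sent, which the second falsepositives entry about proxies and security devices already acknowledges, so it may be worth deciding deliberately whether `level: high` should sit a notch below the connection rules. Like its siblings the rule has no `tags:` block, so it carries no ATT&CK mapping for downstream tooling.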
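Review bot: The `title` is byte-identical to the Linux rule's title added in the same commit, which makes the two rules indistinguishable in an alert feed and which the repository's rule tests may reject as a duplicate title; suffixing the platform, `title: Github Repo Compromise Domain MyJino RU - Windows` (and `- Linux` on the sibling), keeps them apart. The `Initiated: 'true'` restriction to outbound connections is a sensible addition that the Linux rule lacks, so either both rules should carry it or the omission there should be deliberate. As with the other two rules, a `tags:` block with the ATT&CK mapping is missing.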
@@ -4,8 +4,8 @@ status: experimental
 description: Detects an executable that isn't dropbox but communicates with the Dropbox API
 author: Florian Roth
 references:
- - https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb
- - https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east
+ - https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb
+ - https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east
 date: 2022/04/20
 logsource:
 category: network_connection