From 86ca651ea6914fc3d5d21a4e28fc7b8c5edd57e2 Mon Sep 17 00:00:00 2001 From: signalblur <45216760+signalblur@users.noreply.github.com> Date: Tue, 16 Apr 2024 08:36:41 -0400 Subject: [PATCH] Merge PR #4801 from @signalblur - Add Pnscan rule new: Pnscan Binary Data Transmission Activity --------- Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com> Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> --- ...creation_lnx_pnscan_binary_cli_pattern.yml | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 rules/linux/process_creation/proc_creation_lnx_pnscan_binary_cli_pattern.yml
diff --git a/rules/linux/process_creation/proc_creation_lnx_pnscan_binary_cli_pattern.yml b/rules/linux/process_creation/proc_creation_lnx_pnscan_binary_cli_pattern.yml
new file mode 100644
index 000000000..5424c0eb8
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_pnscan_binary_cli_pattern.yml
@@ -0,0 +1,26 @@
+title: Pnscan Binary Data Transmission Activity
+id: 97de11cd-4b67-4abf-9a8b-1020e670aa9e
+status: experimental
+description: |
+ Detects command line patterns associated with the use of Pnscan for sending and receiving binary data across the network.
+ This behavior has been identified in a Linux malware campaign targeting Docker, Apache Hadoop, Redis, and Confluence and was previously used by the threat actor known as TeamTNT
+author: David Burkett (@signalblur)
+date: 2024/04/16
+references:
+ - https://www.cadosecurity.com/blog/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence
+ - https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf
+ - https://regex101.com/r/RugQYK/1
+ - https://www.virustotal.com/gui/file/beddf70a7bab805f0c0b69ac0989db6755949f9f68525c08cb874988353f78a9/content
+tags:
+ - attack.discovery
+ - attack.t1046
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection:
+ CommandLine|re: -(W|R)\s?(\s|"|')([0-9a-fA-F]{2}\s?){2,20}(\s|"|')
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
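Review bot: The `selection` in the detection block keys solely on the `-W`/`-R` hex-byte argument regex and never references the pnscan binary itself, so by my reading of the expression any process whose command line carries an argument shaped like `-R "abcd"` or `-W '00 11'` (two to twenty hex byte pairs, optional spaces, delimited by whitespace or a quote) fires the rule, which sits uneasily with `falsepositives: - Unknown`. If the intent is to catch pnscan specifically, narrow the selection with a second selection such as `selection_img:` / `Image|endswith: '/pnscan'` and change the condition to `condition: all of selection*`; if the intent is to catch renamed or re-packed binaries, the description should say so and `falsepositives` should name the kind of benign tooling that passes quoted hex strings to `-R`/`-W` flags. Either way, the `{2,20}` lower bound of two byte pairs is lenient enough that a note in the description on why such short payloads are in scope would help the next maintainer tune it.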