From 2b5ba9e4f463aa9de125217da1df47de002681b3 Mon Sep 17 00:00:00 2001
From: Technici4n <13494793+Technici4n@users.noreply.github.com>
Date: Thu, 1 Jun 2023 11:21:15 +0200
Subject: [PATCH 1/6] fix: change FP template to use `id` instead of `uuid` (#4278)
---
 .github/ISSUE_TEMPLATE/false_positive_report.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/ISSUE_TEMPLATE/false_positive_report.yml b/.github/ISSUE_TEMPLATE/false_positive_report.yml
index 9c79fde77..28baa4439 100644
--- a/.github/ISSUE_TEMPLATE/false_positive_report.yml
+++ b/.github/ISSUE_TEMPLATE/false_positive_report.yml
@@ -7,7 +7,7 @@ body:
 label: Rule UUID
 placeholder: "f3be1b1d-eb3c-4ab1-b5e5-81e330fa2cd0"
 description: |
- You can copy the rule id from the `uuid` field in the rule.
+ You can copy the rule id from the `id` field in the rule.
 validations:
 required: true
From 93e00f496f0b4dfc17ef877d757843251de5df66 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 1 Jun 2023 21:42:04 +0200
Subject: [PATCH 2/6] feat: add emerging threats rule related to MOVEit Transfer exploitation (#4281)
---
 .../MOVEit-Transfer-Unknown-Exploit/README.md | 15 ++++++++
 ...vent_win_exploit_other_moveit_transfer.yml | 38 +++++++++++++++++++
 2 files changed, 53 insertions(+)
 create mode 100644 rules-emerging-threats/2023/Exploits/MOVEit-Transfer-Unknown-Exploit/README.md
 create mode 100644 rules-emerging-threats/2023/Exploits/MOVEit-Transfer-Unknown-Exploit/file_event_win_exploit_other_moveit_transfer.yml
diff --git a/rules-emerging-threats/2023/Exploits/MOVEit-Transfer-Unknown-Exploit/README.md b/rules-emerging-threats/2023/Exploits/MOVEit-Transfer-Unknown-Exploit/README.md
new file mode 100644
index 000000000..d66c74606
--- /dev/null
+++ b/rules-emerging-threats/2023/Exploits/MOVEit-Transfer-Unknown-Exploit/README.md
@@ -0,0 +1,15 @@
+# MOVEit Transfer Critical Vulnerability (May 2023)
+
+## Summary
+
+Progress has discovered a vulnerability in MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment.
+
+You can find more information on the threat in the following articles:
+
+- [New MOVEit Transfer zero-day mass-exploited in data theft attacks](https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/)
+- [MOVEit Transfer Critical Vulnerability (May 2023)](https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023)
+- [Rapid7 Observed Exploitation of Critical MOVEit Transfer Vulnerability](https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/)
+
+## Rules
+
+- [Potential MOVEit Transfer Exploitation](./file_event_win_exploit_other_moveit_transfer.yml)
diff --git a/rules-emerging-threats/2023/Exploits/MOVEit-Transfer-Unknown-Exploit/file_event_win_exploit_other_moveit_transfer.yml b/rules-emerging-threats/2023/Exploits/MOVEit-Transfer-Unknown-Exploit/file_event_win_exploit_other_moveit_transfer.yml
new file mode 100644
index 000000000..19406ac77
--- /dev/null
+++ b/rules-emerging-threats/2023/Exploits/MOVEit-Transfer-Unknown-Exploit/file_event_win_exploit_other_moveit_transfer.yml
@@ -0,0 +1,38 @@
+title: Potential MOVEit Transfer Exploitation
+id: c3b2a774-3152-4989-83c1-7afc48fd1599
+status: experimental
+description: |
+ Detects the creation of files with unexpected extensions in the web root folder of the MOVEit Transfer service.
+ Reports mentioned uncommon file types in the "wwwroot" folder as a sign of potential compromise. Attackers used that folder as a staging directory for the exfiltration.
+references:
+ - https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/
+ - https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
+ - https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/
+ - https://www.reddit.com/r/sysadmin/comments/13wxuej/comment/jmhdg55/
+author: Florian Roth (Nextron Systems)
+date: 2023/06/01
+tags:
+ - attack.initial_access
+ - attack.t1190
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection_generic:
+ TargetFilename|contains: '\MOVEit Transfer\wwwroot\'
+ TargetFilename|endswith:
+ - '.7z'
+ - '.bat'
+ - '.dll'
+ - '.exe'
+ - '.ps1'
+ - '.rar'
+ - '.vbe'
+ - '.vbs'
+ - '.zip'
+ selection_known_ioc:
+ TargetFilename|endswith: '\MOVEit Transfer\wwwroot\human2.aspx'
+ condition: 1 of selection_*
+falsepositives:
+ - Unlikely
+level: high
From 383dce95e52a99fb05b5b5b819c87f87dd9fc24a Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 1 Jun 2023 23:14:50 +0200
Subject: [PATCH 3/6] feat: more updates to moveit exploitation ioc rule (#4283)
---
 .../MOVEit-Transfer-Unknown-Exploit/README.md | 2 ++
 ...vent_win_exploit_other_moveit_transfer.yml | 26 ++++++++++++++++---
 2 files changed, 25 insertions(+), 3 deletions(-)
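Review bot: `falsepositives: - Unlikely` does not hold for `selection_generic`: the MOVEit web root legitimately contains the application's own `bin\` DLLs, so a vendor patch or upgrade that rewrites them will fire this `level: high` rule on every server being remediated for exactly this advisory. I would document that, e.g. `- Installation or patching of MOVEit Transfer writing legitimate DLLs into the web root`, and either drop `.dll` from the list or add a `filter_main_bin` with `TargetFilename|contains: '\wwwroot\bin\'` to the condition. `selection_known_ioc` keys on `human2.aspx`, a filename the attacker chooses and can change at will, so the generic branch is the part that survives a renamed web shell and its precision matters more than the IOC's.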
diff --git a/rules-emerging-threats/2023/Exploits/MOVEit-Transfer-Unknown-Exploit/README.md b/rules-emerging-threats/2023/Exploits/MOVEit-Transfer-Unknown-Exploit/README.md
index d66c74606..1440b16a8 100644
--- a/rules-emerging-threats/2023/Exploits/MOVEit-Transfer-Unknown-Exploit/README.md
+++ b/rules-emerging-threats/2023/Exploits/MOVEit-Transfer-Unknown-Exploit/README.md
@@ -9,6 +9,8 @@ You can find more information on the threat in the following articles:
 - [New MOVEit Transfer zero-day mass-exploited in data theft attacks](https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/)
 - [MOVEit Transfer Critical Vulnerability (May 2023)](https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023)
 - [Rapid7 Observed Exploitation of Critical MOVEit Transfer Vulnerability](https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/)
+- [CRITICAL VULNERABILITY IN PROGRESS MOVEIT TRANSFER: TECHNICAL ANALYSIS AND RECOMMENDATIONS - TrustedSec](https://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/)
+- [MOVEit Transfer Critical Vulnerability Rapid Response - Huntress](https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response)
 ## Rules
diff --git a/rules-emerging-threats/2023/Exploits/MOVEit-Transfer-Unknown-Exploit/file_event_win_exploit_other_moveit_transfer.yml b/rules-emerging-threats/2023/Exploits/MOVEit-Transfer-Unknown-Exploit/file_event_win_exploit_other_moveit_transfer.yml
index 19406ac77..bc3a079fe 100644
--- a/rules-emerging-threats/2023/Exploits/MOVEit-Transfer-Unknown-Exploit/file_event_win_exploit_other_moveit_transfer.yml
+++ b/rules-emerging-threats/2023/Exploits/MOVEit-Transfer-Unknown-Exploit/file_event_win_exploit_other_moveit_transfer.yml
@@ -9,7 +9,7 @@ references:
 - https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
 - https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/
 - https://www.reddit.com/r/sysadmin/comments/13wxuej/comment/jmhdg55/
-author: Florian Roth (Nextron Systems)
+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2023/06/01
 tags:
 - attack.initial_access
@@ -19,7 +19,9 @@ logsource:
 product: windows
 detection:
 selection_generic:
- TargetFilename|contains: '\MOVEit Transfer\wwwroot\'
+ TargetFilename|contains:
+ - '\MOVEit Transfer\wwwroot\'
+ - '\MOVEitTransfer\wwwroot\'
 TargetFilename|endswith:
 - '.7z'
 - '.bat'
@@ -31,7 +33,25 @@ detection:
 - '.vbs'
 - '.zip'
 selection_known_ioc:
- TargetFilename|endswith: '\MOVEit Transfer\wwwroot\human2.aspx'
+ TargetFilename|endswith:
+ - '\MOVEit Transfer\wwwroot\human2.aspx'
+ - '\MOVEitTransfer\wwwroot\human2.aspx'
+ selection_compiled_asp:
+ CreationUtcTime|startswith:
+ - '2023-05-26 '
+ - '2023-05-27 '
+ - '2023-05-28 '
+ - '2023-05-29 '
+ - '2023-05-30 '
+ - '2023-05-31 '
+ - '2023-06-01 '
+ - '2023-06-02 '
+ - '2023-06-03 '
+ TargetFilename|contains|all:
+ - '\Windows\Microsoft.net\Framework64\v'
+ - '\Temporary ASP.NET Files\'
+ - 'App_Web_'
+ TargetFilename|endswith: '.dll'
 condition: 1 of selection_*
 falsepositives:
 - Unlikely
From 9b2c23c4bf0187420bfdc55a087a0df1c8ec64ac Mon Sep 17 00:00:00 2001
From: Mohamed Ashraf <47338567+X-Junior@users.noreply.github.com>
Date: Fri, 2 Jun 2023 11:58:42 +0300
Subject: [PATCH 4/6] feat: add new rule for "SmadHook.dll" potential sideloading (#4282)
---
 .../image_load_side_load_smadhook.yml | 35 +++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 rules/windows/image_load/image_load_side_load_smadhook.yml
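Review bot: `selection_compiled_asp` in the third hunk is not tied to MOVEit at all: it fires on any `App_Web_*.dll` written under `\Temporary ASP.NET Files\` on the host between 2023-05-26 and 2023-06-03, which is what every ASP.NET application does when it recompiles after an IIS restart, a .NET update or the vendor patch itself, so `falsepositives: - Unlikely` is wrong for this branch and the hard-coded date window silently stops matching anything after 2023-06-03. I would scope it to the MOVEit application's own compilation folder (the site-specific path component under `Temporary ASP.NET Files\`, to be confirmed on a live install) and state the time window and its expiry in `description`. `'\Windows\Microsoft.net\Framework64\v'` also only covers 64-bit app pools; `'\Windows\Microsoft.net\Framework'` would match both `Framework\` and `Framework64\`. `CreationUtcTime` is the Sysmon field name, so sources without it will drop this selection entirely, which is worth a comment. The rule header and the start of `detection` lie outside these hunks.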
diff --git a/rules/windows/image_load/image_load_side_load_smadhook.yml b/rules/windows/image_load/image_load_side_load_smadhook.yml
new file mode 100644
index 000000000..d135bed8a
--- /dev/null
+++ b/rules/windows/image_load/image_load_side_load_smadhook.yml
@@ -0,0 +1,35 @@
+title: Potential SmadHook.DLL Sideloading
+id: 24b6cf51-6122-469e-861a-22974e9c1e5b
+status: experimental
+description: Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus
+references:
+ - https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor/
+ - https://www.qurium.org/alerts/targeted-malware-against-crph/
+author: X__Junior (Nextron Systems)
+date: 2023/06/01
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1574.001
+ - attack.t1574.002
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ ImageLoaded|endswith:
+ - '\SmadHook32c.dll'
+ - '\SmadHook64c.dll'
+ filter_main_legit_path:
+ Image:
+ - 'C:\Program Files (x86)\SMADAV\SmadavProtect32.exe'
+ - 'C:\Program Files (x86)\SMADAV\SmadavProtect64.exe'
+ - 'C:\Program Files\SMADAV\SmadavProtect32.exe'
+ - 'C:\Program Files\SMADAV\SmadavProtect64.exe'
+ ImageLoaded|startswith:
+ - 'C:\Program Files (x86)\SMADAV\'
+ - 'C:\Program Files\SMADAV\'
+ condition: selection and not 1 of filter_main_*
+falsepositives:
+ - Unlikely
+level: high
From ad73edce42153b4ddb9057f471360b4deaa206cb Mon Sep 17 00:00:00 2001
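Review bot: `filter_main_legit_path` trusts location only: any `SmadavProtect32.exe`/`SmadavProtect64.exe` under `C:\Program Files\SMADAV\` or `C:\Program Files (x86)\SMADAV\` loading a `SmadHook*c.dll` from that same directory is suppressed, so a dropper that recreates the vendor directory (it needs write access to Program Files, which a malicious installer running elevated has) sideloads without an alert. If your image_load source carries signature data (Sysmon event 7 does), adding `Signed: 'true'` under `filter_main_legit_path:` restricts the exclusion to a signed DLL in the expected path. SmadAV installed to a non-default folder will alert instead, which is the safer failure mode but should be listed under `falsepositives` rather than `Unlikely`.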
From: Florian Roth
Date: Fri, 2 Jun 2023 11:39:41 +0200
Subject: [PATCH 5/6] feat: new emerging threats rules added related to "Operation Triangulation" (#4284)
---
 ...t_equation_group_triangulation_c2_coms.yml | 38 +++++++++++++++++++
 ...t_equation_group_triangulation_c2_coms.yml | 38 +++++++++++++++++++
 2 files changed, 76 insertions(+)
 create mode 100644 rules-emerging-threats/2023/TA/EquationGroup/net_dns_apt_equation_group_triangulation_c2_coms.yml
 create mode 100644 rules-emerging-threats/2023/TA/EquationGroup/proxy_apt_equation_group_triangulation_c2_coms.yml
diff --git a/rules-emerging-threats/2023/TA/EquationGroup/net_dns_apt_equation_group_triangulation_c2_coms.yml b/rules-emerging-threats/2023/TA/EquationGroup/net_dns_apt_equation_group_triangulation_c2_coms.yml
new file mode 100644
index 000000000..d4b33ec77
--- /dev/null
+++ b/rules-emerging-threats/2023/TA/EquationGroup/net_dns_apt_equation_group_triangulation_c2_coms.yml
@@ -0,0 +1,38 @@
+title: Potential Operation Triangulation C2 Beaconing Activity - DNS
+id: 7fc30d63-728d-48d9-ad6f-14d14f4accf7
+related:
+ - id: aa03c712-75c6-438b-8d42-de88f2427e09 # Proxy C2
+ type: similar
+status: experimental
+description: Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB
+references:
+ - https://securelist.com/operation-triangulation/109842/
+ - https://www-fsb-ru.translate.goog/fsb/press/message/single.htm!id=10439739@fsbMessage.html?_x_tr_sch=http&_x_tr_sl=ru&_x_tr_tl=en&_x_tr_hl=de&_x_tr_pto=wapp
+author: Florian Roth (Nextron Systems)
+date: 2023/06/01
+tags:
+ - attack.command_and_control
+logsource:
+ category: dns
+detection:
+ selection:
+ query:
+ - 'addatamarket.net'
+ - 'ans7tv.net'
+ - 'anstv.net'
+ - 'backuprabbit.com'
+ - 'businessvideonews.com'
+ - 'cloudsponcer.com'
+ - 'datamarketplace.net'
+ - 'growthtransport.com'
+ - 'mobilegamerstats.com'
+ - 'snoweeanalytics.com'
+ - 'tagclick-cdn.com'
+ - 'topographyupdates.com'
+ - 'unlimitedteacup.com'
+ - 'virtuallaughing.com'
+ - 'web-trackers.com'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules-emerging-threats/2023/TA/EquationGroup/proxy_apt_equation_group_triangulation_c2_coms.yml b/rules-emerging-threats/2023/TA/EquationGroup/proxy_apt_equation_group_triangulation_c2_coms.yml
new file mode 100644
index 000000000..e5cb18a87
--- /dev/null
+++ b/rules-emerging-threats/2023/TA/EquationGroup/proxy_apt_equation_group_triangulation_c2_coms.yml
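Review bot: `query:` is an exact match, so a lookup for any subdomain (`cdn.backuprabbit.com`, `www.anstv.net`) does not match, although the proxy sibling this rule declares as `related: similar` uses `cs-host|contains` and would; the two rules therefore cover different traffic. I would add a second map item under `selection` (so it is OR-ed with the exact list) of the form `query|endswith: - '.addatamarket.net'` … one entry per domain with a leading dot, keeping the exact entries for the apex. The folder `TA/EquationGroup` asserts an attribution that the description only credits to "Kaspersky and the FSB"; if that attribution rests on the FSB statement alone, say so in `description` so analysts do not read the path as a confirmed actor.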
@@ -0,0 +1,38 @@
+title: Potential Operation Triangulation C2 Beaconing Activity - Proxy
+id: aa03c712-75c6-438b-8d42-de88f2427e09
+related:
+ - id: 7fc30d63-728d-48d9-ad6f-14d14f4accf7 # DNS C2
+ type: similar
+status: experimental
+description: Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB
+references:
+ - https://securelist.com/operation-triangulation/109842/
+ - https://www-fsb-ru.translate.goog/fsb/press/message/single.htm!id=10439739@fsbMessage.html?_x_tr_sch=http&_x_tr_sl=ru&_x_tr_tl=en&_x_tr_hl=de&_x_tr_pto=wapp
+author: Florian Roth (Nextron Systems)
+date: 2023/06/01
+tags:
+ - attack.command_and_control
+logsource:
+ category: proxy
+detection:
+ selection:
+ cs-host|contains:
+ - 'addatamarket.net'
+ - 'ans7tv.net'
+ - 'anstv.net'
+ - 'backuprabbit.com'
+ - 'businessvideonews.com'
+ - 'cloudsponcer.com'
+ - 'datamarketplace.net'
+ - 'growthtransport.com'
+ - 'mobilegamerstats.com'
+ - 'snoweeanalytics.com'
+ - 'tagclick-cdn.com'
+ - 'topographyupdates.com'
+ - 'unlimitedteacup.com'
+ - 'virtuallaughing.com'
+ - 'web-trackers.com'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
From 04cf7e9ea3b2ece97c9e8e2bddd46507b4a804d9 Mon Sep 17 00:00:00 2001
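Review bot: `cs-host|contains` matches substrings, so `'anstv.net'` also fires on `fanstv.net` or `anstv.network` and `'web-trackers.com'` on any host that merely embeds it, which for a `level: high` IOC rule yields avoidable false positives that are hard to triage. `cs-host|endswith` with a leading dot plus the bare apex (`- '.anstv.net'` and `- 'anstv.net'`) gives the intended apex-plus-subdomain coverage, and the DNS sibling (`7fc30d63-…`) should use the same operator so the two `related: similar` rules really match the same traffic. `falsepositives` should also say that these domains were reported as attacker infrastructure at a point in time and may later be sinkholed or re-registered by unrelated parties.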
From: jstnk9
Date: Fri, 2 Jun 2023 15:49:43 +0200
Subject: [PATCH 6/6] feat: new linux rules related to GobRAT malware (#4272)
---
 ...p_shell_script_under_profile_directory.yml | 27 ++++++++++++++
 ...vent_lnx_wget_download_file_in_tmp_dir.yml | 27 ++++++++++++++
 .../proc_creation_lnx_crontab_enumeration.yml | 25 +++++++++++++
 ...oc_creation_lnx_grep_os_arch_discovery.yml | 33 +++++++++++++++++
 ..._malware_gobrat_grep_payload_discovery.yml | 28 +++++++++++++++
 ...proc_creation_lnx_nohup_susp_execution.yml | 27 ++++++++++++++
 ...creation_lnx_susp_execution_tmp_folder.yml | 21 +++++++++++
 ...l_child_process_from_parent_tmp_folder.yml | 31 ++++++++++++++++
 ...p_shell_script_exec_from_susp_location.yml | 35 +++++++++++++++++++
 ...lnx_wget_download_suspicious_directory.yml | 29 +++++++++++++++
 10 files changed, 283 insertions(+)
 create mode 100644 rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml
 create mode 100644 rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml
 create mode 100644 rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml
 create mode 100644 rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml
 create mode 100644 rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml
 create mode 100644 rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml
 create mode 100644 rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml
 create mode 100644 rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml
 create mode 100644 rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml
 create mode 100644 rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml
diff --git a/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml b/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml
new file mode 100644
index 000000000..533c0c4ed
--- /dev/null
+++ b/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml
@@ -0,0 +1,27 @@
+title: Potentially Suspicious Shell Script Creation in Profile Folder
+id: 13f08f54-e705-4498-91fd-cce9d9cee9f1
+status: experimental
+description: Detects the creation of shell scripts under the "profile.d" path.
+references:
+ - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
+ - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
+ - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
+ - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2023/06/02
+tags:
+ - attack.persistence
+logsource:
+ product: linux
+ category: file_event
+detection:
+ selection:
+ TargetFilename|contains: '/etc/profile.d/'
+ TargetFilename|endswith:
+ - '.csh'
+ - '.sh'
+ condition: selection
+falsepositives:
+ - Legitimate shell scripts in the "profile.d" directory could be common in your environment. Apply additional filter accordingly via "image", by adding specific filenames you "trust" or by correlating it with other events.
+ - Regular file creation during system update or software installation by the package manager
+level: low # Can be increased to a higher level after some tuning
diff --git a/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml b/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml
new file mode 100644
index 000000000..facf55864
--- /dev/null
+++ b/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml
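Review bot: `TargetFilename|contains: '/etc/profile.d/'` matches the string anywhere in the path, so copies such as `/var/backups/etc/profile.d/foo.sh` or a staged root filesystem under `/tmp/rootfs/etc/profile.d/` also fire; `TargetFilename|startswith: '/etc/profile.d/'` is what the description ("under the profile.d path") actually means. The first `falsepositives` entry tells tuners to filter via "image" but the selection carries no `Image` field; naming the package-manager binaries it has in mind (for example a `filter_main_pkg` on `Image|endswith` with `/dpkg` and `/rpm`) would make that guidance actionable.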
@@ -0,0 +1,27 @@
+title: Wget Creating Files in Tmp Directory
+id: 35a05c60-9012-49b6-a11f-6bab741c9f74
+status: experimental
+description: Detects the use of wget to download content in a temporary directory such as "/tmp" or "/var/tmp"
+references:
+ - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
+ - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
+ - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
+ - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2023/06/02
+tags:
+ - attack.command_and_control
+ - attack.t1105
+logsource:
+ product: linux
+ category: file_event
+detection:
+ selection:
+ Image|endswith: '/wget'
+ TargetFilename|startswith:
+ - '/tmp/'
+ - '/var/tmp/'
+ condition: selection
+falsepositives:
+ - Legitimate downloads of files in the tmp folder.
+level: medium
diff --git a/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml b/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml
new file mode 100644
index 000000000..15f24392a
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml
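Review bot: `/dev/shm/` is missing from `TargetFilename|startswith` even though it is the other world-writable, tmpfs-backed staging directory Linux loaders use, and the path list also diverges from the companion process_creation wget rule in this series, which only knows `/tmp/`; add `- '/dev/shm/'` here and keep both lists identical. Only `wget` is covered while `curl -o /tmp/x` is at least as common in one-liners; turning `Image|endswith` into a list with `- '/curl'` costs nothing because the selection is already path-scoped. If that is done, the title "Wget Creating Files in Tmp Directory" and the description need to follow.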
@@ -0,0 +1,25 @@
+title: Crontab Enumeration
+id: 403ed92c-b7ec-4edd-9947-5b535ee12d46
+status: experimental
+description: Detects usage of crontab to list the tasks of the user
+references:
+ - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
+ - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
+ - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
+ - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2023/06/02
+tags:
+ - attack.discovery
+ - attack.t1007
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ Image|endswith: '/crontab'
+ CommandLine|contains: ' -l'
+ condition: selection
+falsepositives:
+ - Legitimate use of crontab
+level: low
diff --git a/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml
new file mode 100644
index 000000000..73eaf0076
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml
@@ -0,0 +1,33 @@
+title: OS Architecture Discovery Via Grep
+id: d27ab432-2199-483f-a297-03633c05bae6
+status: experimental
+description: |
+ Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of "uname" or "cat /proc/cpuinfo"
+references:
+ - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
+ - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
+ - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
+ - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2023/06/02
+tags:
+ - attack.discovery
+ - attack.t1082
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection_process:
+ Image|endswith: '/grep'
+ selection_architecture:
+ CommandLine|endswith:
+ - 'aarch64'
+ - 'arm'
+ - 'i386'
+ - 'i686'
+ - 'mips'
+ - 'x86_64'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: low
diff --git a/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml
new file mode 100644
index 000000000..5b618f296
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml
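Review bot: `CommandLine|endswith` on bare tokens such as `'arm'` or `'mips'` matches any grep whose command line merely ends in those letters — `grep -i alarm`, `grep farm`, `grep -r warm` all end with `arm` — so `selection_architecture` is a suffix check, not an argument check. Anchoring each value on the preceding separator, i.e. `- ' aarch64'`, `- ' arm'`, `- ' i386'`, `- ' i686'`, `- ' mips'`, `- ' x86_64'`, keeps the intent (last argument is an architecture name) and removes the collisions; in most process-creation sources the shell has already stripped quotes, so `grep "arm"` still ends with ` arm`. Since the description says the pattern usually follows `uname` or `cat /proc/cpuinfo`, mentioning that the pipeline's parent process is the better correlation key would help whoever tunes this beyond `level: low`.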
@@ -0,0 +1,28 @@
+title: Potential GobRAT File Discovery Via Grep
+id: e34cfa0c-0a50-4210-9cb3-5632d08eb041
+status: experimental
+description: Detects the use of grep to discover specific files created by the GobRAT malware
+references:
+ - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
+ - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
+ - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2023/06/02
+tags:
+ - attack.discovery
+ - attack.t1082
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection:
+ Image|endswith: '/grep'
+ CommandLine|contains:
+ - 'apached'
+ - 'frpc'
+ - 'sshd.sh'
+ - 'zone.arm'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml b/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml
new file mode 100644
index 000000000..5359bdca9
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml
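Review bot: `level: high` with `falsepositives: - Unknown` is optimistic for `CommandLine|contains: 'frpc'`: `frpc` is the client binary of the widely deployed open-source fast reverse proxy, and any health-check or service script doing `ps … | grep frpc` will trigger this rule on hosts where GobRAT was never present. I would record that under `falsepositives` (`- Administrative scripts checking for a legitimately installed frp client (frpc)`) and either drop `frpc` from the list or require it together with a second indicator. Because the operator is `contains`, `'apached'` also matches any longer token that embeds it; anchoring with a leading space (`' apached'`, `' frpc'`) costs nothing and tightens the match to a whole argument.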
@@ -0,0 +1,27 @@
+title: Suspicious Nohup Execution
+id: 457df417-8b9d-4912-85f3-9dbda39c3645
+related:
+ - id: e4ffe466-6ff8-48d4-94bd-e32d1a6061e2
+ type: derived
+status: experimental
+description: Detects execution of binaries located in potentially suspicious locations via "nohup"
+references:
+ - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
+ - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
+ - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
+ - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2023/06/02
+tags:
+ - attack.execution
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ Image|endswith: '/nohup'
+ CommandLine|contains: '/tmp/'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml b/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml
new file mode 100644
index 000000000..6e1f53c00
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml
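Review bot: `CommandLine|contains: '/tmp/'` looks at the whole nohup command line rather than the program being launched, so `nohup tar czf /tmp/backup.tgz …` or `nohup ./job.sh /tmp/work` fire at `level: high` with `falsepositives: - Unknown`, while the description promises "binaries located in potentially suspicious locations", which is narrower. Pinning the path to the executed program — `CommandLine|contains: - 'nohup /tmp/' - 'nohup /var/tmp/' - 'nohup /dev/shm/'` — matches the description and also covers the staging directories used elsewhere in this series. At minimum add a `falsepositives` entry for legitimate jobs that take a `/tmp` output or working path as an argument.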
@@ -0,0 +1,21 @@
+title: Potentially Suspicious Execution From Tmp Folder
+id: 312b42b1-bded-4441-8b58-163a3af58775
+status: experimental
+description: Detects a potentially suspicious execution of a process located in the '/tmp/' folder
+references:
+ - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
+ - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
+ - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
+ - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2023/06/02
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ Image|startswith: '/tmp/'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml b/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml
new file mode 100644
index 000000000..64236d73d
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml
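Review bot: This rule has no `tags:` block while every other rule in the series carries at least a tactic; add `tags: - attack.execution` so it is consistent and can be filtered by technique. `Image|startswith: '/tmp/'` at `level: high` with `falsepositives: - Unknown` will be noisy: installers, self-extracting archives, some software updaters and build tools routinely unpack helpers into `/tmp` and execute them, so either lower the level to medium or name those classes under `falsepositives` so tuners know the rule is expected to need filters. For consistency with the other tmp-directory rules in this patch, `/var/tmp/` and `/dev/shm/` belong in the same `startswith` list.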
@@ -0,0 +1,31 @@
+title: Shell Execution Of Process Located In Tmp Directory
+id: 2fade0b6-7423-4835-9d4f-335b39b83867
+status: experimental
+description: Detects execution of shells from a parent process located in a temporary (/tmp) directory
+references:
+ - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
+ - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
+ - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
+ - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2023/06/02
+tags:
+ - attack.execution
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ ParentImage|startswith: '/tmp/'
+ Image|endswith:
+ - '/bash'
+ - '/csh'
+ - '/dash'
+ - '/fish'
+ - '/ksh'
+ - '/sh'
+ - '/zsh'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml b/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml
new file mode 100644
index 000000000..71eedc0df
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml
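Review bot: `ParentImage|startswith: '/tmp/'` only covers `/tmp`, whereas the description speaks of "a temporary (/tmp) directory" generically and the sibling rules treat `/var/tmp` and `/dev/shm` the same way; make it a list (`- '/tmp/'`, `- '/var/tmp/'`, `- '/dev/shm/'`). A parent whose `Image` starts with `/tmp/` should normally already have raised the sibling "Potentially Suspicious Execution From Tmp Folder" rule, so the added value here is the shell-spawning context; saying so in `description` tells analysts why the two alerts arrive together rather than looking like a duplicate. The title says "Shell Execution Of Process Located In Tmp Directory" but the logic is the reverse (a process in tmp spawning a shell); wording it that way avoids confusion with the `-c` script rule that follows.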
@@ -0,0 +1,35 @@
+title: Execution Of Script Located In Potentially Suspicious Directory
+id: 30bcce26-51c5-49f2-99c8-7b59e3af36c7
+status: experimental
+description: Detects executions of scripts located in potentially suspicious locations such as "/tmp" via a shell such as "bash", "sh", etc.
+references:
+ - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
+ - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
+ - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
+ - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2023/06/02
+tags:
+ - attack.execution
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection_img:
+ Image|endswith:
+ - '/bash'
+ - '/csh'
+ - '/dash'
+ - '/fish'
+ - '/ksh'
+ - '/sh'
+ - '/zsh'
+ selection_flag:
+ CommandLine|contains: ' -c '
+ selection_paths:
+ # Note: Add more suspicious paths
+ CommandLine|contains: '/tmp/'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml b/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml
new file mode 100644
index 000000000..87af0ce34
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml
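Review bot: `selection_flag` requires `' -c '`, so the most direct way of running a dropped script, `sh /tmp/x.sh` or `bash /tmp/x.sh`, is not detected even though the title is "Execution Of Script Located In Potentially Suspicious Directory"; only `sh -c '… /tmp/…'` matches, and in that form `/tmp/` may just be an argument to whatever the shell runs. Turning the flag selection into an OR with the script form — `selection_flag: - CommandLine|contains: ' -c ' - CommandLine|endswith: '.sh'` — keeps the current coverage and adds the direct case. The `# Note: Add more suspicious paths` comment can be acted on right away with `/var/tmp/` and `/dev/shm/`, which the other rules in this series also use.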
@@ -0,0 +1,29 @@
+title: Download File To Potentially Suspicious Directory Via Wget
+id: cf610c15-ed71-46e1-bdf8-2bd1a99de6c4
+status: experimental
+description: Detects the use of wget to download content to a suspicious directory
+references:
+ - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
+ - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
+ - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
+ - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2023/06/02
+tags:
+ - attack.command_and_control
+ - attack.t1105
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection_img:
+ Image|endswith: '/wget'
+ selection_output:
+ - CommandLine|re: '\s-O\s' # We use regex to ensure a case sensitive argument detection
+ - CommandLine|contains: '--output-document'
+ selection_path:
+ CommandLine|contains: '/tmp/'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: medium
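Review bot: `CommandLine|re: '\s-O\s'` misses the forms loaders use most: `-O` combined with other short flags (`wget -qO /tmp/x`, `-qO-`) and `-O` glued to its argument (`-O/tmp/x`), and `-P /tmp/` (`--directory-prefix`) writes under `/tmp` with no `-O` at all. A regex such as `'\s-[a-zA-Z]*O'` covers the combined and glued cases while staying case-sensitive (it does not match `--output-document` or `--no-check-certificate` because the second `-` is not a letter), and a `- CommandLine|contains: ' -P '` entry plus `--directory-prefix` extend `selection_output`. `selection_path` only knows `/tmp/`, whereas the sibling file-event wget rule also lists `/var/tmp/`; the two path lists should match, and `/dev/shm/` belongs in both.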