[Rule Tuning] Mythic C2 AzureBlob Profile Endpoints (#5663)
Fixes #5662
This commit is contained in:
Terrance DeJesus
+8
-3
@@ -2,7 +2,7 @@
|
||||
creation_date = "2025/03/26"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/08/26"
|
||||
updated_date = "2026/02/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -50,6 +50,9 @@ In macOS environments, network connections to web services are routine for data
|
||||
- Monitor the network for any further attempts to connect to the flagged domains and ensure that alerts are configured to notify security teams of any recurrence.
|
||||
- Escalate the incident to the security operations center (SOC) or relevant cybersecurity team for further investigation and to determine if the threat is part of a larger attack campaign.
|
||||
"""
|
||||
references = [
|
||||
"https://specterops.io/blog/2026/01/30/weaponizing-whitelists-an-azure-blob-storage-mythic-c2-profile/"
|
||||
]
|
||||
risk_score = 47
|
||||
rule_id = "b07f0fba-0a78-11f0-8311-b66272739ecb"
|
||||
severity = "medium"
|
||||
@@ -163,9 +166,11 @@ destination.domain : (
|
||||
pastecode.dev or
|
||||
i.imgur.com or
|
||||
the.earth.li or
|
||||
*.trycloudflare.com
|
||||
*.trycloudflare.com or
|
||||
*.blob.core.windows.net or
|
||||
*.blob.storage.azure.net
|
||||
) and
|
||||
not (destination.domain : (*.sharepoint.com or *.azurewebsites.net or "onedrive.live.com" or *.b-cdn.net or api.onedrive.com or "drive.google.com" or *.blogspot.com) and process.code_signature.subject_name:(*Microsoft* or "Software Signing" or "Apple Mac OS Application Signing" or *VMware*) and process.code_signature.trusted:true) and
|
||||
not (destination.domain : (*.sharepoint.com or *.azurewebsites.net or "onedrive.live.com" or *.b-cdn.net or api.onedrive.com or "drive.google.com" or *.blogspot.com or *.blob.core.windows.net or *.blob.storage.azure.net) and process.code_signature.subject_name:(*Microsoft* or "Software Signing" or "Apple Mac OS Application Signing" or *VMware*) and process.code_signature.trusted:true) and
|
||||
not (process.code_signature.subject_name:(*Mozilla* or *Google* or *Brave* or *Opera* or "Software Signing" or *Zscaler* or *Browser*) and process.code_signature.trusted:true) and
|
||||
not (destination.domain :("discord.com" or cdn.discordapp.com or "content.dropboxapi.com" or "dl.dropboxusercontent.com") and process.code_signature.subject_name :(*Discord* or *Dropbox*) and process.code_signature.trusted:true)
|
||||
'''
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/11/04"
|
||||
integration = ["endpoint", "sentinel_one_cloud_funnel"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/12/17"
|
||||
updated_date = "2026/02/02"
|
||||
|
||||
[transform]
|
||||
[[transform.investigate]]
|
||||
@@ -128,8 +128,9 @@ This rule looks for processes outside known legitimate program locations communi
|
||||
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
|
||||
"""
|
||||
references = [
|
||||
"https://www.elastic.co/security-labs/operation-bleeding-bear",
|
||||
"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry"
|
||||
"https://www.elastic.co/security-labs/operation-bleeding-bear",
|
||||
"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry",
|
||||
"https://specterops.io/blog/2026/01/30/weaponizing-whitelists-an-azure-blob-storage-mythic-c2-profile/"
|
||||
]
|
||||
risk_score = 21
|
||||
rule_id = "66883649-f908-4a5b-a1e0-54090a1d3a32"
|
||||
@@ -233,8 +234,10 @@ network where host.os.type == "windows" and
|
||||
"www.googleapis.com",
|
||||
"googleapis.com",
|
||||
"global.rel.tunnels.api.visualstudio.com",
|
||||
"*.devtunnels.ms",
|
||||
"api.github.com") and
|
||||
"*.devtunnels.ms",
|
||||
"api.github.com",
|
||||
"*.blob.core.windows.net",
|
||||
"*.blob.storage.azure.net") and
|
||||
|
||||
/* Insert noisy false positives here */
|
||||
not (
|
||||
@@ -288,7 +291,8 @@ network where host.os.type == "windows" and
|
||||
) or
|
||||
|
||||
(process.code_signature.subject_name : "Microsoft *" and process.code_signature.trusted == true and
|
||||
dns.question.name : ("*.sharepoint.com", "graph.microsoft.com", "g.live.com", "login.live.com")
|
||||
dns.question.name : ("*.sharepoint.com", "graph.microsoft.com", "g.live.com", "login.live.com",
|
||||
"*.blob.core.windows.net", "*.blob.storage.azure.net")
|
||||
) or
|
||||
|
||||
(process.code_signature.subject_name : ("Python Software Foundation", "Anaconda, Inc.") and
|
||||
|
||||
Reference in New Issue
Block a user