43d3f3b467
* update
* [New] Endpoint Rule Conversion PR
* fix: replace invalid rule_ids with valid UUIDs
* fix: remove malformed TOML in docker_outbound_connection rule
* fix: rename Security Software Discovery rule to avoid name collision
* fix: remove rule using unsupported 'as event' alias syntax
* fix: add timestamp_override, investigation guides, and fix MITRE mapping
  - Added timestamp_override = 'event.ingested' to 15 non-sequence EQL rules
  - Added '## Triage and analysis' investigation guides to 19 high-severity rules
  - Fixed T1176 technique name from 'Browser Extensions' to 'Software Extensions'
* Enhance investigation guides for 19 high-severity macOS SIEM rules
  Enhanced investigation guides to align with existing SIEM rule format:
  - Added detailed context paragraphs explaining the threat and detection logic
  - Expanded investigation steps to 6-7 items with specific field references
  - Enhanced false positive analysis with 4-5 items and exclusion guidance
  - Added comprehensive response and remediation steps (6-7 items)
  Rules enhanced:
  - Defense Evasion: dylib_injection, gatekeeper_override, tcc_access
  - Persistence: shell_profile, hidden_plist, chromium_extension, startup_item, pkg_install_script, launch_agent_daemon
  - Execution: unusual_library_python
  - Lateral Movement: jamf_endpoint
  - Command and Control: google_calendar_c2, oast_domain, etherhiding, curl_from_app, curl_google_script, unsigned_binary
  - Collection: pbpaste, sensitive_file_compression
* Fix investigation guide tests: add Resources tag and fix OAST title
  - Added 'Resources: Investigation Guide' tag to all 19 rules with investigation guides
  - Fixed OAST rule investigation guide title to match rule name exactly: 'Network Connection to OAST Domain via Script Interpreter'
* Remove duplicate detection_rules 2 folder from PR
* Address Samir's PR feedback: consolidate rules, convert to ES|QL, fix Gatekeeper rule
  Changes:
  - Convert AWS S3 connection rule to ES|QL with aggregation
  - Consolidate Python + Node non-standard port rules into single script interpreter rule
  - Fix Gatekeeper rule to use correct gatekeeper_override event
  - Simplify Gatekeeper rule to single event per Samir's suggestion
  - Convert TCC access rule to ES|QL with COUNT_DISTINCT
  - Tune cross-platform security software grep rule (add egrep, pgrep, more tools)
  - Add node to system/network config check rule
  Deleted duplicates (covered by existing cross-platform rules):
  - Docker suspicious TLD rule (covered by unusual_connection_to_suspicious_top_level_domain)
  - Security software via grep (tuned cross-platform version instead)
  - VM fingerprinting via grep (duplicate of cross-platform version)
* fix: ESQL formatting and wildcard versioning patterns
  - Add Esql. prefix to computed fields in ESQL rules
  - Add KEEP statements to ESQL rules for proper field visibility
  - Add perl* wildcard to OAST domain rule for version consistency
  - Add ruby* wildcard to Etherhiding C2 rule for version consistency
  - Fix regex pattern in TCC rule (perl.*/ruby.* for versioning)
* fix: remove duplicate Script Interpreter rule
  Delete command_and_control_suspicious_outbound_python_network.toml which is an exact duplicate of command_and_control_script_interpreter_connection_to_non_standard_port.toml (same rule_id: aa1e007a-2997-4247-b048-dd9344742560)
* fix: add timestamp_override to Pbpaste and Gatekeeper rules
  - collection_pbpaste_execution_via_unusual_parent.toml
  - defense_evasion_gatekeeper_override_and_execution.toml
  EQL/KQL rules require timestamp_override: event.ingested
* fix: remove perl from Script Interpreter rule
  Perl is covered by the broader perl_outbound_network_connection rule which catches perl → any external IP (not just non-standard ports). Perl network connections on macOS are rare and inherently suspicious regardless of port.
* Update rules/macos/command_and_control_aws_s3_connection_via_script.toml
  Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/macos/command_and_control_aws_s3_connection_via_script.toml
  Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/macos/command_and_control_aws_s3_connection_via_script.toml
  Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/macos/defense_evasion_suspicious_tcc_access_granted.toml
  Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/macos/persistence_manual_chromium_extension_loading.toml
  Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/macos/persistence_startup_item_plist_creation.toml
  Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/macos/persistence_suspicious_launch_agent_or_launch_daemon.toml
  Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/macos/persistence_suspicious_launch_agent_or_launch_daemon.toml
  Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Fix ESQL syntax error in AWS S3 connection rule
  Remove trailing comma before BY clause in STATS command that caused a parsing_exception.
  Co-authored-by: Cursor <cursoragent@cursor.com>
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
125 lines
6.5 KiB
TOML
[metadata]
creation_date = "2026/01/30"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/02/03"

[rule]
author = ["Elastic"]
description = """
Detects when a scripting interpreter makes an outbound network connection to an Ethereum blockchain endpoint
for command and control purposes. Adversaries may leverage Ethereum blockchain infrastructure as a covert C2
channel to receive commands and exfiltrate data, as observed in campaigns like SleepyDuck malware.
"""
from = "now-9m"
index = ["logs-endpoint.events.network-*", "logs-endpoint.events.file-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Etherhiding C2 via Blockchain Connection"
references = [
"https://secureannex.com/blog/sleepyduck-malware/"
]
risk_score = 73
rule_id = "bba8c7d1-172b-435d-9034-02ed9289c628"
severity = "high"
tags = [
"Domain: Endpoint",
"OS: macOS",
"Use Case: Threat Detection",
"Tactic: Command and Control",
"Tactic: Execution",
"Data Source: Elastic Defend",
"Resources: Investigation Guide"
]
type = "eql"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential Etherhiding C2 via Blockchain Connection

Etherhiding is an advanced command and control technique where threat actors store malicious configurations, commands, or payload URLs within blockchain transactions on platforms like Ethereum or Binance Smart Chain. This approach provides a highly resilient and censorship-resistant C2 infrastructure since blockchain data cannot be taken down or modified. This detection rule identifies script interpreters or suspicious processes connecting to blockchain API endpoints that may be retrieving attacker-controlled data from the blockchain.

### Possible investigation steps

- Review the process.name and process.executable fields to identify which application is making blockchain API requests and assess whether cryptocurrency or Web3 functionality is expected on this system.
- Examine the destination.domain and dns.question.name fields to identify the specific blockchain API endpoint being queried, such as Infura, Alchemy, or public RPC endpoints.
- Analyze the process.command_line and process.args to understand what code or script is executing and look for hardcoded contract addresses or wallet addresses that may be querying blockchain data.
- Investigate the process.parent.executable and parent process chain to determine how the blockchain-querying process was launched and identify the initial execution vector.
- Review network connection payloads if available to identify the specific blockchain queries being made and extract any contract addresses or transaction hashes being queried.
- Search threat intelligence sources for the identified contract addresses or wallet addresses to determine if they are associated with known malicious campaigns.
- Correlate with file modification events on the same host to identify if the blockchain data is being written to disk or used to configure malware.

### False positive analysis

- Cryptocurrency wallet applications and browser extensions legitimately access blockchain APIs to display balances and transaction history. Verify if the user has approved cryptocurrency applications.
- Web3 developers and blockchain application developers may use blockchain APIs during development and testing. Confirm with development teams if such activities are expected.
- Decentralized application (dApp) browsers and related tools access blockchain data as part of normal operations. Verify if these tools are sanctioned for business use.
- NFT marketplaces and related applications may query blockchain data for asset verification. Confirm if such applications are approved.

### Response and remediation

- Immediately isolate the affected macOS system from the network to prevent further C2 communication or payload retrieval.
- Terminate the suspicious process making blockchain API connections and prevent it from restarting.
- Extract and analyze the blockchain contract addresses or transaction data being queried to understand the malicious payload or configuration.
- Conduct a thorough malware analysis of the responsible application to identify its full capabilities and persistence mechanisms.
- Block the identified blockchain API endpoints at the network perimeter if they are not required for legitimate business purposes.
- Search for similar blockchain API connections across other endpoints to identify potential lateral movement or additional compromised systems.
- Escalate to the security operations team for comprehensive incident response if the activity confirms an active Etherhiding-based attack.
"""
query = '''
sequence by process.entity_id with maxspan=15s
[network where host.os.type == "macos" and event.type == "start" and
(process.name in ("bash", "sh", "zsh", "osascript", "node", "Cursor") or
process.name like ("python*", "ruby*", "perl*", "tclsh*")) and
destination.domain like ("eth-mainnet*", "ethereum*", "eth.*.com")]
[file where host.os.type == "macos" and event.action == "modification" and file.extension in ("js", "py", "sh")]
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
name = "Command and Control"
id = "TA0011"
reference = "https://attack.mitre.org/tactics/TA0011/"

[[rule.threat.technique]]
name = "Web Service"
id = "T1102"
reference = "https://attack.mitre.org/techniques/T1102/"

[[rule.threat.technique.subtechnique]]
name = "Bidirectional Communication"
id = "T1102.002"
reference = "https://attack.mitre.org/techniques/T1102/002/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
name = "Execution"
id = "TA0002"
reference = "https://attack.mitre.org/tactics/TA0002/"

[[rule.threat.technique]]
name = "Command and Scripting Interpreter"
id = "T1059"
reference = "https://attack.mitre.org/techniques/T1059/"

[[rule.threat.technique.subtechnique]]
name = "Unix Shell"
id = "T1059.004"
reference = "https://attack.mitre.org/techniques/T1059/004/"

[[rule.threat.technique.subtechnique]]
name = "Python"
id = "T1059.006"
reference = "https://attack.mitre.org/techniques/T1059/006/"

[[rule.threat.technique.subtechnique]]
name = "JavaScript"
id = "T1059.007"
reference = "https://attack.mitre.org/techniques/T1059/007/"
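An added example, not part of the rule file or the Elastic detection-rules project: this Python simulates the rule's two-stage EQL sequence over constructed endpoint events, so the process.entity_id join, the 15-second maxspan and the wildcard lists can be checked offline before the rule is deployed. The Event field names and the sample domains are assumptions, and remembering only the latest first-stage event per process is a simplification of the Elasticsearch sequence engine.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
# Lists copied from the rule's EQL query; EQL 'in' and 'like' are case-sensitive.
INTERPRETERS = {"bash", "sh", "zsh", "osascript", "node", "Cursor"}
INTERPRETER_GLOBS = ("python*", "ruby*", "perl*", "tclsh*")
DOMAIN_GLOBS = ("eth-mainnet*", "ethereum*", "eth.*.com")
SCRIPT_EXTS = {"js", "py", "sh"}
MAXSPAN_S = 15  # 'with maxspan=15s'

@dataclass
class Event:  # assumed flattening of the Elastic Defend fields the rule reads
    ts: float               # seconds since epoch (constructed)
    category: str           # "network" or "file"
    entity_id: str          # process.entity_id, the sequence join key
    os_type: str = "macos"  # host.os.type
    process_name: str = ""  # process.name
    event_type: str = ""    # network stage: event.type
    event_action: str = ""  # file stage: event.action
    domain: str = ""        # destination.domain
    extension: str = ""     # file.extension

def like_any(value, globs):  # 'field like (a, b, ...)': true if any pattern matches
    return any(fnmatchcase(value, g) for g in globs)
def is_stage1(e):  # first step: interpreter opens a connection to an Ethereum endpoint
    return (e.category == "network" and e.os_type == "macos" and e.event_type == "start"
            and (e.process_name in INTERPRETERS or like_any(e.process_name, INTERPRETER_GLOBS))
            and like_any(e.domain, DOMAIN_GLOBS))
def is_stage2(e):  # second step: the same process modifies a script file
    return (e.category == "file" and e.os_type == "macos"
            and e.event_action == "modification" and e.extension in SCRIPT_EXTS)

def match_sequence(events):
    """entity_ids whose stage-1 hit is followed by a stage-2 hit within MAXSPAN_S."""
    hits, pending = [], {}
    for e in sorted(events, key=lambda x: x.ts):
        if is_stage1(e):
            pending[e.entity_id] = e.ts  # remember the latest stage-1 per process
        elif is_stage2(e) and e.entity_id in pending:
            if e.ts - pending.pop(e.entity_id) <= MAXSPAN_S:
                hits.append(e.entity_id)
    return hits
# Constructed sample telemetry: p1 is the suspicious chain, p2 a wallet app (not an interpreter), p3 edits its script too late (20 s).
SAMPLE = [
    Event(100.0, "network", "p1", process_name="python3", event_type="start", domain="eth-mainnet.example.net"),
    Event(104.5, "file", "p1", event_action="modification", extension="py"),
    Event(200.0, "network", "p2", process_name="WalletApp", event_type="start", domain="ethereum.example.net"),
    Event(201.0, "file", "p2", event_action="modification", extension="js"),
    Event(300.0, "network", "p3", process_name="node", event_type="start", domain="eth.example.com"),
    Event(320.0, "file", "p3", event_action="modification", extension="sh"),
]
```

The p3 case shows the effect of maxspan: the interpreter-to-endpoint connection alone does not alert, only the connection followed by a script modification inside the window does.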