-
Notifications
You must be signed in to change notification settings - Fork 101
/
command_and_control_connection_to_webservice_by_an_unsigned_binary.toml
123 lines (113 loc) · 4.27 KB
/
command_and_control_connection_to_webservice_by_an_unsigned_binary.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
[rule]
description = """
Identifies DNS queries to common web services by an unsigned program. Adversaries may implement command and control
communications that use common web services in order to hide their activity.
"""
id = "2c3efa34-fecd-4b3b-bdb6-30d547f2a1a4"
license = "Elastic License v2"
name = "Connection to WebService by an Unsigned Binary"
os_list = ["windows"]
version = "1.0.8"
query = '''
sequence by process.entity_id with maxspan=1m
/* execution of an unsigned PE file followed by dns lookup to commonly abused trusted webservices */
[process where event.action == "start" and not user.id : "S-1-5-18" and
not process.code_signature.trusted == true and
(process.Ext.relative_file_creation_time <= 300 or process.Ext.relative_file_name_modify_time <= 300) and
process.executable : ("?:\\Users\\*", "?:\\ProgramData\\*", "?:\\Windows\\Temp\\*") and
not process.args : ("--type=utility", "--squirrel-firstrun", "--utility-sub-type=*") and
process.executable : ("?:\\Users\\*", "?:\\ProgramData\\*", "?:\\Windows\\Temp\\*") and
not (process.name : "Clash for Windows.exe" and process.args : "--utility-sub-type=network.mojom.NetworkService") and
not (process.name : "clash-win64.exe" and process.parent.args : "--app-user-model-id=com.*.clashwin") and
not process.hash.sha256 :
("1cef2a7e7fe2a60e7f1d603162e60969469488cae99d04d13c4450cb90934b0f",
"ec4d11bd8216b894cb02f4e9cc3974a87901e928b4cdd2cac6d6eb22b3fa25eb",
"5c3725fb6ef2e8044b6ffbaa3f62f1afa1f47dd69ab557b611af8d80362f99d3",
"cc73c1aecb17ad6ce7c74bd258704994e43dea732212326a5b205be65b3b4b61",
"e5f6f15243393cb03022a3f1d22e0175acbf54cc5386cf9820185cf43cc90342",
"83d17dc95a7eba329fb29899b43d4b89b1dc898774e31ba58de883ce4e44e833",
"f2e7ef9667f84a2b2f66e9116b06b6fbc3fd5af6695a50366e862692459b7a59",
"21b49f2824f1357684983cfacfc0d58a95a2b41cd7bbaff544d9de8e790be1b6",
"d71babf67e0e26991a34ea7d9cb78dc44dc0357bc20e4c15c61ba49cae99fcaa",
"074b780a2a22d3d8af78afdfa042083488447fd5e63e7fa6e9c6abb08227e81d",
"578b95a62ecf3e1a3ea77d8329e87ba72a1b3516d0e5adb8d3f3d1eb44a7941e",
"a9b47f62e98f2561cf382d3d59e1d1b502b4cae96ab3e420122c3b28cc5b7da6",
"14a4ae91ebf302026a8ba24f4548a82c683cfb5fa4494c76e39d6d3089cdbbc1")]
[dns where
dns.question.name :
(
"raw.githubusercontent.*",
"pastebin.*",
"paste.ee",
"ghostbin.com",
"drive.google.com",
"d.docs.live.net",
"api.dropboxapi.*",
"content.dropboxapi.*",
"dl.dropboxusercontent.*",
"api.onedrive.com",
"*.onedrive.org",
"onedrive.live.com",
"filebin.net",
"?.tcp.ngrok.io",
"ngrok.com",
"*.portmap.*",
"*serveo.net",
"*localtunnel.me",
"*pagekite.me",
"*localxpose.io",
"*notabug.org",
"rawcdn.githack.*",
"paste.nrecom.net",
"zerobin.net",
"controlc.com",
"requestbin.net",
"slack.com",
"api.slack.com",
"slack-redir.net",
"slack-files.com",
"cdn.discordapp.com",
"discordapp.com",
"discord.com",
"cdn.sql.gg",
"cdn.discordapp.com",
"www.uplooder.net",
"*.cdnmegafiles.com",
"transfer.sh",
"updates.peer2profit.com",
"api.telegram.org",
"bing.com",
"yahoo.com",
"meacz.gq",
"rwrd.org",
"*.publicvm.com",
"*.blogspot.com"
)
]
'''
[[actions]]
action = "kill_process"
field = "process.entity_id"
state = 1
[[optional_actions]]
action = "rollback"
[[threat]]
framework = "MITRE ATT&CK"
[[threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"
[[threat.technique.subtechnique]]
id = "T1071.004"
name = "DNS"
reference = "https://attack.mitre.org/techniques/T1071/004/"
[[threat.technique]]
id = "T1102"
name = "Web Service"
reference = "https://attack.mitre.org/techniques/T1102/"
[threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
[internal]
min_endpoint_version = "8.4.0"