1 parent
00071f2
commit 7460867
Showing
279 changed files
with
3,012 additions
and
1,001 deletions.
58 changes: 58 additions & 0 deletions
58
behavior/rules/command_and_control_ingress_tool_transfer_via_curl.toml
@@ -0,0 +1,58 @@ | ||
[rule] | ||
description = """ | ||
Identifies downloads of remote content using Windows CURL executable. This tactic may be indicative of malicious | ||
activity where malware is downloading second stage payloads using built-in Windows programs. | ||
""" | ||
id = "336ada1c-69f8-46e8-bdd2-790c85429696" | ||
license = "Elastic License v2" | ||
name = "Ingress Tool Transfer via CURL" | ||
os_list = ["windows"] | ||
version = "1.0.3" | ||
|
||
query = ''' | ||
process where event.action == "start" and | ||
/* renamed curl or curl running from normal users writable fodlers are very noisy */ | ||
process.executable : ("?:\\Windows\\System32\\curl.exe", "?:\\Windows\\SysWOW64\\curl.exe") and | ||
process.args : ("-o", "--output") and | ||
( | ||
(process.parent.name : ("powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe") and | ||
process.parent.args_count >= 2) or | ||
(process.parent.name : "cmd.exe" and process.parent.command_line : "*curl*") or | ||
descendant of [process where process.name : ("winword.exe", "excel.exe", "powerpnt.exe")] or | ||
process.parent.executable : ("?:\\Users\\Public\\*", "?:\\Users\\*\\AppData\\*", "?:\\ProgramData\\*") | ||
) and | ||
/* lot of legit curl execution via custom bat scripts or interactively via cmd or powershell */ | ||
not (process.parent.name : "cmd.exe" and process.parent.args : "*.bat*") and | ||
not (process.parent.name : ("cmd.exe", "powershell.exe") and process.parent.args_count == 1) and | ||
/* avoid breaking privileged install */ | ||
not user.id : "S-1-5-18" | ||
''' | ||
|
||
optional_actions = [] | ||
[[actions]] | ||
action = "kill_process" | ||
field = "process.entity_id" | ||
state = 0 | ||
|
||
[[threat]] | ||
framework = "MITRE ATT&CK" | ||
[[threat.technique]] | ||
id = "T1105" | ||
name = "Ingress Tool Transfer" | ||
reference = "https://attack.mitre.org/techniques/T1105/" | ||
|
||
|
||
[threat.tactic] | ||
id = "TA0011" | ||
name = "Command and Control" | ||
reference = "https://attack.mitre.org/tactics/TA0011/" | ||
|
||
[internal] | ||
min_endpoint_version = "7.15.0" |
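Review bot: The EQL comment `/* renamed curl or curl running from normal users writable fodlers are very noisy */` has a typo; it should read `folders`. On the output-flag match, EQL's `:` operator is case-insensitive, so `process.args : ("-o", "--output")` already covers `-O`, but the long form `--remote-name` is not listed; for parity with the existing pair consider `process.args : ("-o", "--output", "--remote-name")`. The file is created at `version = "1.0.3"` rather than an initial version, which presumably reflects history kept outside this repository; a one-line comment above `version` saying so would spare the next reader the question.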
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
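--- /dev/null
+++ b/behavior/rules/command_and_control_potential_wizardupdate_malware_infection.toml
@@ -0,0 +1,40 @@
+[rule]
+description = """
+Identifies the execution traces of the WizardUpdate malware. WizardUpdate is a macOS trojan that attempts to infiltrate
+macOS machines to steal data and it is associated with other types of malicious payloads, increasing the chances of
+multiple infections on a device.
+"""
+id = "eb78fa0f-5e8a-4c15-a099-e904c4a226e6"
+license = "Elastic License v2"
+name = "Potential WizardUpdate Malware Infection"
+os_list = ["macos"]
+reference = [
+"https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset",
+"https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/",
+]
+version = "1.0.2"
+
+query = '''
+process where event.action == "exec" and
+(
+(process.name : "sh" and process.command_line : "*=$(curl *eval*$*") or
+(process.name : "curl" and process.command_line : "*_intermediate_agent_*machine_id*")
+)
+'''
+
+optional_actions = []
+[[actions]]
+action = "kill_process"
+field = "process.entity_id"
+state = 0
+
+[[threat]]
+framework = "MITRE ATT&CK"
+
+[threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[internal]
+min_endpoint_version = "7.15.0"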
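Review bot: The first `reference` entry points to the Malpedia page for osx.xcsset, a different family from the WizardUpdate/UpdateAgent malware this rule describes; the same URL is the sole reference of the XCSSET rule added in this commit, so it looks like a copy-and-paste. Replace it with the Malpedia entry for this family if one exists, or drop it and keep only the Microsoft UpdateAgent write-up. Separately, `[[threat]]` carries `framework` and `[threat.tactic]` but no `[[threat.technique]]` entry, unlike the CURL rule in this commit, which maps T1105; the same omission is in behavior/rules/command_and_control_potential_xcsset_malware_infection.toml. If the rule schema expects a technique, add a `[[threat.technique]]` block between `framework` and `[threat.tactic]`; if the omission is deliberate, a `# no ATT&CK technique mapped` comment above `[threat.tactic]` would make that explicit.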
43 changes: 43 additions & 0 deletions
43
behavior/rules/command_and_control_potential_xcsset_malware_infection.toml
@@ -0,0 +1,43 @@ | ||
[rule] | ||
description = """ | ||
Identifies the execution traces of the XCSSET malware. XCSSET is a macOS trojan that primarily spreads via Xcode | ||
projects and maliciously modifies applications. Infected users are also vulnerable to having their credentials, | ||
accounts, and other vital data stolen. | ||
""" | ||
id = "875b71bb-ef09-46b2-9c12-a95112461e85" | ||
license = "Elastic License v2" | ||
name = "Potential XCSSET Malware Infection" | ||
os_list = ["macos"] | ||
reference = ["https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset"] | ||
version = "1.0.2" | ||
|
||
query = ''' | ||
process where event.action == "exec" and | ||
( | ||
(process.name : "curl" and process.parent.name : "bash" and | ||
process.args : ("https://*/sys/log.php", "https://*/sys/prepod.php", "https://*/sys/bin/Pods")) or | ||
(process.name : "osacompile" and process.args : "/Users/*/Library/Group Containers/*" and process.parent.name : "bash") or | ||
(process.name : "plutil" and process.args : "LSUIElement" and process.args : "/Users/*/Library/Group Containers/*" and process.parent.name : "bash") or | ||
(process.name : "zip" and process.args : "-r" and process.args : "/Users/*/Library/Group Containers/*") | ||
) | ||
''' | ||
|
||
optional_actions = [] | ||
[[actions]] | ||
action = "kill_process" | ||
field = "process.entity_id" | ||
state = 0 | ||
|
||
[[threat]] | ||
framework = "MITRE ATT&CK" | ||
|
||
[threat.tactic] | ||
id = "TA0011" | ||
name = "Command and Control" | ||
reference = "https://attack.mitre.org/tactics/TA0011/" | ||
|
||
[internal] | ||
min_endpoint_version = "7.15.0" |