Skip to content

Instantly share code, notes, and snippets.

@traut

traut/new-rules-20250414-rulecheck.stix2.json Secret

Created April 14, 2025 12:38
Show Gist options
  • Save traut/9dd9168085e8a1f154698487bf2d80b4 to your computer and use it in GitHub Desktop.
Save traut/9dd9168085e8a1f154698487bf2d80b4 to your computer and use it in GitHub Desktop.
Download ZIP
STIX2 bundle with all new detection rules mentioned in Detections Digest #20250414 issue
Raw
new-rules-20250414-rulecheck.stix2.json
{
"type": "bundle",
"id": "bundle--77098ae6-09fb-4922-bd0c-41c0c3b26b99",
"objects": [
{
"created": "2025-04-14T12:31:06.929Z",
"created_by_ref": "identity--1f011897-8c5c-4dda-b42e-c881542e2abe",
"description": "Threat actors may attempt to conceal their activity involving PowerShell windows by setting the WindowStyle parameter to hidden. While legitimate administrative tasks may use hidden windows to perform maintenance tasks in the background, this technique can be used by threat actors to evade user suspicion and reduce the likelihood of detection. This use case detects PowerShell executions involving hidden window commands. PowerShell logging is recommended for detection; process creation logs will only detect this activity if the command is executed in a manner that creates a new process, such as powershell -c.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/anvilogic-forge/armory/blob/main/detections/endpoint/powershell_hidden_window/powershell_hidden_window-splunk-edr.yml"
}
],
"id": "indicator--4bd67e4b-d9f5-485f-9563-5987604bbb94",
"indicator_types": [
"defense-evasion",
"execution"
],
"modified": "2025-04-14T12:31:06.929Z",
"name": "PowerShell Hidden Window",
"pattern": "`get_endpoint_data` `get_endpoint_data_edr` (\"-WindowStyle\" OR \"-w\") \"hidden\"\n | regex process=\"(?i)-w(indowStyle)?\\s+hidden\" | table _time, host, user, process,\n parent_process_name | bin span=1s | stats values(*) as * by _time, host ",
"pattern_type": "anvilogic",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-11T15:36:11.000Z"
},
{
"contact_information": "https://github.com/anvilogic-forge/armory",
"created": "2025-04-06T16:27:59.769Z",
"created_by_ref": "identity--e026a301-104b-402e-ab7c-66718579227e",
"id": "identity--1f011897-8c5c-4dda-b42e-c881542e2abe",
"identity_class": "organization",
"modified": "2025-04-06T16:27:59.769Z",
"name": "anvilogic-forge",
"revoked": false,
"sectors": [
"technology"
],
"spec_version": "2.1",
"type": "identity"
},
{
"created": "2025-04-14T12:31:06.929Z",
"created_by_ref": "identity--1f011897-8c5c-4dda-b42e-c881542e2abe",
"description": "Threat actors may abuse browser remote debugging features to extract sensitive data, maintain access, or facilitate communication with C2 servers. This is typically done by launching the browser with specific remote debugging flags, allowing remote access to browser sessions and potentially bypassing traditional security controls. This use case detects instances where a browser is started in remote debugging mode.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/anvilogic-forge/armory/blob/main/detections/endpoint/browser_started_with_remote_debugging-nix/browser_started_with_remote_debugging-nix-splunk-unix.yml"
}
],
"id": "indicator--6be869b9-f651-468f-9be2-7f41a7a352d4",
"indicator_types": [
"malicious-activity"
],
"modified": "2025-04-14T12:31:06.929Z",
"name": "Browser Started with Remote Debugging - *nix",
"pattern": "`get_endpoint_data` `get_endpoint_data_unix` (TERM(Chrome) OR TERM(Chromium) OR TERM(Firefox) OR TERM(Edge)) (\"--remote-debugging-\" OR \"-start-debugger-\") | table _time, host, user, process, parent_process_name, process_path | bin span=1s | stats values(*) as * by _time, host",
"pattern_type": "splunk",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-03-27T17:42:14.000Z"
},
{
"created": "2025-04-14T12:31:06.929Z",
"created_by_ref": "identity--1f011897-8c5c-4dda-b42e-c881542e2abe",
"description": "Threat actors may attempt to conceal their activity involving PowerShell windows by setting the WindowStyle parameter to hidden. This rule detects PowerShell executions involving hidden window commands, potentially used to evade detection. PowerShell logging is recommended for detection.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/anvilogic-forge/armory/blob/main/detections/endpoint/powershell_hidden_window/powershell_hidden_window-splunk-winevent.yml"
}
],
"id": "indicator--235006e1-cb36-43f6-a0b4-c19655855a02",
"indicator_types": [
"defense-evasion:hide artifacts:hidden window",
"execution:command and scripting interpreter",
"defense-evasion:hide artifacts"
],
"modified": "2025-04-14T12:31:06.929Z",
"name": "PowerShell Hidden Window",
"pattern": "`get_endpoint_data` `get_endpoint_data_winevent` (TERM(EventCode=4688) OR \"<EventID>4688<\" OR Type=Process) (\"-WindowStyle\" OR \"-w\") \"hidden\" | regex process=\"(?i)-w(indowStyle)?\\s+hidden\" | table _time, host, user, process, parent_process_name | bin span=1s | stats values(*) as * by _time, host ",
"pattern_type": "splunk",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-11T15:36:11.000Z"
},
{
"created": "2025-04-14T12:31:06.929Z",
"id": "relationship--debeff5e-59b2-4488-8f05-582c7e766353",
"modified": "2025-04-14T12:31:06.929Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--c8d2710e-3629-425a-b5bb-cd37adbe3c5e",
"spec_version": "2.1",
"target_ref": "indicator--235006e1-cb36-43f6-a0b4-c19655855a02",
"type": "relationship"
},
{
"command_line": "powershell",
"defanged": false,
"id": "process--c8d2710e-3629-425a-b5bb-cd37adbe3c5e",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.929Z",
"created_by_ref": "identity--1f011897-8c5c-4dda-b42e-c881542e2abe",
"description": "Threat actors may abuse browser remote debugging features to extract sensitive data, maintain access, or facilitate communication with C2 servers. This is typically done by launching the browser with specific remote debugging flags, allowing remote access to browser sessions and potentially bypassing traditional security controls. This use case detects instances where a browser is started in remote debugging mode.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/anvilogic-forge/armory/blob/main/detections/endpoint/browser_started_with_remote_debugging-nix/browser_started_with_remote_debugging-nix-splunk-edr.yml"
}
],
"id": "indicator--d593c1bc-ab66-412d-8f08-c6f139604b9b",
"indicator_types": [
"malicious-activity"
],
"modified": "2025-04-14T12:31:06.929Z",
"name": "Browser Started with Remote Debugging - *nix",
"pattern": " `get_endpoint_data` `get_endpoint_data_edr` (TERM(Chrome) OR TERM(Chromium) OR TERM(Firefox) OR TERM(Edge)) (\"--remote-debugging-\" OR \"-start-debugger-\") | table _time, host, user, process, parent_process_name, process_path | bin span=1s | stats values(*) as * by _time, host ",
"pattern_type": "spl",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-03-27T17:42:14.000Z"
},
{
"created": "2025-04-14T12:31:06.929Z",
"id": "relationship--c4d9d4f2-4163-48c4-9d6d-25202000f94b",
"modified": "2025-04-14T12:31:06.929Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--2d72fc3d-03f0-4465-96fd-3d491dd313dd",
"spec_version": "2.1",
"target_ref": "indicator--d593c1bc-ab66-412d-8f08-c6f139604b9b",
"type": "relationship"
},
{
"command_line": "Chrome",
"defanged": false,
"id": "process--2d72fc3d-03f0-4465-96fd-3d491dd313dd",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.929Z",
"id": "relationship--4784379d-7054-4d26-bce4-a4336507c72c",
"modified": "2025-04-14T12:31:06.929Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--efcdc25b-b7a3-4b1c-8a01-e9e0ecdc4f36",
"spec_version": "2.1",
"target_ref": "indicator--d593c1bc-ab66-412d-8f08-c6f139604b9b",
"type": "relationship"
},
{
"command_line": "Chromium",
"defanged": false,
"id": "process--efcdc25b-b7a3-4b1c-8a01-e9e0ecdc4f36",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.929Z",
"id": "relationship--12c8cf7d-3998-4972-a64f-9635777b3209",
"modified": "2025-04-14T12:31:06.929Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--1d8f1035-b61e-4294-9858-a76f61ec894b",
"spec_version": "2.1",
"target_ref": "indicator--d593c1bc-ab66-412d-8f08-c6f139604b9b",
"type": "relationship"
},
{
"command_line": "Firefox",
"defanged": false,
"id": "process--1d8f1035-b61e-4294-9858-a76f61ec894b",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.929Z",
"id": "relationship--82531f43-8eb8-42b0-9da9-4cf7db80957e",
"modified": "2025-04-14T12:31:06.929Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--575bd13c-1e8a-4781-84ae-228005a139ae",
"spec_version": "2.1",
"target_ref": "indicator--d593c1bc-ab66-412d-8f08-c6f139604b9b",
"type": "relationship"
},
{
"command_line": "Edge",
"defanged": false,
"id": "process--575bd13c-1e8a-4781-84ae-228005a139ae",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"created_by_ref": "identity--1f011897-8c5c-4dda-b42e-c881542e2abe",
"description": "Threat actors may install remote access tools (RATs) to maintain persistent access to compromised systems. Tools like SimpleHelp or JWrapper Remote Access are often abused for stealthy remote control, masquerading as legitimate IT support tools. This use case detects process creation events with file paths or executable names related to SimpleHelp Remote Access.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/anvilogic-forge/armory/blob/main/detections/endpoint/simplehelp_remote_access_tool_execution/simplehelp_remote_access_tool_execution-splunk-sysmon.yml"
}
],
"id": "indicator--222ba0cd-72fd-4713-9426-029849ecf2ce",
"indicator_types": [
"malicious-activity"
],
"modified": "2025-04-14T12:31:06.930Z",
"name": "SimpleHelp Remote Access Tool Execution",
"pattern": "`get_endpoint_data` `get_endpoint_data_sysmon` (TERM(EventCode=1) OR \"<EventID>1<\")\n \"JWrapper-Remote\" OR \"SimpleHelp\" OR \"SimpleService\" OR \"SimpleGatewayService\" |\n where (match(process_name, \"(?i)(Simple(help(customer)?|service|gatewayservice)|remote\\saccess|windows\\slauncher)\\.exe\")\n and match(process_path, \"(?i)JWrapper-Remote\\s+(Access|Support)\")) or match(process_name,\n \"(?i)Simple(help(customer)?|service|gatewayservice)\\.exe\") | table _time, host,\n user, signature_id, process, process_name, process_path `group_events(\"host\", 5)` ",
"pattern_type": "anvilogic",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-10T19:46:17.000Z"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--e768bcc5-6dda-4631-88fc-a932d2edc9a8",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--32e72b14-4b65-4bd0-94ed-69e0952fb105",
"spec_version": "2.1",
"target_ref": "indicator--222ba0cd-72fd-4713-9426-029849ecf2ce",
"type": "relationship"
},
{
"command_line": "Simple(help(customer)?|service|gatewayservice)\\.exe",
"defanged": false,
"id": "process--32e72b14-4b65-4bd0-94ed-69e0952fb105",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--d4cfc470-1c08-4679-b008-a020c190b1f9",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--39edf791-2283-44cb-ac6c-1c9078a54a1c",
"spec_version": "2.1",
"target_ref": "indicator--222ba0cd-72fd-4713-9426-029849ecf2ce",
"type": "relationship"
},
{
"command_line": "remote access",
"defanged": false,
"id": "process--39edf791-2283-44cb-ac6c-1c9078a54a1c",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--9d2d13ae-ef72-4622-a459-8ba9e2a90a58",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--a2b65ef8-993d-4634-96a2-5ffcf97cd435",
"spec_version": "2.1",
"target_ref": "indicator--222ba0cd-72fd-4713-9426-029849ecf2ce",
"type": "relationship"
},
{
"command_line": "windows launcher",
"defanged": false,
"id": "process--a2b65ef8-993d-4634-96a2-5ffcf97cd435",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"created_by_ref": "identity--1f011897-8c5c-4dda-b42e-c881542e2abe",
"description": "Threat actors may install remote access tools (RATs) to maintain persistent access to compromised systems. Tools like SimpleHelp or JWrapper Remote Access are often abused for stealthy remote control, masquerading as legitimate IT support tools. This use case detects process creation events with file paths or executable names related to SimpleHelp Remote Access. - LOLRMM",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/anvilogic-forge/armory/blob/main/detections/endpoint/simplehelp_remote_access_tool_execution/simplehelp_remote_access_tool_execution-splunk-edr.yml"
}
],
"id": "indicator--538c8721-a65a-438c-9167-02a2ef44968d",
"indicator_types": [
"malicious-activity"
],
"modified": "2025-04-14T12:31:06.930Z",
"name": "SimpleHelp Remote Access Tool Execution",
"pattern": "`get_endpoint_data` `get_endpoint_data_edr` \"JWrapper-Remote\" OR \"SimpleHelp\" OR \"SimpleService\" OR \"SimpleGatewayService\" | where (match(process_name, \"(?i)(Simple(help(customer)?|service|gatewayservice)|remote\\saccess|windows\\slauncher)\\.exe\") and match(process_path, \"(?i)JWrapper-Remote\\s+(Access|Support)\")) or match(process_name, \"(?i)Simple(help(customer)?|service|gatewayservice)\\.exe\") | table _time, host, user, signature_id, process, process_name, process_path `group_events(\"host\", 5)`",
"pattern_type": "anvilogic",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-10T19:46:17.000Z"
},
{
"created": "2025-04-14T12:31:06.930Z",
"created_by_ref": "identity--1f011897-8c5c-4dda-b42e-c881542e2abe",
"description": "The rule aims to detect the installation and operation of remote access tools such as SimpleHelp or JWrapper, often used for stealthy remote control under the guise of legitimate IT support tools. The detection logic targets specific process creation events and file paths associated with these tools.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/anvilogic-forge/armory/blob/main/detections/endpoint/simplehelp_remote_access_tool_execution/simplehelp_remote_access_tool_execution-splunk-winevent.yml"
}
],
"id": "indicator--21bae9f8-7623-45f3-ae9a-15a9ccd2f375",
"indicator_types": [
"malicious-activity",
"command-and-control"
],
"modified": "2025-04-14T12:31:06.930Z",
"name": "SimpleHelp Remote Access Tool Execution",
"pattern": "`get_endpoint_data` `get_endpoint_data_winevent` (TERM(EventCode=4688) OR \"<EventID>4688<\" OR Type=Process) \"JWrapper-Remote\" OR \"SimpleHelp\" OR \"SimpleService\" OR \"SimpleGatewayService\" | where (match(process_name, \"(?i)(Simple(help(customer)?|service|gatewayservice)|remote\\saccess|windows\\slauncher)\\.exe\") and match(process_path, \"(?i)JWrapper-Remote\\s+(Access|Support)\")) or match(process_name, \"(?i)Simple(help(customer)?|service|gatewayservice)\\.exe\") | table _time, host, user, signature_id, process, process_name, process_path `group_events(\"host\", 5)` ",
"pattern_type": "anvilogic",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-10T19:46:17.000Z"
},
{
"created": "2025-04-14T12:31:06.930Z",
"created_by_ref": "identity--1f011897-8c5c-4dda-b42e-c881542e2abe",
"description": "Threat actors may attempt to conceal their activity involving PowerShell windows by setting the WindowStyle parameter to hidden. This technique can be used by threat actors to evade detection and reduce suspicion. The rule detects PowerShell executions with hidden window commands using process creation logs, highlighting the need for PowerShell logging.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/anvilogic-forge/armory/blob/main/detections/endpoint/powershell_hidden_window/powershell_hidden_window-splunk-powershell.yml"
}
],
"id": "indicator--900d298b-a015-4523-885e-1dc14e757c44",
"indicator_types": [
"defense-evasion",
"execution"
],
"modified": "2025-04-14T12:31:06.930Z",
"name": "PowerShell Hidden Window",
"pattern": "`get_endpoint_data` `get_endpoint_data_powershell` (TERM(EventCode=4104) OR \"<EventID>4104<\" OR TERM(EventCode=4103) OR \"<EventID>4103<\") (\"-WindowStyle\" OR \"-w\") \"hidden\" | regex process=\"(?i)-w(indowStyle)?\\s+hidden\" | table _time, host, user, process, parent_process_name | bin span=1s | stats values(*) as * by _time, host ",
"pattern_type": "splunk",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-11T15:36:11.000Z"
},
{
"created": "2025-04-14T12:31:06.930Z",
"created_by_ref": "identity--b7c6f775-e53e-4b20-9884-436504cd67f3",
"description": "Detects the use of the 'Get-ADComputer' cmdlet to identify systems configured for unconstrained delegation. Helps discover unauthorized attempts to access special properties of Active Directory computers. This detection leverages Script Block Text to capture specific properties often queried in these scenarios.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/powershell/powershell_script/posh_ps_potential_unconstrained_delegation_discovery.yml"
}
],
"id": "indicator--7690f011-bb71-41b5-a250-0ec1be0a6147",
"indicator_types": [
"malicious-activity",
"discovery"
],
"modified": "2025-04-14T12:31:06.930Z",
"name": "Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock",
"pattern": "title: Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock\nid: cdfa73b6-3c9d-4bb8-97f8-ddbd8921f5c5\nstatus: experimental\ndescription: Detects the use of the \"Get-ADComputer\" cmdlet in order to identify systems which are configured for unconstrained delegation.\nreferences:\n - https://pentestlab.blog/2022/03/21/unconstrained-delegation/\n - https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer?view=windowsserver2022-ps\nauthor: frack113\ndate: 2025-03-05\ntags:\n - attack.reconnaissance\n - attack.discovery\n - attack.credential-access\n - attack.t1018\n - attack.t1558\n - attack.t1589.002\nlogsource:\n product: windows\n category: ps_script\n definition: 'Requirements: Script Block Logging must be enable'\ndetection:\n selection:\n ScriptBlockText|contains:\n - '-Properties*TrustedForDelegation'\n - '-Properties*TrustedToAuthForDelegation'\n - '-Properties*msDS-AllowedToDelegateTo'\n - '-Properties*PrincipalsAllowedToDelegateToAccount'\n - '-LDAPFilter*(userAccountControl:1.2.840.113556.1.4.803:=524288)'\n condition: selection\nfalsepositives:\n - Legitimate use of the library for administrative activity\nlevel: medium\n",
"pattern_type": "sigma",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-07T09:02:17.000Z"
},
{
"contact_information": "https://github.com/SigmaHQ/sigma",
"created": "2025-04-06T16:27:59.769Z",
"created_by_ref": "identity--e026a301-104b-402e-ab7c-66718579227e",
"id": "identity--b7c6f775-e53e-4b20-9884-436504cd67f3",
"identity_class": "organization",
"modified": "2025-04-06T16:27:59.769Z",
"name": "SigmaHQ",
"revoked": false,
"sectors": [
"technology"
],
"spec_version": "2.1",
"type": "identity"
},
{
"created": "2025-04-14T12:31:06.930Z",
"created_by_ref": "identity--71847679-ee68-441f-a281-8dc38deece1d",
"description": "Detects StealC v2 malware using specific hex patterns in executable files.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/RussianPanda95/Yara-Rules/blob/main/StealC/win_mal_StealC_v2.yar"
}
],
"id": "indicator--29f3a9b4-4c22-4391-90ae-30d7e9d18a30",
"indicator_types": [
"malicious-activity",
"attribution"
],
"modified": "2025-04-14T12:31:06.930Z",
"name": "win_mal_StealC_v2",
"pattern": "rule win_mal_StealC_v2 {\n meta:\n author = \"RussianPanda\"\n description = \"Detects StealC v2\"\n hash = \"bc7e489815352f360b6f0c0064e1d305db9150976c4861b19b614be0a5115f97\"\n date = \"4/10/2025\"\n strings:\n $s1 = {48 8d ?? ?? ?? ?? 00 48 8d}\n $s2 = {0F B7 C8 81 E9 19 04 00 00 74 14 83 E9 09 74 0F 83 E9 01 74 0A 83 E9 1C 74 05 83 F9 04 75 08}\n condition:\n uint16(0) == 0x5A4D and #s1 > 500 and all of them and filesize < 900KB\n}",
"pattern_type": "yara",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-10T20:56:34.000Z"
},
{
"contact_information": "https://github.com/RussianPanda95/Yara-Rules",
"created": "2025-04-06T16:27:59.769Z",
"created_by_ref": "identity--e026a301-104b-402e-ab7c-66718579227e",
"id": "identity--71847679-ee68-441f-a281-8dc38deece1d",
"identity_class": "individual",
"modified": "2025-04-06T16:27:59.769Z",
"name": "RussianPanda95",
"revoked": false,
"sectors": [
"technology"
],
"spec_version": "2.1",
"type": "identity"
},
{
"created": "2025-04-14T12:31:06.930Z",
"created_by_ref": "identity--71847679-ee68-441f-a281-8dc38deece1d",
"description": "Detects AMOS Stealer infections based on specific patterns in the file header and byte sequences.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/RussianPanda95/Yara-Rules/blob/main/AMOS/amos_stealer_4_25.yar"
}
],
"id": "indicator--7216c3dd-ef7f-4e5b-a1c6-6242d54dab54",
"indicator_types": [
"malicious-activity"
],
"modified": "2025-04-14T12:31:06.930Z",
"name": "AMOS_Stealer",
"pattern": "rule AMOS_Stealer\n{\n meta:\n description = \"Detects AMOS Stealer\"\n author = \"RussianPanda\"\n date = \"2025-04-11\"\n hash = \"55663778a8c593b77a82ea1be072c73dd6a1d7a9567bbfbfad7d3dec9f672996\"\n \n strings:\n $op1 = {E8 ?? ?? ?? ?? EB 00 48 8D}\n $op2 = {48 8D BD ?? ?? FF FF E8 ?? ?? 00 00 48 8D BD}\n \n condition:\n (\n uint32(0) == 0xfeedface or\n uint32(0) == 0xcefaedfe or \n uint32(0) == 0xfeedfacf or \n uint32(0) == 0xcffaedfe or \n uint32(0) == 0xcafebabe or \n uint32(0) == 0xbebafeca or\n uint32(0) == 0xcafebabf or\n uint32(0) == 0xbfbafeca\n ) and (#op1 > 50000 and #op2 > 4)\n}\n",
"pattern_type": "yara",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-01T04:03:22.000Z"
},
{
"created": "2025-04-14T12:31:06.930Z",
"created_by_ref": "identity--c7ebc9b7-769b-40e1-ab0e-e6349394ca3e",
"description": "Detects resources embedded within Octowave Loader MSI installers. This YARA rule looks for specific characteristics such as file size, specific embedded strings, and known malicious hashes. It is targeted at identifying potential threats embedded within MSI files.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/Neo23x0/signature-base/blob/master/yara/mal_octowave_installer_mar25.yar"
}
],
"id": "indicator--3eea84fa-3849-4a33-a965-6f53239ca94e",
"indicator_types": [
"malicious-activity"
],
"modified": "2025-04-14T12:31:06.930Z",
"name": "Octowave_Installer_03_2025",
"pattern": "rule Octowave_Installer_03_2025\n{\n meta:\n description = \"Detects resources embedded within Octowave Loader MSI installers\"\n author = \"Jai Minton (@CyberRaiju) - HuntressLabs\"\n date = \"2025-03-28\"\n license = \"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE\"\n yt_reference = \"https://www.youtube.com/watch?v=NiNIbkiuExU\"\n reference = \"https://x.com/CyberRaiju/status/1893450184224362946?t=u0X6ST2Qgnrf-ujjphGOSg&s=19\"\n hash1 = \"05b025b8475c0acbc9a5d2cd13c15088a2fb452aa514d0636f145e1c4c93e6ee\"\n hash2 = \"500462c4fb6e4d0545f04d63ef981d9611b578948e5cfd61d840ff8e2f206587\"\n hash3 = \"5ee9e74605b0c26b39b111a89139d95423e54f7a54decf60c7552f45b8b60407\"\n hash4 = \"76efc8c64654d8f2318cc513c0aaf0da612423b1715e867b4622712ba0b3926f\"\n hash5 = \"c3e2af892b813f3dcba4d0970489652d6f195b7985dc98f08eaddca7727786f0\"\n hash6 = \"d7816ba6ddda0c4e833d9bba85864de6b1bd289246fcedae84b8a6581db3f5b6\"\n hash7 = \"e93969a57ef2a7aee13a159cbf2015e2c8219d9153078e257b743d5cd90f05cb\"\n hash8 = \"45984ae78d18332ecb33fe3371e5eb556c0db86f1d3ba8a835b72cd61a7eeecf\"\n id = \"56685a0a-523d-4060-a008-aa28542cb85c\"\n strings:\n $string1 = \"LaunchConditionsValidateProductIDProcessComponentsUnpublishFeaturesRemoveFilesRegisterUserRegisterProductInstalled OR PhysicalMemory >= 2048\" ascii\n $string2 = \".cab\" ascii\n $string3 = \".wav\" ascii\n $string4 = \".dll\" ascii\n \n $supporting1 = \".raw\" ascii\n $supporting2 = \".db\" ascii\n $supporting3 = \".pak\" ascii\n $supporting4 = \".bin\" ascii\n $supporting5 = \".bak\" ascii\n $supporting6 = \".dat\" ascii\n condition:\n (uint32(0) == 0xe011cfd0)\n and filesize < 200000KB\n and all of ($string*)\n and 1 of ($supporting*)\n}",
"pattern_type": "yara",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-07T22:37:42.000Z"
},
{
"contact_information": "https://github.com/Neo23x0/signature-base",
"created": "2025-04-06T16:27:59.769Z",
"created_by_ref": "identity--e026a301-104b-402e-ab7c-66718579227e",
"id": "identity--c7ebc9b7-769b-40e1-ab0e-e6349394ca3e",
"identity_class": "individual",
"modified": "2025-04-06T16:27:59.769Z",
"name": "Neo23x0",
"revoked": false,
"sectors": [
"technology"
],
"spec_version": "2.1",
"type": "identity"
},
{
"created": "2025-04-14T12:31:06.930Z",
"created_by_ref": "identity--c7ebc9b7-769b-40e1-ab0e-e6349394ca3e",
"description": "This Yara rule is designed to detect the main components of the first version of RALord Ransomware. It includes specific code patterns and strings associated with this ransomware family. The rule aims to identify the presence of these components in a given file by matching certain byte patterns and string sets, signaling potential malware activity.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/Neo23x0/signature-base/blob/master/yara/mal_ralordv1_win_ap25.yar"
}
],
"id": "indicator--bdf31324-0657-4e18-9845-16b1da2bc086",
"indicator_types": [
"malicious-activity"
],
"modified": "2025-04-14T12:31:06.930Z",
"name": "mal_ralordv1_win_ap25",
"pattern": "rule mal_ralordv1_win_ap25 {\n meta:\n description = \"This ISH Tecnologia Yara rule, detects the main components of the first version of RALord Ransomware\"\n author = \"0x0d4y-Ícaro César\"\n date = \"2025-04-01\"\n score = 100\n reference = \"https://ish.com.br/wp-content/uploads/2025/04/RALord-Novo-grupo-de-Ransomware-as-a-Service-1.pdf\"\n hash = \"BE15F62D14D1CBE2AECCE8396F4C6289\"\n uuid = \"67254633-3597-4770-9806-8b2e26c8f66a\"\n license = \"CC BY 4.0\"\n rule_matching_tlp = \"TLP:WHITE\"\n rule_sharing_tlp = \"TLP:WHITE\"\n malpedia_family = \"win.ralord\"\n\n strings:\n $code_pattern_quarterround = { 4? 31 ?? 48 8b ?? ?? ?? 4? 31 ?? 48 8b ?? ?? ?? 31 e8 4? 31 ?? 41 c1 ?? 0c c1 ?? 0c c1 ?? 0c 48 89 c2 c1 ?? 0c }\n $code_pattern_custom_alg = { 0f 57 ?? 0f 10 ?? c5 ?? ?? ?? ?? 0f 57 ?? 0f 10 ?? c5 ?? ?? ?? ?? 0f 57 ?? 0f 10 ?? c5 ?? ?? ?? ?? 0f 57 ?? 0f 11 ?? c5 ?? ?? ?? ?? 0f 11 ?? c5 ?? ?? ?? ?? 0f 11 ?? c5 ?? ?? ?? ?? 0f 11 ?? c5 ?? ?? ?? ?? 48 83 c0 08 48 3d 8? }\n $ralord_str_I = \"chacha\" wide ascii\n $ralord_str_II = \"scorp\" wide ascii\n $ralord_str_III = \"RALord\" wide ascii\n $ralord_str_IV = \"onion\" wide ascii\n $ralord_str_V = \"/rust\" wide ascii\n $ralord_str_VI = \"BCryptGenRandom\" wide ascii\n\n condition:\n uint16(0) == 0x5a4d and\n all of ($code_pattern_*) and\n 4 of ($ralord_str_*)\n}",
"pattern_type": "yara",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-07T20:32:54.000Z"
},
{
"created": "2025-04-14T12:31:06.930Z",
"created_by_ref": "identity--557477bb-14ac-42d1-b651-9f92cb2a1f1a",
"description": "Detects when unsigned executable is loaded into process address space. The module is considered unsigned if it lacks the cert in the PE security directory.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/rabbitstack/fibratus/blob/master/rules/macros/macros.yml"
}
],
"id": "indicator--ec1fd8d3-46d3-4113-a22b-a676d3625942",
"indicator_types": [
"malicious-activity"
],
"modified": "2025-04-14T12:31:06.930Z",
"name": "load_unsigned_executable",
"pattern": "- macro: load_unsigned_executable\n expr: >\n load_executable\n and\n image.signature.type = 'NONE'",
"pattern_type": "fibratus",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2022-11-12T22:08:03.000Z"
},
{
"contact_information": "https://github.com/rabbitstack/fibratus",
"created": "2025-04-06T16:27:59.769Z",
"created_by_ref": "identity--e026a301-104b-402e-ab7c-66718579227e",
"id": "identity--557477bb-14ac-42d1-b651-9f92cb2a1f1a",
"identity_class": "individual",
"modified": "2025-04-06T16:27:59.769Z",
"name": "rabbitstack",
"revoked": false,
"sectors": [
"technology"
],
"spec_version": "2.1",
"type": "identity"
},
{
"created": "2025-04-14T12:31:06.930Z",
"created_by_ref": "identity--557477bb-14ac-42d1-b651-9f92cb2a1f1a",
"description": "Identifies the execution of a suspicious Netsh Helper DLL. Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe is a command-line scripting utility used to interact with the network configuration of a system. It supports the addition of custom DLLs to extend its functionality that attackers can weaponize.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/rabbitstack/fibratus/blob/master/rules/persistence_suspicious_netsh_helper_dll_execution.yml"
}
],
"id": "indicator--5acf006c-a188-481e-b5b1-ce18b185acb9",
"indicator_types": [
"malicious-activity"
],
"modified": "2025-04-14T12:31:06.930Z",
"name": "Suspicious Netsh Helper DLL execution",
"pattern": "sequence\n maxspan 1m\n |spawn_process and (ps.child.name ~= 'netsh.exe' or ps.child.pe.file.name ~= 'netsh.exe')| by ps.child.uuid\n |create_thread and foreach(thread._callstack, $frame, $frame.symbol imatches '*!InitHelperDll' \n and ($frame.module.signature.is_signed = false or $frame.module.signature.is_trusted = false))\n | by ps.uuid",
"pattern_type": "fibratus",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-01T17:30:54.000Z"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--97665e06-2e24-4c20-9e27-8dc305828ad9",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--f001d35b-2c8f-457c-8d48-c6e068f3e93a",
"spec_version": "2.1",
"target_ref": "indicator--5acf006c-a188-481e-b5b1-ce18b185acb9",
"type": "relationship"
},
{
"command_line": "netsh.exe",
"defanged": false,
"id": "process--f001d35b-2c8f-457c-8d48-c6e068f3e93a",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"created_by_ref": "identity--557477bb-14ac-42d1-b651-9f92cb2a1f1a",
"description": "Identifies the creation of an LSASS clone process via RtlCreateProcessReflection API function. Adversaries can use this technique to dump credentials material from the LSASS fork and evade defenses. This detection helps identify attempts to access sensitive process memory by malicious actors.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/rabbitstack/fibratus/blob/master/rules/credential_access_lsass_process_clone_creation_via_reflection.yml"
}
],
"id": "indicator--e92bae2e-7b6e-4949-bb3a-bc05e10b07db",
"indicator_types": [
"malicious-activity",
"compromised"
],
"modified": "2025-04-14T12:31:06.930Z",
"name": "LSASS process clone creation via reflection",
"pattern": "spawn_process and ps.name ~= 'lsass.exe' and ps.child.name ~= 'lsass.exe' and thread.callstack.symbols imatches ('ntdll.dll!RtlCloneUserProcess', 'ntdll.dll!RtlCreateProcessReflection')",
"pattern_type": "fibratus",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-08T19:36:03.000Z"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--8d4db68b-2fc2-4850-b3ac-a83efa2e6aae",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--30c9367c-c8bd-43cc-8b3b-f3057d044eb0",
"spec_version": "2.1",
"target_ref": "indicator--e92bae2e-7b6e-4949-bb3a-bc05e10b07db",
"type": "relationship"
},
{
"command_line": "lsass.exe",
"defanged": false,
"id": "process--30c9367c-c8bd-43cc-8b3b-f3057d044eb0",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"created_by_ref": "identity--557477bb-14ac-42d1-b651-9f92cb2a1f1a",
"description": "Identifies suspicious process accessing the Windows hosts file for potential tampering. Adversaries can hijack the hosts files to block traffic to download/update servers or redirect the traffic to arbitrary servers under their control.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/rabbitstack/fibratus/blob/master/rules/defense_evasion_suspicious_access_to_the_hosts_file.yml"
}
],
"id": "indicator--364597f7-d026-43c5-bf6e-f5d38c977894",
"indicator_types": [
"anomalous-activity",
"malicious-activity"
],
"modified": "2025-04-14T12:31:06.930Z",
"name": "Suspicious access to the hosts file",
"pattern": "sequence\nmaxspan 5m\n |spawn_process and not ps.child.exe imatches \n (\n '?:\\Windows\\servicing\\TrustedInstaller.exe',\n '?:\\Windows\\System32\\svchost.exe',\n '?:\\Windows\\System32\\MicrosoftEdgeUpdate.exe',\n '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe'\n )\n | by ps.child.uuid\n |open_file and file.path imatches '?:\\Windows\\System32\\drivers\\etc\\hosts'| by ps.uuid",
"pattern_type": "fibratus",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-11T15:54:04.000Z"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--2b89600b-97df-46f7-9815-fab8ed66ff66",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "directory--f48c4bc1-4eff-58ea-97db-793418f8daaa",
"spec_version": "2.1",
"target_ref": "indicator--364597f7-d026-43c5-bf6e-f5d38c977894",
"type": "relationship"
},
{
"defanged": false,
"id": "directory--f48c4bc1-4eff-58ea-97db-793418f8daaa",
"path": "?:\\Windows\\servicing",
"spec_version": "2.1",
"type": "directory"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--4b1b3c51-4eca-4707-895f-26a6851c8c47",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "directory--79b0bb5d-537d-5caf-a080-d1a16fa0e2cf",
"spec_version": "2.1",
"target_ref": "indicator--364597f7-d026-43c5-bf6e-f5d38c977894",
"type": "relationship"
},
{
"defanged": false,
"id": "directory--79b0bb5d-537d-5caf-a080-d1a16fa0e2cf",
"path": "?:\\Windows\\System32",
"spec_version": "2.1",
"type": "directory"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--26144f08-60a2-443d-8fb3-745fe3743534",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "directory--0b81ddd6-02ea-5fa8-83e1-d38b0ac92b8e",
"spec_version": "2.1",
"target_ref": "indicator--364597f7-d026-43c5-bf6e-f5d38c977894",
"type": "relationship"
},
{
"defanged": false,
"id": "directory--0b81ddd6-02ea-5fa8-83e1-d38b0ac92b8e",
"path": "?:\\Program Files (x86)",
"spec_version": "2.1",
"type": "directory"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--4d99bddf-4fac-4686-80c2-c2898d2fe308",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--87f81257-8710-47a6-a649-df859b93ba88",
"spec_version": "2.1",
"target_ref": "indicator--364597f7-d026-43c5-bf6e-f5d38c977894",
"type": "relationship"
},
{
"command_line": "TrustedInstaller.exe",
"defanged": false,
"id": "process--87f81257-8710-47a6-a649-df859b93ba88",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--0b531753-36ec-4a00-bb94-571b37964207",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--66af4cf0-4804-4b6b-bd8b-e5a45ab850b5",
"spec_version": "2.1",
"target_ref": "indicator--364597f7-d026-43c5-bf6e-f5d38c977894",
"type": "relationship"
},
{
"command_line": "svchost.exe",
"defanged": false,
"id": "process--66af4cf0-4804-4b6b-bd8b-e5a45ab850b5",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--8a935c4e-1a90-4aa9-a35b-0f841a718419",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--69b508fe-2ccd-491c-8aef-1694e1b551a9",
"spec_version": "2.1",
"target_ref": "indicator--364597f7-d026-43c5-bf6e-f5d38c977894",
"type": "relationship"
},
{
"command_line": "MicrosoftEdgeUpdate.exe",
"defanged": false,
"id": "process--69b508fe-2ccd-491c-8aef-1694e1b551a9",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--f3652acf-d3af-497e-ac0e-9975dc5c29a8",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--2cec5c28-74c6-4293-9e9b-5ca77bb4dbf7",
"spec_version": "2.1",
"target_ref": "indicator--364597f7-d026-43c5-bf6e-f5d38c977894",
"type": "relationship"
},
{
"command_line": "msedge.exe",
"defanged": false,
"id": "process--2cec5c28-74c6-4293-9e9b-5ca77bb4dbf7",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"created_by_ref": "identity--557477bb-14ac-42d1-b651-9f92cb2a1f1a",
"description": "Detects attempts by an unsigned process to access the Local Security Authority Subsystem Service (LSASS). Adversaries may try to dump credential information stored in the process memory of LSASS.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/rabbitstack/fibratus/blob/master/rules/credential_access_lsass_access_from_unsigned_executable.yml"
}
],
"id": "indicator--efc675df-62cd-4dfd-8146-c0cd483b4075",
"indicator_types": [
"malicious-activity"
],
"modified": "2025-04-14T12:31:06.930Z",
"name": "LSASS access from unsigned executable",
"pattern": "name: LSASS access from unsigned executable\nid: 348bf896-2201-444f-b1c9-e957a1f063bf\nversion: 1.0.0\ndescription: |\n Detects attempts by an unsigned process to access the Local Security Authority Subsystem Service (LSASS). \n Adversaries may try to dump credential information stored in the process memory of LSASS.\nlabels:\n tactic.id: TA0006\n tactic.name: Credential Access\n tactic.ref: https://attack.mitre.org/tactics/TA0006/\n technique.name: OS Credential Dumping\n technique.ref: https://attack.mitre.org/techniques/T1003/\n subtechnique.id: T1003.001\n subtechnique.name: LSASS Memory\n subtechnique.ref: https://attack.mitre.org/techniques/T1003/001/\nreferences:\n - https://redcanary.com/threat-detection-report/techniques/lsass-memory/\n\ncondition: >\n sequence\n maxspan 7m\n by ps.uuid\n |load_unsigned_executable|\n |((open_process) or (open_thread)) and kevt.arg[exe] imatches '?:\\\\Windows\\\\System32\\\\lsass.exe'|\naction:\n - name: kill\n\noutput: >\n Unsigned executable %1.image.path attempted to access Local Security Authority Subsystem Service\nseverity: high\n\nmin-engine-version: 2.2.0\n",
"pattern_type": "fibratus",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-03-27T17:26:55.000Z"
},
{
"created": "2025-04-14T12:31:06.930Z",
"created_by_ref": "identity--557477bb-14ac-42d1-b651-9f92cb2a1f1a",
"description": "Adversaries may employ the undocumented EtwpCreateEtwThread function to execute shellcode within the local process address space. This rule detects the usage of this API to identify potential attempts to inject code into processes. By monitoring for specific call stack symbols and excluding known benign processes, it aims to identify malicious activity that employs this technique.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/rabbitstack/fibratus/blob/master/rules/defense_evasion_potential_shellcode_execution_via_etw_logger_thread.yml"
}
],
"id": "indicator--505e6a65-9ea6-43c1-a0f4-9645fb34c7ef",
"indicator_types": [
"compromised",
"malicious-activity"
],
"modified": "2025-04-14T12:31:06.930Z",
"name": "Potential shellcode execution via ETW logger thread",
"pattern": "name: Potential shellcode execution via ETW logger thread\nid: 3e915273-5ea0-4576-afc9-b018e2d53545\nversion: 1.0.0\ndescription: |\n Adversaries may employ the undocumented EtwpCreateEtwThread function to execute shellcode \n within the local process address space.\nlabels:\n tactic.id: TA0005\n tactic.name: Defense Evasion\n tactic.ref: https://attack.mitre.org/tactics/TA0005/\n technique.id: T1055\n technique.name: Process Injection\n technique.ref: https://attack.mitre.org/techniques/T1055/\nreferences:\n - https://www.geoffchappell.com/studies/windows/win32/ntdll/api/etw/index.htm\n - https://github.com/Ne0nd0g/go-shellcode/tree/master?tab=readme-ov-file#EtwpCreateEtwThread\n\ncondition: >\n create_thread and kevt.pid != 4 and thread.callstack.symbols iin ('ntdll.dll!EtwpCreateEtwThread')\n and\n not\n (ps.exe imatches\n (\n '?:\\\\WINDOWS\\\\System32\\\\ProvTool.exe',\n '?:\\\\Windows\\\\System32\\\\LogonUI.exe'\n )\n or\n thread.callstack.symbols imatches ('ntdll.dll!EtwProcessPrivateLoggerRequest', 'sechost.dll!ControlTrace*')\n )\n\noutput: >\n Potential shellcode execution via EtwpCreateEtwThread API initiated by process %ps.exe\nseverity: high\n\nmin-engine-version: 2.2.0\n",
"pattern_type": "fibratus",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-02T21:44:30.000Z"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--ea730a2b-67ba-4a1c-a895-2fed3522e7e5",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "directory--1b8d7020-2cfd-5270-bb16-d833cee25786",
"spec_version": "2.1",
"target_ref": "indicator--505e6a65-9ea6-43c1-a0f4-9645fb34c7ef",
"type": "relationship"
},
{
"defanged": false,
"id": "directory--1b8d7020-2cfd-5270-bb16-d833cee25786",
"path": "?:\\WINDOWS\\System32\\",
"spec_version": "2.1",
"type": "directory"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--6d33d055-edf4-4394-ab48-b8f6bb791df8",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "directory--7c29f3ec-f10f-5f35-a355-bf5eb4c5893e",
"spec_version": "2.1",
"target_ref": "indicator--505e6a65-9ea6-43c1-a0f4-9645fb34c7ef",
"type": "relationship"
},
{
"defanged": false,
"id": "directory--7c29f3ec-f10f-5f35-a355-bf5eb4c5893e",
"path": "?:\\Windows\\System32\\",
"spec_version": "2.1",
"type": "directory"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--3bbe822a-7696-40e4-9542-66116aeaa701",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--bb927e39-93e8-4730-a665-b432c93bfc01",
"spec_version": "2.1",
"target_ref": "indicator--505e6a65-9ea6-43c1-a0f4-9645fb34c7ef",
"type": "relationship"
},
{
"command_line": "ntdll.dll!EtwpCreateEtwThread",
"defanged": false,
"id": "process--bb927e39-93e8-4730-a665-b432c93bfc01",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--b8a0775e-e6c2-47ac-82ee-86c11ab78940",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--f60345ce-ac7c-4082-8c7f-cbf6c52f3b47",
"spec_version": "2.1",
"target_ref": "indicator--505e6a65-9ea6-43c1-a0f4-9645fb34c7ef",
"type": "relationship"
},
{
"command_line": "ntdll.dll!EtwProcessPrivateLoggerRequest",
"defanged": false,
"id": "process--f60345ce-ac7c-4082-8c7f-cbf6c52f3b47",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--d99eee76-9667-4573-a112-f1726f4e9488",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--81bb467d-9390-4f57-9a89-ca5d358492c3",
"spec_version": "2.1",
"target_ref": "indicator--505e6a65-9ea6-43c1-a0f4-9645fb34c7ef",
"type": "relationship"
},
{
"command_line": "sechost.dll!ControlTrace*",
"defanged": false,
"id": "process--81bb467d-9390-4f57-9a89-ca5d358492c3",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"created_by_ref": "identity--557477bb-14ac-42d1-b651-9f92cb2a1f1a",
"description": "The rule identifies suspicious access to the LSASS process from a callstack pointing to seclogon.dll, which may be indicative of an attempt to leak an LSASS handle via the Secondary Logon service. This behavior is often associated with credential access activities such as OS Credential Dumping.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/rabbitstack/fibratus/blob/master/rules/credential_access_lsass_handle_leak_via_seclogon.yml"
}
],
"id": "indicator--016ff705-d5f6-4fb5-9a9c-7a0e4c051d21",
"indicator_types": [
"malicious-activity"
],
"modified": "2025-04-14T12:31:06.930Z",
"name": "LSASS handle leak via Seclogon",
"pattern": "open_process and kevt.arg[exe] imatches '?:\\\\Windows\\\\System32\\\\lsass.exe' and ps.name ~= 'svchost.exe' and ps.access.mask.names in ('CREATE_PROCESS', 'DUP_HANDLE') and thread.callstack.modules imatches ('*seclogon.dll')",
"pattern_type": "fibratus",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-03-27T21:25:34.000Z"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--49853ebd-27e8-489b-8637-b00e6ddc14ff",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "file--f0540a42-c82f-53bb-a0b8-c7dbc48ae731",
"spec_version": "2.1",
"target_ref": "indicator--016ff705-d5f6-4fb5-9a9c-7a0e4c051d21",
"type": "relationship"
},
{
"defanged": false,
"hashes": {},
"id": "file--f0540a42-c82f-53bb-a0b8-c7dbc48ae731",
"name": "lsass.exe",
"spec_version": "2.1",
"type": "file"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--1da2dc20-e31d-4c22-9275-2d7d858d8a55",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--400d7006-97fa-40f6-9985-4a4e3ebb8264",
"spec_version": "2.1",
"target_ref": "indicator--016ff705-d5f6-4fb5-9a9c-7a0e4c051d21",
"type": "relationship"
},
{
"command_line": "svchost.exe",
"defanged": false,
"id": "process--400d7006-97fa-40f6-9985-4a4e3ebb8264",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"created_by_ref": "identity--557477bb-14ac-42d1-b651-9f92cb2a1f1a",
"description": "Detects attempts to bypass the standard NTDLL bootstrap process by loading a malicious DLL early through hijacking. The malicious DLL, containing attacker-controlled code, is loaded in place of the legitimate kernel32 DLL. This rule aims to identify such hijacking endeavors by focusing on the DLL's early loading footprint within the system.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/rabbitstack/fibratus/blob/master/rules/defense_evasion_dll_loaded_via_ldrpkernel32_overwrite.yml"
}
],
"id": "indicator--239104ec-f5f9-4514-ae16-63f81268ab51",
"indicator_types": [
"malicious-activity",
"defense-evasion"
],
"modified": "2025-04-14T12:31:06.930Z",
"name": "DLL loaded via LdrpKernel32 overwrite",
"pattern": "name: DLL loaded via LdrpKernel32 overwrite\nid: 56739eda-210f-4a30-a114-d55ca60976df\nversion: 1.0.0\ndescription: |\n Detects attempts to bypass the standard NTDLL bootstrap process by loading a malicious DLL early through hijacking. \n The malicious DLL, containing attacker-controlled code, is loaded in place of the legitimate kernel32 DLL.\nlabels:\n tactic.id: TA0005\n tactic.name: Defense Evasion\n tactic.ref: https://attack.mitre.org/tactics/TA0005/\n technique.name: Hijack Execution Flow\n technique.ref: https://attack.mitre.org/techniques/T1574/\n subtechnique.id: T1574.001\n subtechnique.name: DLL Search Order Hijacking\n subtechnique.ref: https://attack.mitre.org/techniques/T1574/001/\nreferences:\n - https://github.com/rbmm/LdrpKernel32DllName\n - https://www.elastic.co/security-labs/peeling-back-the-curtain-with-call-stacks\n\ncondition: >\n (load_unsigned_or_untrusted_dll) and thread.callstack.symbols imatches ('*!BaseThreadInitThunk*')\n and\n not\n foreach(thread._callstack, $frame, \n $frame.symbol imatches ('?:\\\\Windows\\\\System32\\\\kernel32.dll!BaseThreadInitThunk*',\n '?:\\\\Windows\\\\SysWOW64\\\\kernel32.dll!BaseThreadInitThunk*',\n '?:\\\\Windows\\\\WinSxS\\\\*\\\\kernel32.dll!BaseThreadInitThunk*',\n '?:\\\\Windows\\\\WinSxS\\\\Temp\\\\PendingDeletes\\\\*!BaseThreadInitThunk*',\n '\\\\Device\\\\*\\\\Windows\\\\*\\\\kernel32.dll!BaseThreadInitThunk*')) and\n not image.path imatches '?:\\\\Windows\\\\assembly\\\\NativeImages_*\\\\System.Numerics.ni.dll'\naction:\n - name: kill\n\noutput: >\n DLL %image.path loaded via LdrpKernel32 overwrite evasion by process %ps.exe\nseverity: high\n\nmin-engine-version: 2.4.0\n",
"pattern_type": "fibratus",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-11T15:52:39.000Z"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--50fe83c3-d638-475c-9f4c-e78909a8142d",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "directory--79b0bb5d-537d-5caf-a080-d1a16fa0e2cf",
"spec_version": "2.1",
"target_ref": "indicator--239104ec-f5f9-4514-ae16-63f81268ab51",
"type": "relationship"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--e9fadec5-0841-4c97-b37f-c45ed32fe51b",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "directory--9f8a3596-5591-5d44-99a9-f446a87405f7",
"spec_version": "2.1",
"target_ref": "indicator--239104ec-f5f9-4514-ae16-63f81268ab51",
"type": "relationship"
},
{
"defanged": false,
"id": "directory--9f8a3596-5591-5d44-99a9-f446a87405f7",
"path": "?:\\Windows\\SysWOW64",
"spec_version": "2.1",
"type": "directory"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--2bfb0f2e-71d0-4caa-a11b-8a302b076f59",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "directory--11f9267d-00f6-5d43-9c87-2648973cc89a",
"spec_version": "2.1",
"target_ref": "indicator--239104ec-f5f9-4514-ae16-63f81268ab51",
"type": "relationship"
},
{
"defanged": false,
"id": "directory--11f9267d-00f6-5d43-9c87-2648973cc89a",
"path": "?:\\Windows\\WinSxS",
"spec_version": "2.1",
"type": "directory"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--ea06bfb7-bd75-49d7-abaa-4a471ed20a67",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "directory--f84281f6-d000-51c4-a65b-6f1585470da2",
"spec_version": "2.1",
"target_ref": "indicator--239104ec-f5f9-4514-ae16-63f81268ab51",
"type": "relationship"
},
{
"defanged": false,
"id": "directory--f84281f6-d000-51c4-a65b-6f1585470da2",
"path": "?:\\Windows\\WinSxS\\Temp\\PendingDeletes",
"spec_version": "2.1",
"type": "directory"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--e9a76c73-80d3-460a-bf3a-0bcdecac2cd0",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "directory--1b55eec0-4e1f-5251-b7bf-76c9601e169e",
"spec_version": "2.1",
"target_ref": "indicator--239104ec-f5f9-4514-ae16-63f81268ab51",
"type": "relationship"
},
{
"defanged": false,
"id": "directory--1b55eec0-4e1f-5251-b7bf-76c9601e169e",
"path": "\\Device\\*\\Windows\\*",
"spec_version": "2.1",
"type": "directory"
},
{
"created": "2025-04-14T12:31:06.930Z",
"created_by_ref": "identity--557477bb-14ac-42d1-b651-9f92cb2a1f1a",
"description": "Identifies a suspicious process execution via Windows Management Instrumentation (WMI) originating from a Microsoft Office process loading an unusual WMI DLL. This technique can indicate code execution evading traditional parent/child processes spawned from Microsoft Office products.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/rabbitstack/fibratus/blob/master/rules/initial_access_suspicious_execution_via_wmi_from_microsoft_office_process.yml"
}
],
"id": "indicator--0a325e96-33b3-4e3c-8c0d-3933748606e3",
"indicator_types": [
"malicious-activity"
],
"modified": "2025-04-14T12:31:06.930Z",
"name": "Suspicious execution via WMI from a Microsoft Office process",
"pattern": "name: Suspicious execution via WMI from a Microsoft Office process\nid: cc3f0bbe-ec53-40a7-9eed-f0a8a3f7d7fa\nversion: 1.0.0\ndescription: |\n Identifies a suspicious process execution via Windows Management Instrumentation (WMI)\n originated from the Microsoft Office process loading an unusual WMI DLL. This technique\n can indicate code execution evading traditional parent/child processes spawned from Microsoft \n Office products.\nlabels:\n tactic.id: TA0001\n tactic.name: Initial Access\n tactic.ref: https://attack.mitre.org/tactics/TA0001/\n technique.id: T1566\n technique.name: Phishing\n technique.ref: https://attack.mitre.org/techniques/T1566/\n subtechnique.id: T1566.001\n subtechnique.name: Spearphishing Attachment\n subtechnique.ref: https://attack.mitre.org/techniques/T1566/001/\nreferences:\n - https://threathunterplaybook.com/hunts/windows/190811-WMIModuleLoad/notebook.html\n - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\n\ncondition: >\n sequence\n maxspan 1m\n |load_dll and image.name iin ('wmiclnt.dll', 'wbemcomn.dll', 'wmiprov.dll', 'wbemprox.dll', 'wmutils.dll', 'fastprox.dll', 'WMINet_Utils.dll') \n and \n (ps.name iin msoffice_binaries or thread.callstack.modules imatches ('*vbe?.dll'))\n | by ps.sid\n |spawn_process and ps.name iin ('wmiprvse.exe', 'wmiapsrv.exe') and (ps.child.exe imatches ('?:\\\\Users\\\\*.exe', '?:\\\\ProgramData\\\\*.exe')\n or\n ps.child.name iin \n (\n 'rundll32.exe',\n 'regsvr32.exe',\n 'hh.exe',\n 'cmd.exe',\n 'pwsh.exe',\n 'powershell.exe',\n 'mshta.exe',\n 'certutil.exe',\n 'bitsadmin.exe',\n 'cscript.exe',\n 'wscript.exe',\n 'jsc.exe',\n 'vssadmin.exe',\n 'curl.exe',\n 'wget.exe',\n 'sc.exe',\n 'reg.exe',\n 'schtasks.exe',\n 'msxsl.exe',\n 'msbuild.exe',\n 'regasm.exe',\n 'regsvcs.exe',\n 'wmic.exe',\n 'msiexec.exe'\n )\n or\n ps.child.pe.file.name iin \n (\n 'rundll32.exe',\n 'regsvr32.exe',\n 'hh.exe',\n 'cmd.exe',\n 'pwsh.exe',\n 'powershell.exe',\n 'mshta.exe',\n 'certutil.exe',\n 'bitsadmin.exe',\n 'cscript.exe',\n 'wscript.exe',\n 'jsc.exe',\n 'vssadmin.exe',\n 'curl.exe',\n 'wget.exe',\n 'sc.exe',\n 'reg.exe',\n 'schtasks.exe',\n 'msxsl.exe',\n 'msbuild.exe',\n 'regasm.exe',\n 'regsvcs.exe',\n 'wmic.exe',\n 'msiexec.exe'\n )\n )\n | by ps.child.sid\n\noutput: >\n Suspicious process %2.ps.child.exe launched via WMI from Microsoft Office process %1.ps.cmdline\nseverity: high\n\nmin-engine-version: 2.2.0\n",
"pattern_type": "fibratus",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-06T17:48:28.000Z"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--4d79bc4e-f8d4-493b-9073-0ee47aae762d",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "file--62b1a564-7875-51fe-afe1-7f5b99453ebd",
"spec_version": "2.1",
"target_ref": "indicator--0a325e96-33b3-4e3c-8c0d-3933748606e3",
"type": "relationship"
},
{
"defanged": false,
"hashes": {},
"id": "file--62b1a564-7875-51fe-afe1-7f5b99453ebd",
"name": "wmiclnt.dll",
"spec_version": "2.1",
"type": "file"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--e7694e71-0edc-4079-8f73-402df34f45ab",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "file--e390be1f-3517-5972-93f0-20e2a783383f",
"spec_version": "2.1",
"target_ref": "indicator--0a325e96-33b3-4e3c-8c0d-3933748606e3",
"type": "relationship"
},
{
"defanged": false,
"hashes": {},
"id": "file--e390be1f-3517-5972-93f0-20e2a783383f",
"name": "wbemcomn.dll",
"spec_version": "2.1",
"type": "file"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--d9205724-1969-441c-b857-6c751e54355a",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "file--808c3933-b2cb-54d9-a720-5f128c4c3934",
"spec_version": "2.1",
"target_ref": "indicator--0a325e96-33b3-4e3c-8c0d-3933748606e3",
"type": "relationship"
},
{
"defanged": false,
"hashes": {},
"id": "file--808c3933-b2cb-54d9-a720-5f128c4c3934",
"name": "wmiprov.dll",
"spec_version": "2.1",
"type": "file"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--b797160e-8ac1-48f1-85d6-eb2f5392b5b2",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "file--7bff4c43-eaf8-581b-8070-b623119e5d85",
"spec_version": "2.1",
"target_ref": "indicator--0a325e96-33b3-4e3c-8c0d-3933748606e3",
"type": "relationship"
},
{
"defanged": false,
"hashes": {},
"id": "file--7bff4c43-eaf8-581b-8070-b623119e5d85",
"name": "wbemprox.dll",
"spec_version": "2.1",
"type": "file"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--5f419fbb-7bb5-4e59-9ba1-1e3d466ac9a4",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "file--b5d8f4f2-b71b-5897-87ce-73b0adc4a2f2",
"spec_version": "2.1",
"target_ref": "indicator--0a325e96-33b3-4e3c-8c0d-3933748606e3",
"type": "relationship"
},
{
"defanged": false,
"hashes": {},
"id": "file--b5d8f4f2-b71b-5897-87ce-73b0adc4a2f2",
"name": "wmutils.dll",
"spec_version": "2.1",
"type": "file"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--a01ab288-0513-46e1-bc5e-fbe8c17e5755",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "file--b603b1bf-c3ea-5246-bc01-41cc1072367a",
"spec_version": "2.1",
"target_ref": "indicator--0a325e96-33b3-4e3c-8c0d-3933748606e3",
"type": "relationship"
},
{
"defanged": false,
"hashes": {},
"id": "file--b603b1bf-c3ea-5246-bc01-41cc1072367a",
"name": "fastprox.dll",
"spec_version": "2.1",
"type": "file"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--f94a3d99-68a6-439a-83ef-b82efb9153c2",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "file--fc24c43d-020f-59b0-8ddc-6d9414aebac1",
"spec_version": "2.1",
"target_ref": "indicator--0a325e96-33b3-4e3c-8c0d-3933748606e3",
"type": "relationship"
},
{
"defanged": false,
"hashes": {},
"id": "file--fc24c43d-020f-59b0-8ddc-6d9414aebac1",
"name": "WMINet_Utils.dll",
"spec_version": "2.1",
"type": "file"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--ce2dfae1-7256-4492-8102-7388d410f1dd",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--89e07838-c874-4d82-bde9-cbcc06986d22",
"spec_version": "2.1",
"target_ref": "indicator--0a325e96-33b3-4e3c-8c0d-3933748606e3",
"type": "relationship"
},
{
"command_line": "wmiprvse.exe",
"defanged": false,
"id": "process--89e07838-c874-4d82-bde9-cbcc06986d22",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--07d57dfa-26cc-4688-9bfc-1e333da5f681",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--59f9da93-ee73-41b8-b4b5-12e3f02b0f07",
"spec_version": "2.1",
"target_ref": "indicator--0a325e96-33b3-4e3c-8c0d-3933748606e3",
"type": "relationship"
},
{
"command_line": "wmiapsrv.exe",
"defanged": false,
"id": "process--59f9da93-ee73-41b8-b4b5-12e3f02b0f07",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--fc5c327a-8f70-48f2-91fe-b7bee49439a0",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--3202b8a6-147c-436c-83c6-67eb4393f048",
"spec_version": "2.1",
"target_ref": "indicator--0a325e96-33b3-4e3c-8c0d-3933748606e3",
"type": "relationship"
},
{
"command_line": "rundll32.exe",
"defanged": false,
"id": "process--3202b8a6-147c-436c-83c6-67eb4393f048",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--7b0cc3a7-323a-4640-91e2-6f54251cba8c",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--1af74c21-fa15-43fb-8171-7e42142f7a27",
"spec_version": "2.1",
"target_ref": "indicator--0a325e96-33b3-4e3c-8c0d-3933748606e3",
"type": "relationship"
},
{
"command_line": "regsvr32.exe",
"defanged": false,
"id": "process--1af74c21-fa15-43fb-8171-7e42142f7a27",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--0b423505-d81a-4fc7-8405-de675ba9e19f",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--3e13af35-6d33-484a-bcc9-01a3234f00d9",
"spec_version": "2.1",
"target_ref": "indicator--0a325e96-33b3-4e3c-8c0d-3933748606e3",
"type": "relationship"
},
{
"command_line": "hh.exe",
"defanged": false,
"id": "process--3e13af35-6d33-484a-bcc9-01a3234f00d9",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--d29d20d4-7b66-4ff3-9c4e-44dc54587030",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--4ace2b66-700f-4027-9cc0-c00373e51d71",
"spec_version": "2.1",
"target_ref": "indicator--0a325e96-33b3-4e3c-8c0d-3933748606e3",
"type": "relationship"
},
{
"command_line": "cmd.exe",
"defanged": false,
"id": "process--4ace2b66-700f-4027-9cc0-c00373e51d71",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--74e965b2-5258-4bf8-b0dc-1c652464aefe",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--52c9d1e5-93cc-4774-a2bd-030db5cb21c9",
"spec_version": "2.1",
"target_ref": "indicator--0a325e96-33b3-4e3c-8c0d-3933748606e3",
"type": "relationship"
},
{
"command_line": "pwsh.exe",
"defanged": false,
"id": "process--52c9d1e5-93cc-4774-a2bd-030db5cb21c9",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--19281fe6-d60f-47cb-9bb0-75514d04da67",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--47e67787-19f4-4367-aa07-8dd43ac6dd12",
"spec_version": "2.1",
"target_ref": "indicator--0a325e96-33b3-4e3c-8c0d-3933748606e3",
"type": "relationship"
},
{
"command_line": "powershell.exe",
"defanged": false,
"id": "process--47e67787-19f4-4367-aa07-8dd43ac6dd12",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--2766de70-cf41-409b-8463-1d728182ed7d",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--a3da4400-f4ac-4713-86e2-173e2e89e6a2",
"spec_version": "2.1",
"target_ref": "indicator--0a325e96-33b3-4e3c-8c0d-3933748606e3",
"type": "relationship"
},
{
"command_line": "mshta.exe",
"defanged": false,
"id": "process--a3da4400-f4ac-4713-86e2-173e2e89e6a2",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--48e1ff3f-12e9-4673-8982-ac51a85771a3",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--3334382e-12ef-49c0-8757-55e41d855c04",
"spec_version": "2.1",
"target_ref": "indicator--0a325e96-33b3-4e3c-8c0d-3933748606e3",
"type": "relationship"
},
{
"command_line": "certutil.exe",
"defanged": false,
"id": "process--3334382e-12ef-49c0-8757-55e41d855c04",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--18ba6a51-6a2f-483f-965b-4d388595c4a2",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--cb7966a0-1edb-4d8a-9a68-63346dc70357",
"spec_version": "2.1",
"target_ref": "indicator--0a325e96-33b3-4e3c-8c0d-3933748606e3",
"type": "relationship"
},
{
"command_line": "bitsadmin.exe",
"defanged": false,
"id": "process--cb7966a0-1edb-4d8a-9a68-63346dc70357",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--9f15f357-6f9d-4c63-9e28-0422830eeba4",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--b5d8e4b4-b435-41a6-8002-5074deabedd6",
"spec_version": "2.1",
"target_ref": "indicator--0a325e96-33b3-4e3c-8c0d-3933748606e3",
"type": "relationship"
},
{
"command_line": "cscript.exe",
"defanged": false,
"id": "process--b5d8e4b4-b435-41a6-8002-5074deabedd6",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--4681bcf1-bb88-4a84-a529-d594dfeae8bd",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--3c05583b-5aa7-470c-bec1-844afc5dcf0d",
"spec_version": "2.1",
"target_ref": "indicator--0a325e96-33b3-4e3c-8c0d-3933748606e3",
"type": "relationship"
},
{
"command_line": "wscript.exe",
"defanged": false,
"id": "process--3c05583b-5aa7-470c-bec1-844afc5dcf0d",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--eadf6237-6b12-4295-aa4f-8ffb2a3ec5df",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--e07560aa-94f2-4608-9020-180fd6e25778",
"spec_version": "2.1",
"target_ref": "indicator--0a325e96-33b3-4e3c-8c0d-3933748606e3",
"type": "relationship"
},
{
"command_line": "jsc.exe",
"defanged": false,
"id": "process--e07560aa-94f2-4608-9020-180fd6e25778",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--52306f66-89d1-4da3-90e4-24701845e7f4",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--8a552e91-c139-47e2-86cd-8f0c80f1e1ea",
"spec_version": "2.1",
"target_ref": "indicator--0a325e96-33b3-4e3c-8c0d-3933748606e3",
"type": "relationship"
},
{
"command_line": "vssadmin.exe",
"defanged": false,
"id": "process--8a552e91-c139-47e2-86cd-8f0c80f1e1ea",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--f56cca0c-ba6e-42a5-913d-a307a382852f",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--4dcba7b3-4d73-4c2f-8bd4-c5e2f5e6395f",
"spec_version": "2.1",
"target_ref": "indicator--0a325e96-33b3-4e3c-8c0d-3933748606e3",
"type": "relationship"
},
{
"command_line": "curl.exe",
"defanged": false,
"id": "process--4dcba7b3-4d73-4c2f-8bd4-c5e2f5e6395f",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--8fec14ad-7bfa-46ec-9023-f8d231f6f6a6",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--a795c0e0-9bbc-4b57-8466-8e1e3716d99b",
"spec_version": "2.1",
"target_ref": "indicator--0a325e96-33b3-4e3c-8c0d-3933748606e3",
"type": "relationship"
},
{
"command_line": "wget.exe",
"defanged": false,
"id": "process--a795c0e0-9bbc-4b57-8466-8e1e3716d99b",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--c677dff2-f205-4bf4-acf2-7a2a1f6c0d48",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--b53a5f37-3432-450d-a745-4583e73251bc",
"spec_version": "2.1",
"target_ref": "indicator--0a325e96-33b3-4e3c-8c0d-3933748606e3",
"type": "relationship"
},
{
"command_line": "sc.exe",
"defanged": false,
"id": "process--b53a5f37-3432-450d-a745-4583e73251bc",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--ed7f4008-d3e0-4f54-8839-9b946af749d9",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--2fa12f0a-45bc-4b30-bc73-6029740d33d7",
"spec_version": "2.1",
"target_ref": "indicator--0a325e96-33b3-4e3c-8c0d-3933748606e3",
"type": "relationship"
},
{
"command_line": "reg.exe",
"defanged": false,
"id": "process--2fa12f0a-45bc-4b30-bc73-6029740d33d7",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--bc1ace2a-4bb8-4237-906e-6587db052011",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--1d86b104-49b9-4b4c-a2b0-48f2cedad58c",
"spec_version": "2.1",
"target_ref": "indicator--0a325e96-33b3-4e3c-8c0d-3933748606e3",
"type": "relationship"
},
{
"command_line": "schtasks.exe",
"defanged": false,
"id": "process--1d86b104-49b9-4b4c-a2b0-48f2cedad58c",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--e95db3d7-4063-4438-a189-483886591792",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--f2a762a1-8f9a-42f8-bd79-a1c8e5a445a3",
"spec_version": "2.1",
"target_ref": "indicator--0a325e96-33b3-4e3c-8c0d-3933748606e3",
"type": "relationship"
},
{
"command_line": "msxsl.exe",
"defanged": false,
"id": "process--f2a762a1-8f9a-42f8-bd79-a1c8e5a445a3",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--e257c225-258f-4f3f-8a94-8cc421cde9c4",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--4f7b0ca9-1472-4b1d-bf59-e7b54fd26dcb",
"spec_version": "2.1",
"target_ref": "indicator--0a325e96-33b3-4e3c-8c0d-3933748606e3",
"type": "relationship"
},
{
"command_line": "msbuild.exe",
"defanged": false,
"id": "process--4f7b0ca9-1472-4b1d-bf59-e7b54fd26dcb",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--b7dc3de3-ea83-460a-b7a9-c16ae984625e",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--5c073d19-68d1-4c7d-bd85-e8a82716d75b",
"spec_version": "2.1",
"target_ref": "indicator--0a325e96-33b3-4e3c-8c0d-3933748606e3",
"type": "relationship"
},
{
"command_line": "regasm.exe",
"defanged": false,
"id": "process--5c073d19-68d1-4c7d-bd85-e8a82716d75b",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--6f0b42ed-df4f-4bb0-8276-9e45e34afe42",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--c080b039-3c3e-444d-9418-1359b011478c",
"spec_version": "2.1",
"target_ref": "indicator--0a325e96-33b3-4e3c-8c0d-3933748606e3",
"type": "relationship"
},
{
"command_line": "regsvcs.exe",
"defanged": false,
"id": "process--c080b039-3c3e-444d-9418-1359b011478c",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--10bfcde6-1759-4646-9731-bdfaa99cad4e",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--3de3bf13-90d2-4c27-8ea7-3f587795ee5d",
"spec_version": "2.1",
"target_ref": "indicator--0a325e96-33b3-4e3c-8c0d-3933748606e3",
"type": "relationship"
},
{
"command_line": "wmic.exe",
"defanged": false,
"id": "process--3de3bf13-90d2-4c27-8ea7-3f587795ee5d",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--f6caf82e-6fbe-4b06-ab0a-d723d757f593",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--89b0de66-d21a-4e00-b26e-c42fad597081",
"spec_version": "2.1",
"target_ref": "indicator--0a325e96-33b3-4e3c-8c0d-3933748606e3",
"type": "relationship"
},
{
"command_line": "msiexec.exe",
"defanged": false,
"id": "process--89b0de66-d21a-4e00-b26e-c42fad597081",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"created_by_ref": "identity--0060850f-b5fd-410a-ba58-98493df347d8",
"description": "This rule detects when an unusual interactive process is launched inside a container. Interactive processes are typically run in the foreground and require user input, which is unusual behavior for a containerized environment. This activity could indicate an attacker attempting to gain access to the container environment or perform malicious actions.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_unusual_interactive_process_inside_container.toml"
}
],
"id": "indicator--1e949a7b-f0f6-4f25-9e34-16e45c41e3fd",
"indicator_types": [
"malicious-activity"
],
"modified": "2025-04-14T12:31:06.930Z",
"name": "Unusual Interactive Process Launched in a Container",
"pattern": "event.category:process and host.os.type:linux and event.type:start and event.action:exec and\nprocess.entry_leader.entry_meta.type:container and process.interactive:true\n",
"pattern_type": "kuery",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2022-07-13T14:22:21.000Z"
},
{
"contact_information": "https://github.com/elastic/",
"created": "2025-04-06T16:27:59.769Z",
"created_by_ref": "identity--e026a301-104b-402e-ab7c-66718579227e",
"id": "identity--0060850f-b5fd-410a-ba58-98493df347d8",
"identity_class": "organization",
"modified": "2025-04-06T16:27:59.769Z",
"name": "elastic",
"revoked": false,
"sectors": [
"technology"
],
"spec_version": "2.1",
"type": "identity"
},
{
"created": "2025-04-14T12:31:06.930Z",
"created_by_ref": "identity--0060850f-b5fd-410a-ba58-98493df347d8",
"description": "This rule detects the use of the built-in Linux DebugFS utility from inside a container. DebugFS is a special file system debugging utility that supports reading and writing directly from a hard drive device. When launched inside a privileged container, an attacker can access sensitive host-level files, which could lead to privilege escalation and container escapes to the host machine.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/privilege_escalation_debugfs_launched_inside_container.toml"
}
],
"id": "indicator--3c1cab25-7103-45ae-91ee-bc70e1440855",
"indicator_types": [
"malicious-activity",
"anomalous-activity"
],
"modified": "2025-04-14T12:31:06.930Z",
"name": "File System Debugger Launched Inside a Container",
"pattern": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and process.entry_leader.entry_meta.type == \"container\" and process.name == \"debugfs\" and process.command_line like~ \"/dev/sd*\" and not process.args == \"-R\"",
"pattern_type": "eql",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2024-01-05T02:24:54.000Z"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--51d1db8d-e2c2-47b8-81fa-35d8adaa9254",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--b4868c6c-4bfc-4f37-9a6b-959cb61727b3",
"spec_version": "2.1",
"target_ref": "indicator--3c1cab25-7103-45ae-91ee-bc70e1440855",
"type": "relationship"
},
{
"command_line": "debugfs",
"defanged": false,
"id": "process--b4868c6c-4bfc-4f37-9a6b-959cb61727b3",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"created_by_ref": "identity--0060850f-b5fd-410a-ba58-98493df347d8",
"description": "This rule detects when chmod or chown are used to add the execute permission to a file inside a container. Modifying file permissions to make a file executable could indicate malicious activity, as an attacker may attempt to run unauthorized or malicious code inside the container.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_file_made_executable_via_chmod_inside_container.toml"
}
],
"id": "indicator--45dbc985-a0c4-46f0-b17a-8535b9d97740",
"indicator_types": [
"malicious-activity",
"threat-detection"
],
"modified": "2025-04-14T12:31:06.930Z",
"name": "File Made Executable via Chmod Inside A Container",
"pattern": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\nprocess.entry_leader.entry_meta.type == \"container\" and process.name in (\"chmod\", \"chown\") and\nprocess.args in (\"4755\", \"755\", \"000\", \"777\", \"444\", \"-x\", \"+x\")",
"pattern_type": "eql",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2023-05-16T19:15:49.000Z"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--918f187d-053c-463d-89f7-3b6e0876c769",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--f2cea6cc-5580-4178-84ab-d2ef9bd65934",
"spec_version": "2.1",
"target_ref": "indicator--45dbc985-a0c4-46f0-b17a-8535b9d97740",
"type": "relationship"
},
{
"command_line": "chmod",
"defanged": false,
"id": "process--f2cea6cc-5580-4178-84ab-d2ef9bd65934",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--045b3f36-2dc4-4050-80f2-53fafa5b9c25",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--e0a74f27-61d7-4e7b-8fb0-8b29b316873a",
"spec_version": "2.1",
"target_ref": "indicator--45dbc985-a0c4-46f0-b17a-8535b9d97740",
"type": "relationship"
},
{
"command_line": "chown",
"defanged": false,
"id": "process--e0a74f27-61d7-4e7b-8fb0-8b29b316873a",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"created_by_ref": "identity--0060850f-b5fd-410a-ba58-98493df347d8",
"description": "This rule detects when a container management binary is run from inside a container. These binaries are critical components of containerized environments, and their unauthorized execution might indicate a compromise or misconfiguration. The rule monitors specific container management utilities to detect potentially suspicious usage.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_container_management_binary_launched_inside_container.toml"
}
],
"id": "indicator--ec3113f5-442e-41c7-9711-8f1b1c8c7638",
"indicator_types": [
"malicious-activity",
"anomalous-activity"
],
"modified": "2025-04-14T12:31:06.930Z",
"name": "Container Management Utility Run Inside A Container",
"pattern": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and process.entry_leader.entry_meta.type == \"container\" and process.name in (\"dockerd\", \"docker\", \"kubelet\", \"kube-proxy\", \"kubectl\", \"containerd\", \"runc\", \"systemd\", \"crictl\")",
"pattern_type": "eql",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2023-05-16T18:41:27.000Z"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--e36a87be-d7ee-4f27-ad4f-156c602aa555",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--4111ce02-f7bb-48cb-b6c4-91fa2e28accc",
"spec_version": "2.1",
"target_ref": "indicator--ec3113f5-442e-41c7-9711-8f1b1c8c7638",
"type": "relationship"
},
{
"command_line": "dockerd",
"defanged": false,
"id": "process--4111ce02-f7bb-48cb-b6c4-91fa2e28accc",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--d241f588-61c0-4ef6-8189-955b4f498557",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--2850885e-e776-44b2-853f-288744ab58b7",
"spec_version": "2.1",
"target_ref": "indicator--ec3113f5-442e-41c7-9711-8f1b1c8c7638",
"type": "relationship"
},
{
"command_line": "docker",
"defanged": false,
"id": "process--2850885e-e776-44b2-853f-288744ab58b7",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--ab258bad-d1ff-4b29-a675-7543d5257a1f",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--3b417167-bd67-44e8-959c-3c1a889ace35",
"spec_version": "2.1",
"target_ref": "indicator--ec3113f5-442e-41c7-9711-8f1b1c8c7638",
"type": "relationship"
},
{
"command_line": "kubelet",
"defanged": false,
"id": "process--3b417167-bd67-44e8-959c-3c1a889ace35",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--53738cfd-fa98-49c3-b41a-981f470c27b7",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--7951e4d6-af85-41a2-bfa3-1d7abdae8d92",
"spec_version": "2.1",
"target_ref": "indicator--ec3113f5-442e-41c7-9711-8f1b1c8c7638",
"type": "relationship"
},
{
"command_line": "kube-proxy",
"defanged": false,
"id": "process--7951e4d6-af85-41a2-bfa3-1d7abdae8d92",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--833d48b2-fb7a-4ac2-aab6-77cd4bc5c894",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--2d3e26ed-c0c4-4309-8b16-63f932f6bc4d",
"spec_version": "2.1",
"target_ref": "indicator--ec3113f5-442e-41c7-9711-8f1b1c8c7638",
"type": "relationship"
},
{
"command_line": "kubectl",
"defanged": false,
"id": "process--2d3e26ed-c0c4-4309-8b16-63f932f6bc4d",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--7b4754fe-d731-46aa-97da-076fae4a64a8",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--6116b207-2049-4593-a78e-71d18a10f51d",
"spec_version": "2.1",
"target_ref": "indicator--ec3113f5-442e-41c7-9711-8f1b1c8c7638",
"type": "relationship"
},
{
"command_line": "containerd",
"defanged": false,
"id": "process--6116b207-2049-4593-a78e-71d18a10f51d",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--31bb2ba4-bfe8-4844-af80-ae664858d6f4",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--30b9b235-087b-42ce-9a3b-6ffce382df79",
"spec_version": "2.1",
"target_ref": "indicator--ec3113f5-442e-41c7-9711-8f1b1c8c7638",
"type": "relationship"
},
{
"command_line": "runc",
"defanged": false,
"id": "process--30b9b235-087b-42ce-9a3b-6ffce382df79",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--8db50942-00c5-4dad-b5a3-538b71555a72",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--d297dd8b-7818-411e-9945-8dbf01a47dcb",
"spec_version": "2.1",
"target_ref": "indicator--ec3113f5-442e-41c7-9711-8f1b1c8c7638",
"type": "relationship"
},
{
"command_line": "systemd",
"defanged": false,
"id": "process--d297dd8b-7818-411e-9945-8dbf01a47dcb",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--630ee412-3462-4573-b1a1-89c8e08260a0",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--3e7ba1e2-0a23-46a9-9f88-9235c23e18c9",
"spec_version": "2.1",
"target_ref": "indicator--ec3113f5-442e-41c7-9711-8f1b1c8c7638",
"type": "relationship"
},
{
"command_line": "crictl",
"defanged": false,
"id": "process--3e7ba1e2-0a23-46a9-9f88-9235c23e18c9",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"created_by_ref": "identity--0060850f-b5fd-410a-ba58-98493df347d8",
"description": "This rule detects the use of the mount utility from inside a container, specifically when it is executed within a privileged container. Attackers can exploit this to access sensitive host files, potentially leading to privilege escalation or container escapes. The detection rule identifies such misuse by monitoring the execution of `mount` in containers, flagging potential security threats for further investigation.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/privilege_escalation_mount_launched_inside_container.toml"
}
],
"id": "indicator--64353ead-cf19-4d38-bd70-e0fe711dba00",
"indicator_types": [
"malicious-activity"
],
"modified": "2025-04-14T12:31:06.930Z",
"name": "Mount Launched Inside a Container",
"pattern": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\nprocess.entry_leader.entry_meta.type == \"container\" and process.name == \"mount\"",
"pattern_type": "eql",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2024-01-05T02:24:54.000Z"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--45b0a2b6-a989-4634-b9cd-9f76b6857cd2",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--06dd33e5-d423-4f66-a9bc-accb0344a185",
"spec_version": "2.1",
"target_ref": "indicator--64353ead-cf19-4d38-bd70-e0fe711dba00",
"type": "relationship"
},
{
"command_line": "mount",
"defanged": false,
"id": "process--06dd33e5-d423-4f66-a9bc-accb0344a185",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"created_by_ref": "identity--0060850f-b5fd-410a-ba58-98493df347d8",
"description": "This rule detects the use of system search utilities like grep and find to search for AWS credentials inside a container. Unauthorized access to these sensitive files could further compromise the container environment or facilitate a container breakout to the underlying cloud environment. The rule specifically monitors process names and command line arguments to flag attempts to locate AWS credentials.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_aws_creds_search_inside_container.toml"
}
],
"id": "indicator--dcef9d67-f69b-488b-9079-59c1695c92d4",
"indicator_types": [
"malicious-activity",
"anomalous-activity"
],
"modified": "2025-04-14T12:31:06.930Z",
"name": "AWS Credentials Searched For Inside A Container",
"pattern": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\nprocess.entry_leader.entry_meta.type == \"container\" and\nprocess.name in (\"grep\", \"egrep\", \"fgrep\", \"find\", \"locate\", \"mlocate\") and\nprocess.command_line like~ (\n \"*aws_access_key_id*\", \"*aws_secret_access_key*\", \"*aws_session_token*\", \"*accesskeyid*\", \"*secretaccesskey*\",\n \"*access_key*\", \"*.aws/credentials*\"\n)",
"pattern_type": "eql",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2023-05-16T19:29:54.000Z"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--434a786a-9c72-441f-843b-e0ec652a99f1",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--2b81e601-36be-403e-8e26-6e3b548413c6",
"spec_version": "2.1",
"target_ref": "indicator--dcef9d67-f69b-488b-9079-59c1695c92d4",
"type": "relationship"
},
{
"command_line": "grep",
"defanged": false,
"id": "process--2b81e601-36be-403e-8e26-6e3b548413c6",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--2ee6f400-db71-420c-8390-6b103f6ba57e",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--1772dab5-963c-4d11-8973-26611b92fa3f",
"spec_version": "2.1",
"target_ref": "indicator--dcef9d67-f69b-488b-9079-59c1695c92d4",
"type": "relationship"
},
{
"command_line": "egrep",
"defanged": false,
"id": "process--1772dab5-963c-4d11-8973-26611b92fa3f",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--9a69bedd-9265-41e3-a007-38bf3cc32ab3",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--ba98f053-57bd-4031-b363-9a3c5f73350c",
"spec_version": "2.1",
"target_ref": "indicator--dcef9d67-f69b-488b-9079-59c1695c92d4",
"type": "relationship"
},
{
"command_line": "fgrep",
"defanged": false,
"id": "process--ba98f053-57bd-4031-b363-9a3c5f73350c",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--c773d6e5-d33c-4185-af9e-b942f7ca958c",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--b0cb6a2a-b9e3-4260-9410-5a911fbe6f87",
"spec_version": "2.1",
"target_ref": "indicator--dcef9d67-f69b-488b-9079-59c1695c92d4",
"type": "relationship"
},
{
"command_line": "find",
"defanged": false,
"id": "process--b0cb6a2a-b9e3-4260-9410-5a911fbe6f87",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--134617c5-33c9-4521-b278-0e2ffa2a99c5",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--6553e287-dd65-46b4-bb63-af6609d7f2d7",
"spec_version": "2.1",
"target_ref": "indicator--dcef9d67-f69b-488b-9079-59c1695c92d4",
"type": "relationship"
},
{
"command_line": "locate",
"defanged": false,
"id": "process--6553e287-dd65-46b4-bb63-af6609d7f2d7",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--9c792de6-9f64-4e90-aa7f-eda26d42e850",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--df94844d-cd53-4867-89c2-32b807b06808",
"spec_version": "2.1",
"target_ref": "indicator--dcef9d67-f69b-488b-9079-59c1695c92d4",
"type": "relationship"
},
{
"command_line": "mlocate",
"defanged": false,
"id": "process--df94844d-cd53-4867-89c2-32b807b06808",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"created_by_ref": "identity--0060850f-b5fd-410a-ba58-98493df347d8",
"description": "This rule detects an SSH or SSHD process executed from inside a container, including both client ssh binary and server ssh daemon process. SSH usage within a container is unconventional and should be monitored as attackers could move laterally to other containers or the host. Such activity may also serve as a persistence mechanism.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/lateral_movement_ssh_process_launched_inside_container.toml"
}
],
"id": "indicator--1b0dbf61-1525-447b-a2d7-7bfc89f4978f",
"indicator_types": [
"anomalous-activity",
"malicious-activity"
],
"modified": "2025-04-14T12:31:06.930Z",
"name": "SSH Process Launched From Inside A Container",
"pattern": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and process.entry_leader.entry_meta.type == \"container\" and process.name in (\"sshd\", \"ssh\", \"autossh\")",
"pattern_type": "eql",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2023-05-16T20:56:52.000Z"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--4334bab0-8541-449b-a175-4d8914ffbd75",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--711798f5-852c-4eac-9a73-bc08f88777eb",
"spec_version": "2.1",
"target_ref": "indicator--1b0dbf61-1525-447b-a2d7-7bfc89f4978f",
"type": "relationship"
},
{
"command_line": "sshd",
"defanged": false,
"id": "process--711798f5-852c-4eac-9a73-bc08f88777eb",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--d19fc328-e8fa-4cef-9f9c-2c9b856c9adb",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--86fc9e88-d389-440f-a374-aaa7d468429f",
"spec_version": "2.1",
"target_ref": "indicator--1b0dbf61-1525-447b-a2d7-7bfc89f4978f",
"type": "relationship"
},
{
"command_line": "ssh",
"defanged": false,
"id": "process--86fc9e88-d389-440f-a374-aaa7d468429f",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--e53d2f34-0124-4824-ac01-6786b3d0b2b6",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--88057400-32b8-4bf8-bd99-46f6573bc9e2",
"spec_version": "2.1",
"target_ref": "indicator--1b0dbf61-1525-447b-a2d7-7bfc89f4978f",
"type": "relationship"
},
{
"command_line": "autossh",
"defanged": false,
"id": "process--88057400-32b8-4bf8-bd99-46f6573bc9e2",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"created_by_ref": "identity--0060850f-b5fd-410a-ba58-98493df347d8",
"description": "This rule detects the use of system search utilities like grep and find to search for private SSH keys or passwords inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or facilitate a container breakout to the underlying host machine.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_sensitive_keys_or_passwords_search_inside_container.toml"
}
],
"id": "indicator--f7911aa1-871a-4c81-a192-e222f88f1de3",
"indicator_types": [
"malicious-activity"
],
"modified": "2025-04-14T12:31:06.930Z",
"name": "Sensitive Keys Or Passwords Searched For Inside A Container",
"pattern": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\nprocess.entry_leader.entry_meta.type == \"container\" and\nprocess.name in (\"grep\", \"egrep\", \"fgrep\", \"find\", \"locate\", \"mlocate\") and\nprocess.command_line like~ (\n \"*BEGIN PRIVATE*\", \"*BEGIN OPENSSH PRIVATE*\", \"*BEGIN RSA PRIVATE*\", \"*BEGIN DSA PRIVATE*\", \"*BEGIN EC PRIVATE*\",\n \"*pass*\", \"*ssh*\", \"*user*\", \"*id_rsa*\", \"*id_dsa*\"\n)",
"pattern_type": "eql",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2023-05-16T19:29:54.000Z"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--db287dae-37b9-4097-a16d-83a8a1a3cb8e",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--5a6c9962-7c1d-42f6-b49b-b3ef1e11bf59",
"spec_version": "2.1",
"target_ref": "indicator--f7911aa1-871a-4c81-a192-e222f88f1de3",
"type": "relationship"
},
{
"command_line": "grep",
"defanged": false,
"id": "process--5a6c9962-7c1d-42f6-b49b-b3ef1e11bf59",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--3f346560-4e6c-410a-be2d-2477b633ec36",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--77bb1562-fbdf-4f6c-94d5-6959c9b7d6f2",
"spec_version": "2.1",
"target_ref": "indicator--f7911aa1-871a-4c81-a192-e222f88f1de3",
"type": "relationship"
},
{
"command_line": "egrep",
"defanged": false,
"id": "process--77bb1562-fbdf-4f6c-94d5-6959c9b7d6f2",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--27b5ebc2-b6d1-4449-b1a9-3f60bc5b7238",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--1ffc753b-27ed-469e-9b06-0c232268ded3",
"spec_version": "2.1",
"target_ref": "indicator--f7911aa1-871a-4c81-a192-e222f88f1de3",
"type": "relationship"
},
{
"command_line": "fgrep",
"defanged": false,
"id": "process--1ffc753b-27ed-469e-9b06-0c232268ded3",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--7d9ed604-1a34-4065-ac6d-b86999792a33",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--45c076e3-7b56-4758-858c-e3e6e0c3bae9",
"spec_version": "2.1",
"target_ref": "indicator--f7911aa1-871a-4c81-a192-e222f88f1de3",
"type": "relationship"
},
{
"command_line": "find",
"defanged": false,
"id": "process--45c076e3-7b56-4758-858c-e3e6e0c3bae9",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--ab26f2b6-6e8d-4fe9-8126-9372dc20a6eb",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--f40fc64a-011e-4c88-8035-f969eeb04cd1",
"spec_version": "2.1",
"target_ref": "indicator--f7911aa1-871a-4c81-a192-e222f88f1de3",
"type": "relationship"
},
{
"command_line": "locate",
"defanged": false,
"id": "process--f40fc64a-011e-4c88-8035-f969eeb04cd1",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--f64b99c6-9a71-464a-b572-c7b662a11f3f",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--2298d3ca-131e-4741-8d41-eacf2e13fa49",
"spec_version": "2.1",
"target_ref": "indicator--f7911aa1-871a-4c81-a192-e222f88f1de3",
"type": "relationship"
},
{
"command_line": "mlocate",
"defanged": false,
"id": "process--2298d3ca-131e-4741-8d41-eacf2e13fa49",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"created_by_ref": "identity--0060850f-b5fd-410a-ba58-98493df347d8",
"description": "Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials and system configurations inside a container. This rule detects suspicious compression activities by monitoring for specific utilities and file paths, flagging potential unauthorized data collection attempts within a Linux container environment.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml"
}
],
"id": "indicator--0f3a4623-7843-4dc6-8577-02fad525aefc",
"indicator_types": [
"anomalous-activity",
"malicious-activity"
],
"modified": "2025-04-14T12:31:06.930Z",
"name": "Sensitive Files Compression Inside A Container",
"pattern": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and process.entry_leader.entry_meta.type == \"container\" and process.name in (\"zip\", \"tar\", \"gzip\", \"hdiutil\", \"7z\") and process.command_line like~ ( \"*/root/.ssh/*\", \"*/home/*/.ssh/*\", \"*/root/.bash_history*\", \"*/etc/hosts*\", \"*/root/.aws/*\", \"*/home/*/.aws/*\", \"*/root/.docker/*\", \"*/home/*/.docker/*\", \"*/etc/group*\", \"*/etc/passwd*\", \"*/etc/shadow*\", \"*/etc/gshadow*\" )",
"pattern_type": "eql",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2023-05-16T19:49:42.000Z"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--c5dc1e27-1681-4627-9bce-7740ae754b7a",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--adee824e-05a8-4f04-9597-5c86cae1c819",
"spec_version": "2.1",
"target_ref": "indicator--0f3a4623-7843-4dc6-8577-02fad525aefc",
"type": "relationship"
},
{
"command_line": "zip",
"defanged": false,
"id": "process--adee824e-05a8-4f04-9597-5c86cae1c819",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--e9267a08-a654-462b-94eb-a85fa7845a3b",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--16232a49-8d21-49c9-b505-0dafe307f8a6",
"spec_version": "2.1",
"target_ref": "indicator--0f3a4623-7843-4dc6-8577-02fad525aefc",
"type": "relationship"
},
{
"command_line": "tar",
"defanged": false,
"id": "process--16232a49-8d21-49c9-b505-0dafe307f8a6",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--4963aadf-a1f5-47c7-8752-d0859127a5db",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--f39008e4-ed9c-443e-8b1e-906183e282ed",
"spec_version": "2.1",
"target_ref": "indicator--0f3a4623-7843-4dc6-8577-02fad525aefc",
"type": "relationship"
},
{
"command_line": "gzip",
"defanged": false,
"id": "process--f39008e4-ed9c-443e-8b1e-906183e282ed",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--2b696fe9-d008-4e0d-9df0-b66573205324",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--fc0b18f0-68a0-4714-8bc9-04e9f2f3f00f",
"spec_version": "2.1",
"target_ref": "indicator--0f3a4623-7843-4dc6-8577-02fad525aefc",
"type": "relationship"
},
{
"command_line": "hdiutil",
"defanged": false,
"id": "process--fc0b18f0-68a0-4714-8bc9-04e9f2f3f00f",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--32409a4f-6b2d-44e3-a07f-6227fcd18e87",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--50b17c39-f9b2-4a42-a95c-ae51fc313c77",
"spec_version": "2.1",
"target_ref": "indicator--0f3a4623-7843-4dc6-8577-02fad525aefc",
"type": "relationship"
},
{
"command_line": "7z",
"defanged": false,
"id": "process--50b17c39-f9b2-4a42-a95c-ae51fc313c77",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"created_by_ref": "identity--0060850f-b5fd-410a-ba58-98493df347d8",
"description": "The detection rule identifies commonly abused network utilities running inside a container for potential malicious activities such as reconnaissance or lateral movement. It monitors the execution of tools like nc, nmap, and tcpdump that may be used for network monitoring or exploitation. The rule aims to flag unusual tool executions for further analysis within containers running on Linux hosts.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_suspicious_network_tool_launched_inside_container.toml"
}
],
"id": "indicator--70ceb321-3f40-4127-80fa-6ce33f585320",
"indicator_types": [
"anomalous-activity",
"reconnaissance",
"command-and-control"
],
"modified": "2025-04-14T12:31:06.930Z",
"name": "Suspicious Network Tool Launched Inside A Container",
"pattern": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\nprocess.entry_leader.entry_meta.type == \"container\" and process.name in (\n \"nc.traditional\", \"nc\", \"ncat\", \"netcat\", \"nmap\", \"dig\", \"nslookup\", \"tcpdump\", \"tshark\", \"ngrep\", \"telnet\",\n \"mitmproxy\", \"socat\", \"zmap\", \"masscan\", \"zgrab\"\n)",
"pattern_type": "eql",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2023-05-16T19:21:42.000Z"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--78e7a1bc-9a66-44cb-ad68-a0d682b7a2ba",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--8e21fc61-f876-483e-9365-f05a60efc658",
"spec_version": "2.1",
"target_ref": "indicator--70ceb321-3f40-4127-80fa-6ce33f585320",
"type": "relationship"
},
{
"command_line": "nc.traditional",
"defanged": false,
"id": "process--8e21fc61-f876-483e-9365-f05a60efc658",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--128af08e-d7f8-42b6-b350-7f70d13fc21c",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--8f0a0f79-f4f4-425b-ad76-8f68219dbfb6",
"spec_version": "2.1",
"target_ref": "indicator--70ceb321-3f40-4127-80fa-6ce33f585320",
"type": "relationship"
},
{
"command_line": "nc",
"defanged": false,
"id": "process--8f0a0f79-f4f4-425b-ad76-8f68219dbfb6",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--69a2371d-e39f-438b-962f-3347fe616ea1",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--b84007b5-d2ab-4d72-8bea-e034eb4a0ec6",
"spec_version": "2.1",
"target_ref": "indicator--70ceb321-3f40-4127-80fa-6ce33f585320",
"type": "relationship"
},
{
"command_line": "ncat",
"defanged": false,
"id": "process--b84007b5-d2ab-4d72-8bea-e034eb4a0ec6",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--7bfe6a5d-381f-4068-bbfc-402241f1ca63",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--ecc61804-052c-4cb8-88c3-57105d0cd347",
"spec_version": "2.1",
"target_ref": "indicator--70ceb321-3f40-4127-80fa-6ce33f585320",
"type": "relationship"
},
{
"command_line": "netcat",
"defanged": false,
"id": "process--ecc61804-052c-4cb8-88c3-57105d0cd347",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--85674efe-81e5-45d6-ac3e-afe93055dc4a",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--1b71dabc-99a8-4535-b676-eb80da4de2b0",
"spec_version": "2.1",
"target_ref": "indicator--70ceb321-3f40-4127-80fa-6ce33f585320",
"type": "relationship"
},
{
"command_line": "nmap",
"defanged": false,
"id": "process--1b71dabc-99a8-4535-b676-eb80da4de2b0",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--cdec7be0-de42-4833-9314-ae1a8308179e",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--16a6eaa6-1c9c-419f-93fe-98e847750a1e",
"spec_version": "2.1",
"target_ref": "indicator--70ceb321-3f40-4127-80fa-6ce33f585320",
"type": "relationship"
},
{
"command_line": "dig",
"defanged": false,
"id": "process--16a6eaa6-1c9c-419f-93fe-98e847750a1e",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--3d2158f5-17ab-4640-a611-53e3feb6e304",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--3b2e53a5-cff5-4071-ab17-900d2764ef5d",
"spec_version": "2.1",
"target_ref": "indicator--70ceb321-3f40-4127-80fa-6ce33f585320",
"type": "relationship"
},
{
"command_line": "nslookup",
"defanged": false,
"id": "process--3b2e53a5-cff5-4071-ab17-900d2764ef5d",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--78b94a98-ea95-47e9-aec6-438566ff2d96",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--2eda1ae8-4314-4a9d-a663-bf9e9ae9abea",
"spec_version": "2.1",
"target_ref": "indicator--70ceb321-3f40-4127-80fa-6ce33f585320",
"type": "relationship"
},
{
"command_line": "tcpdump",
"defanged": false,
"id": "process--2eda1ae8-4314-4a9d-a663-bf9e9ae9abea",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--debda7ea-938b-4dc7-9b9e-b5e01bbd103e",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--6fb7afb3-98dc-4738-957b-8a56c5b29e2b",
"spec_version": "2.1",
"target_ref": "indicator--70ceb321-3f40-4127-80fa-6ce33f585320",
"type": "relationship"
},
{
"command_line": "tshark",
"defanged": false,
"id": "process--6fb7afb3-98dc-4738-957b-8a56c5b29e2b",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--fa0e22b7-b50a-4662-8ad8-4d0f823e6065",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--7c10a89f-f0c5-4173-b29b-ca9048903e7d",
"spec_version": "2.1",
"target_ref": "indicator--70ceb321-3f40-4127-80fa-6ce33f585320",
"type": "relationship"
},
{
"command_line": "ngrep",
"defanged": false,
"id": "process--7c10a89f-f0c5-4173-b29b-ca9048903e7d",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--6026bd07-6081-4384-a505-e41589c9d390",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--5fd63c13-ce1f-4c20-8d61-a4790b568e42",
"spec_version": "2.1",
"target_ref": "indicator--70ceb321-3f40-4127-80fa-6ce33f585320",
"type": "relationship"
},
{
"command_line": "telnet",
"defanged": false,
"id": "process--5fd63c13-ce1f-4c20-8d61-a4790b568e42",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--f9815523-efee-4b46-9545-4c05d775dc8c",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--759e5695-4877-4e04-b530-f7c3d36e0d9c",
"spec_version": "2.1",
"target_ref": "indicator--70ceb321-3f40-4127-80fa-6ce33f585320",
"type": "relationship"
},
{
"command_line": "mitmproxy",
"defanged": false,
"id": "process--759e5695-4877-4e04-b530-f7c3d36e0d9c",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--a3b26f82-47d1-45b1-b450-1a7f3ffe057f",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--c1bdde76-b607-4b5e-a977-21e2281963b5",
"spec_version": "2.1",
"target_ref": "indicator--70ceb321-3f40-4127-80fa-6ce33f585320",
"type": "relationship"
},
{
"command_line": "socat",
"defanged": false,
"id": "process--c1bdde76-b607-4b5e-a977-21e2281963b5",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--777a380b-f9dc-4bd1-ad49-2bad3710d088",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--2d6d5f96-0a6f-4ea4-b894-5e930774be09",
"spec_version": "2.1",
"target_ref": "indicator--70ceb321-3f40-4127-80fa-6ce33f585320",
"type": "relationship"
},
{
"command_line": "zmap",
"defanged": false,
"id": "process--2d6d5f96-0a6f-4ea4-b894-5e930774be09",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--c1c7d7c4-9597-4200-a6c8-f618a0557caa",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--2d2dc3b3-1bc5-4465-8656-ce7b617361d3",
"spec_version": "2.1",
"target_ref": "indicator--70ceb321-3f40-4127-80fa-6ce33f585320",
"type": "relationship"
},
{
"command_line": "masscan",
"defanged": false,
"id": "process--2d2dc3b3-1bc5-4465-8656-ce7b617361d3",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--092fe9ac-2952-4dcf-a893-533423206ddc",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "process--7c304038-4074-4b90-95c5-e169d71d5e24",
"spec_version": "2.1",
"target_ref": "indicator--70ceb321-3f40-4127-80fa-6ce33f585320",
"type": "relationship"
},
{
"command_line": "zgrab",
"defanged": false,
"id": "process--7c304038-4074-4b90-95c5-e169d71d5e24",
"is_hidden": false,
"spec_version": "2.1",
"type": "process"
},
{
"created": "2025-04-14T12:31:06.930Z",
"created_by_ref": "identity--f981f2ff-37ec-451e-b147-65952f10610f",
"description": "Yara rule that detects the presence of the BackConnect backdoor, which is a type of malware. It uses several distinct patterns to identify network communication, system information gathering, DNS server retrieval, and network interface listing behaviors associated with this backdoor malware.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/reversinglabs/reversinglabs-yara-rules/blob/develop/yara/backdoor/Win64.Backdoor.BackConnect.yara"
}
],
"id": "indicator--20f22447-f1c3-4641-88c9-94130ce82193",
"indicator_types": [
"malicious-activity"
],
"modified": "2025-04-14T12:31:06.930Z",
"name": "Win64_Backdoor_BackConnect",
"pattern": "rule Win64_Backdoor_BackConnect : tc_detection malicious\n{\n meta:\n\n author = \"ReversingLabs\"\n\n source = \"ReversingLabs\"\n status = \"RELEASED\"\n sharing = \"TLP:WHITE\"\n category = \"MALWARE\"\n malware = \"BACKCONNECT\"\n description = \"Yara rule that detects BackConnect backdoor.\"\n\n tc_detection_type = \"Backdoor\"\n tc_detection_name = \"BackConnect\"\n tc_detection_factor = 5\n\n strings:\n\n $network_communication_p1 = {\n 48 89 5C 24 ?? 4C 89 44 24 ?? 48 89 4C 24 ?? 55 56 57 41 54 41 55 41 56 41 57 48 83\n EC ?? 45 33 F6 4C 8B EA 45 8B FE 41 8B EE 41 8B FE 48 8B D9 48 8B 05 ?? ?? ?? ?? 44\n 3B B8 ?? ?? ?? ?? 0F 83 ?? ?? ?? ?? 48 8B 88 ?? ?? ?? ?? 44 39 74 39 ?? 0F 84 ?? ??\n ?? ?? 48 8B 4C 39 ?? 41 FF C7 48 83 F9 ?? 0F 84 ?? ?? ?? ?? 49 8B D0 FF 15 ?? ?? ??\n ?? 85 C0 48 8B 05 ?? ?? ?? ?? 48 8B 88 ?? ?? ?? ?? 74 ?? 44 89 74 24 ?? 48 8D 84 24\n ?? ?? ?? ?? 44 89 B4 24 ?? ?? ?? ?? 4C 8D 4C 24 ?? 48 8B 4C 39 ?? BA ?? ?? ?? ?? 41\n B8 ?? ?? ?? ?? 48 89 44 24 ?? FF 15 ?? ?? ?? ?? 48 8B 0D ?? ?? ?? ?? 41 B0 ?? 48 8B\n 81 ?? ?? ?? ?? 44 88 74 07 ?? 8B C5 48 6B D0 ?? 48 03 91 ?? ?? ?? ?? E8 ?? ?? ?? ??\n E9 ?? ?? ?? ?? 48 8B 4C 39 ?? 49 8B D5 FF 15 ?? ?? ?? ?? 48 8B 0D ?? ?? ?? ?? 85 C0\n 74 ?? 4C 8B 81 ?? ?? ?? ?? 42 80 7C 07 ?? ?? 75 ?? 8B C5 48 6B D0 ?? 49 03 D0 E8 ??\n ?? ?? ?? 48 8B 0D ?? ?? ?? ?? 48 8B 89 ?? ?? ?? ?? 49 8B D5 48 8B 4C 39 ?? FF 15 ??\n ?? ?? ?? 48 8B 0D ?? ?? ?? ?? 48 8B D3 44 8B E0 48 8B 89 ?? ?? ?? ?? 48 8B 4C 39 ??\n FF 15 ?? ?? ?? ?? 48 8B 35 ?? ?? ?? ?? 44 8B F0 48 8B 9E ?? ?? ?? ?? 48 03 DF 83 7B\n ?? ?? 0F 84 ?? ?? ?? ?? 33 C9 E8 ?? ?? ?? ?? 80 7B ?? ?? 75 ?? 48 2B 43 ?? 48 83 F8\n ?? 7E ?? 48 83 4B ?? ?? 45 33 F6 44 89 73 ?? 41 B8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 45 85\n }\n\n $network_communication_p2 = {\n F6 74 ?? 48 8B 15 ?? ?? ?? ?? 45 33 C9 48 8B 4B ?? 41 B8 ?? ?? ?? ?? FF 15 ?? ?? ??\n ?? 45 33 F6 85 C0 74 ?? 83 F8 ?? 75 ?? FF 15 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 ?? 3D ??\n ?? ?? ?? 75 ?? 41 8B C6 EB ?? 85 C0 78 ?? 01 43 ?? BA ?? ?? ?? ?? 4C 8B 0D ?? ?? ??\n ?? 48 8B CE 44 8B 43 ?? 89 44 24 ?? E8 ?? ?? ?? ?? EB ?? 48 8B 4B ?? FF 15 ?? ?? ??\n ?? 48 83 4B ?? ?? E9 ?? ?? ?? ?? 45 33 F6 45 85 E4 0F 84 ?? ?? ?? ?? 44 8B 43 ?? 45\n 85 C0 0F 84 ?? ?? ?? ?? 48 8B 53 ?? 45 33 C9 48 8B 4B ?? FF 15 ?? ?? ?? ?? 83 F8 ??\n 75 ?? FF 15 ?? ?? ?? ?? 48 8B 4B ?? FF 15 ?? ?? ?? ?? 48 83 4B ?? ?? 41 B8 ?? ?? ??\n ?? 48 8B D3 44 89 73 ?? 48 8B CE E8 ?? ?? ?? ?? EB ?? 48 8B 4B ?? 29 43 ?? 44 8B 43\n ?? 01 43 ?? 48 63 D0 48 03 D1 E8 ?? ?? ?? ?? 8A 4B ?? F6 C1 ?? 74 ?? 8B 43 ?? C1 E8\n ?? 39 43 ?? 77 ?? 44 8B 43 ?? 80 E1 ?? 45 33 C9 88 4B ?? 48 8B CE 44 89 74 24 ?? 41\n 8D 51 ?? E8 ?? ?? ?? ?? F6 43 ?? ?? 74 ?? 44 39 73 ?? 75 ?? 45 33 C0 48 8B D3 48 8B\n CE E8 ?? ?? ?? ?? 48 8B 9C 24 ?? ?? ?? ?? 4C 8B 84 24 ?? ?? ?? ?? FF C5 48 83 C7 ??\n 81 FD ?? ?? ?? ?? 0F 82 ?? ?? ?? ?? 33 C0 48 8B 9C 24 ?? ?? ?? ?? 48 83 C4 ?? 41 5F\n 41 5E 41 5D 41 5C 5F 5E 5D C3\n }\n\n $get_system_information = {\n 48 89 5C 24 ?? 48 89 74 24 ?? 48 89 7C 24 ?? 55 41 54 41 55 41 56 41 57 48 8B EC 48\n 81 EC ?? ?? ?? ?? 48 8B F9 48 8D 4D ?? FF 15 ?? ?? ?? ?? 4C 8B 75 ?? 48 81 FF ?? ??\n ?? ?? 76 ?? 48 8D 87 ?? ?? ?? ?? 4C 3B F0 4C 0F 42 F0 48 8B 1D ?? ?? ?? ?? 4C 8D A7\n ?? ?? ?? ?? 4C 39 65 ?? 4C 0F 46 65 ?? 49 81 EC ?? ?? ?? ?? 33 F6 48 85 DB 74 ?? 49\n 3B DE 72 ?? 49 3B DC 73 ?? 48 39 73 ?? 0F 85 ?? ?? ?? ?? 48 8B 1B EB ?? 4C 8B FF 49\n 3B FE 72 ?? 44 8B 6D ?? 33 D2 49 8B C7 49 F7 F5 4C 2B FA 4D 2B FD 4D 3B FE 72 ?? 41\n B8 ?? ?? ?? ?? 48 8D 55 ?? 49 8B CF FF 15 ?? ?? ?? ?? 48 85 C0 74 ?? 81 7D ?? ?? ??\n ?? ?? 74 ?? 4C 8B 7D ?? 4D 3B FD 72 ?? EB ?? 4D 85 FF 74 ?? BA ?? ?? ?? ?? 41 B9 ??\n ?? ?? ?? 41 B8 ?? ?? ?? ?? 49 8B CF FF 15 ?? ?? ?? ?? 48 8B D8 48 85 C0 0F 85 ?? ??\n ?? ?? 4D 3B FE 73 ?? 48 85 DB 0F 85 ?? ?? ?? ?? 49 3B FC 0F 87 ?? ?? ?? ?? 44 8B 7D\n ?? 33 D2 48 8B C7 45 8B F7 49 F7 F7 41 8B C7 48 2B C2 48 03 C7 48 8B F8 49 3B C4 0F\n 87 ?? ?? ?? ?? 41 B8 ?? ?? ?? ?? 48 8D 55 ?? 48 8B CF FF 15 ?? ?? ?? ?? 48 85 C0 0F\n 84 ?? ?? ?? ?? 81 7D ?? ?? ?? ?? ?? 74 ?? 33 D2 41 8D 7F ?? 48 03 7D ?? 48 03 7D ??\n 48 8B C7 49 F7 F6 48 2B FA 49 3B FC EB ?? 48 85 FF 74 ?? BA ?? ?? ?? ?? 41 B9 ?? ??\n ?? ?? 41 B8 ?? ?? ?? ?? 48 8B CF FF 15 ?? ?? ?? ?? 48 8B D8 48 85 C0 E9 ?? ?? ?? ??\n 48 8D 4B ?? 89 73 ?? BA ?? ?? ?? ?? 48 89 31 48 8B C1 48 89 4B ?? 48 83 C2 ?? 48 83\n C1 ?? 48 8B F0 48 81 FA ?? ?? ?? ?? 76 ?? 48 8B 05 ?? ?? ?? ?? 48 89 03 48 89 1D ??\n ?? ?? ?? 4C 8D 9C 24 ?? ?? ?? ?? 48 8B C3 49 8B 5B ?? 49 8B 73 ?? 49 8B 7B ?? 49 8B\n E3 41 5F 41 5E 41 5D 41 5C 5D C3\n }\n\n $get_dns_servers_p1 = {\n 4C 8B DC 49 89 5B ?? 55 56 57 41 56 41 57 48 83 EC ?? 83 64 24 ?? ?? 49 8D 43 ?? 33\n D2 49 89 43 ?? 49 83 63 ?? ?? 45 33 C9 45 33 C0 8D 7A ?? 8B CF FF 15 ?? ?? ?? ?? 8B\n 44 24 ?? 8D 6F ?? 85 C0 0F 84 ?? ?? ?? ?? 8B C8 8B D5 E8 ?? ?? ?? ?? 48 8B D8 48 85\n C0 0F 84 ?? ?? ?? ?? 48 8D 44 24 ?? 45 33 C9 48 89 44 24 ?? 45 33 C0 33 D2 48 89 5C\n 24 ?? 8B CF FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8B 0B 8B D5 C1 E1 ?? 03 CD E8\n ?? ?? ?? ?? 48 8B F0 48 85 C0 74 ?? 33 FF 39 3B 76 ?? 8B 4C BB ?? FF 15 ?? ?? ?? ??\n 48 8B D0 48 8B CE FF 15 ?? ?? ?? ?? 8B 03 2B C5 3B F8 73 ?? 48 8D 15 ?? ?? ?? ?? 48\n 8B CE FF 15 ?? ?? ?? ?? 03 FD 3B 3B 72 ?? 45 33 C9 4C 8D 05 ?? ?? ?? ?? 48 8B D6 48\n 8D 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B C8 48 8B D8 E8 ?? ?? ?? ?? 48 8B CB 4C 8B F0\n E8 ?? ?? ?? ?? EB ?? 48 8B CB E8 ?? ?? ?? ?? 45 33 F6 83 64 24 ?? ?? 48 8D 44 24 ??\n 48 89 44 24 ?? 45 33 C9 48 83 64 24 ?? ?? 45 33 C0 33 D2 33 C9 FF 15 ?? ?? ?? ?? 8B\n 44 24 ?? 85 C0 74 ?? 8D 48 ?? 48 8B D5 E8 ?? ?? ?? ?? 48 8B D8 48 85 C0 74 ?? 48 8D\n }\n\n $get_dns_servers_p2 = {\n 44 24 ?? 45 33 C9 48 89 44 24 ?? 45 33 C0 33 D2 48 89 5C 24 ?? 33 C9 FF 15 ?? ?? ??\n ?? 85 C0 75 ?? 45 33 C9 4C 8D 05 ?? ?? ?? ?? 48 8B D3 48 8D 0D ?? ?? ?? ?? E8 ?? ??\n ?? ?? 48 8B E8 EB ?? 48 8B CB E8 ?? ?? ?? ?? 33 ED 48 8D 0D ?? ?? ?? ?? E8 ?? ?? ??\n ?? 48 8B D8 48 85 C0 75 ?? 48 8D 0D ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B F8 8D 53 ?? 8D\n 4F ?? E8 ?? ?? ?? ?? 48 8B D8 48 85 C0 74 ?? 4C 8B C7 48 8D 15 ?? ?? ?? ?? 4D 03 C0\n 48 8B C8 E8 ?? ?? ?? ?? 45 33 C9 4C 8D 05 ?? ?? ?? ?? 48 8B D3 48 8D 0D ?? ?? ?? ??\n E8 ?? ?? ?? ?? 4C 8B F8 48 85 DB 74 ?? 48 8B CB E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 85\n ED 48 8D 15 ?? ?? ?? ?? 4C 8D 0D ?? ?? ?? ?? 4D 8B C7 48 0F 45 D5 49 8B CE 48 83 64\n 24 ?? ?? 48 8B F0 48 89 44 24 ?? E8 ?? ?? ?? ?? 48 8B C8 48 8B F8 E8 ?? ?? ?? ?? 49\n 8B CE 48 8B D8 E8 ?? ?? ?? ?? 48 8B CD E8 ?? ?? ?? ?? 49 8B CF E8 ?? ?? ?? ?? 48 8B\n CE E8 ?? ?? ?? ?? 48 8B CF E8 ?? ?? ?? ?? 48 8B C3 48 8B 5C 24 ?? 48 83 C4 ?? 41 5F\n 41 5E 5F 5E 5D C3\n }\n\n $get_network_interfaces_p1 = {\n 48 8B C4 48 89 58 ?? 48 89 70 ?? 57 41 56 41 57 48 81 EC ?? ?? ?? ?? B9 ?? ?? ?? ??\n 89 48 ?? E8 ?? ?? ?? ?? 48 8B F0 48 85 C0 0F 84 ?? ?? ?? ?? 48 8D 94 24 ?? ?? ?? ??\n 48 8B C8 FF 15 ?? ?? ?? ?? 83 F8 ?? 75 ?? 48 8B CE E8 ?? ?? ?? ?? 8B 8C 24 ?? ?? ??\n ?? E8 ?? ?? ?? ?? 48 8B F0 48 85 C0 0F 84 ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? FF 15 ??\n ?? ?? ?? 8B D8 BA ?? ?? ?? ?? 8D 4B ?? E8 ?? ?? ?? ?? 48 8B F8 48 85 C0 74 ?? 4C 8B\n C3 48 8D 15 ?? ?? ?? ?? 48 8B C8 E8 ?? ?? ?? ?? 48 8D 94 24 ?? ?? ?? ?? 48 8B CE FF\n 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 4C 8B F6 48 85 F6 0F 84 ?? ?? ?? ?? 4C 8D 3D\n ?? ?? ?? ?? 48 83 64 24 ?? ?? 48 8D 05 ?? ?? ?? ?? 4D 8D 86 ?? ?? ?? ?? 48 89 44 24\n ?? 4D 8B CF 48 8D 15 ?? ?? ?? ?? 48 8B CF E8 ?? ?? ?? ?? 45 8B 8E ?? ?? ?? ?? 48 8B\n F8 41 8B C9 83 E9 ?? 74 ?? 83 E9 ?? 74 ?? 83 E9 ?? 74 ?? 83 E9 ?? 74 ?? 83 E9 ?? 74\n ?? 83 E9 ?? 74 ?? 83 E9 ?? 74 ?? 83 F9 ?? 74 ?? 4C 8D 05 ?? ?? ?? ?? BA ?? ?? ?? ??\n 48 8D 4C 24 ?? E8 ?? ?? ?? ?? 48 8D 54 24 ?? EB ?? 48 8D 15 ?? ?? ?? ?? EB ?? 48 8D\n 15 ?? ?? ?? ?? EB ?? 48 8D 15 ?? ?? ?? ?? EB ?? 48 8D 15 ?? ?? ?? ?? EB ?? 48 8D 15\n ?? ?? ?? ?? EB ?? 48 8D 15 ?? ?? ?? ?? EB ?? 48 8D 15 ?? ?? ?? ?? EB ?? 48 8D 15 ??\n ?? ?? ?? 45 33 C0 48 8B CF E8 ?? ?? ?? ?? 48 83 64 24 ?? ?? 4D 8D 86 ?? ?? ?? ?? 48\n }\n\n $get_network_interfaces_p2 = {\n 8B C8 48 8D 15 ?? ?? ?? ?? 4D 8B CF E8 ?? ?? ?? ?? 48 83 64 24 ?? ?? 4D 8D 86 ?? ??\n ?? ?? 4D 8B CF 48 8D 15 ?? ?? ?? ?? 48 8B C8 E8 ?? ?? ?? ?? 48 83 64 24 ?? ?? 4D 8D\n 86 ?? ?? ?? ?? 4D 8B CF 48 8D 15 ?? ?? ?? ?? 48 8B C8 E8 ?? ?? ?? ?? 41 83 BE ?? ??\n ?? ?? ?? 48 8B C8 74 ?? 48 83 64 24 ?? ?? 4D 8D 8E ?? ?? ?? ?? 4C 8D 05 ?? ?? ?? ??\n 4C 89 7C 24 ?? 48 8D 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? EB ?? 45 33 C0 48 8D 15 ?? ?? ??\n ?? E8 ?? ?? ?? ?? 41 83 BE ?? ?? ?? ?? ?? 74 ?? 4D 8D 86 ?? ?? ?? ?? 45 33 C9 48 8D\n 15 ?? ?? ?? ?? 48 8B C8 E8 ?? ?? ?? ?? 4D 8D 86 ?? ?? ?? ?? 41 80 38 ?? 74 ?? 45 33\n C9 48 8D 15 ?? ?? ?? ?? 48 8B C8 E8 ?? ?? ?? ?? 4D 8B 36 48 8D 15 ?? ?? ?? ?? 45 33\n C0 48 8B C8 E8 ?? ?? ?? ?? 48 8B F8 4D 85 F6 0F 85 ?? ?? ?? ?? EB ?? 48 85 F6 74 ??\n 48 8B CE E8 ?? ?? ?? ?? 48 8B CF E8 ?? ?? ?? ?? 48 8B CF 48 8B D8 E8 ?? ?? ?? ?? 48\n 8B C3 EB ?? 33 C0 4C 8D 9C 24 ?? ?? ?? ?? 49 8B 5B ?? 49 8B 73 ?? 49 8B E3 41 5F 41\n 5E 5F C3\n }\n\n condition:\n uint16(0) == 0x5A4D and\n (\n all of ($network_communication_p*)\n ) and\n (\n $get_system_information\n ) and\n (\n all of ($get_dns_servers_p*)\n ) and\n (\n all of ($get_network_interfaces_p*)\n )\n}\n",
"pattern_type": "yara",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-11T09:00:02.000Z"
},
{
"contact_information": "https://github.com/reversinglabs/reversinglabs-yara-rules/",
"created": "2025-04-06T16:27:59.769Z",
"created_by_ref": "identity--e026a301-104b-402e-ab7c-66718579227e",
"id": "identity--f981f2ff-37ec-451e-b147-65952f10610f",
"identity_class": "organization",
"modified": "2025-04-06T16:27:59.769Z",
"name": "reversinglabs",
"revoked": false,
"sectors": [
"technology"
],
"spec_version": "2.1",
"type": "identity"
},
{
"created": "2025-04-14T12:31:06.930Z",
"created_by_ref": "identity--f981f2ff-37ec-451e-b147-65952f10610f",
"description": "Yara rule that detects the AutoColor backdoor, characterized by specific patterns in its execution flow including library implantations, local file execution, self-deletion, and network proxy communications. The rule targets Linux systems and uses a combination of hex patterns to identify these behaviors.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/reversinglabs/reversinglabs-yara-rules/blob/develop/yara/backdoor/Linux.Backdoor.AutoColor.yara"
}
],
"id": "indicator--2d8d9701-929c-467b-8332-801166edaffe",
"indicator_types": [
"malicious-activity"
],
"modified": "2025-04-14T12:31:06.930Z",
"name": "Linux_Backdoor_AutoColor",
"pattern": "rule Linux_Backdoor_AutoColor : tc_detection malicious\n{\n meta:\n\n author = \"ReversingLabs\"\n\n source = \"ReversingLabs\"\n status = \"RELEASED\"\n sharing = \"TLP:WHITE\"\n category = \"MALWARE\"\n malware = \"AUTOCOLOR\"\n description = \"Yara rule that detects AutoColor backdoor.\"\n\n tc_detection_type = \"Backdoor\"\n tc_detection_name = \"AutoColor\"\n tc_detection_factor = 5\n\n strings:\n\n $install_library_implant_p1 = {\n F3 0F 1E FA 55 48 89 E5 41 54 53 48 81 EC ?? ?? ?? ?? 64 48 8B 04 25 ?? ?? ?? ?? 48\n 89 45 ?? 31 C0 48 8D 45 ?? 48 89 C7 E8 ?? ?? ?? ?? 48 8D 45 ?? 48 89 C7 E8 ?? ?? ??\n ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 74 ?? 8B 9D ?? ?? ?? ?? E9 ?? ?? ?? ?? 48\n 8D 45 ?? 48 89 C7 E8 ?? ?? ?? ?? 48 8D 45 ?? 48 89 C7 E8 ?? ?? ?? ?? 89 85 ?? ?? ??\n ?? 83 BD ?? ?? ?? ?? ?? 74 ?? 8B 9D ?? ?? ?? ?? E9 ?? ?? ?? ?? 48 8D 45 ?? 48 8D 35\n ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 48 8D 45 ?? 48 89 C7 E8 ?? ?? ?? ?? 48 89 C2 48\n 8D 45 ?? 48 89 D6 48 89 C7 E8 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 48 8D 45 ?? 48 89 C7 E8\n ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 74 ?? 8B 9D ?? ?? ?? ?? E9 ?? ?? ?? ?? 48 8D 45 ??\n 48 89 C7 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 89 C2 48 8D 45 ?? 48 89 D6 48 89 C7 E8 ??\n ?? ?? ?? 48 8D 45 ?? 48 89 C7 E8 ?? ?? ?? ?? 48 8D 45 ?? 48 8D 35 ?? ?? ?? ?? 48 89\n C7 E8 ?? ?? ?? ?? 48 8D 45 ?? 48 89 C7 E8 ?? ?? ?? ?? 48 89 C2 48 8D 45 ?? 48 89 D6\n 48 89 C7 E8 ?? ?? ?? ?? 48 8D 45 ?? 48 89 C7 E8 ?? ?? ?? ?? 48 8D 45 ?? 48 89 C7 E8\n ?? ?? ?? ?? 48 8D 45 ?? 48 8D 35 ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 48 8D 45 ?? 48\n 89 C7 E8 ?? ?? ?? ?? 48 89 C2 48 8D 45 ?? 48 89 D6 48 89 C7 E8 ?? ?? ?? ?? 48 8D 45\n ?? 48 89 C7 E8 ?? ?? ?? ?? 48 8D 45 ?? 48 89 C7 E8 ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ??\n ?? 89 85 ?? ?? ?? ?? 48 8D 45 ?? 48 89 C7 E8 ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 89\n 85 ?? ?? ?? ?? 48 8D 45 ?? 48 89 C7 E8 ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 89 85 ??\n ?? ?? ?? 48 8D 45 ?? 48 89 C7 E8 ?? ?? ?? ?? 48 89 C3 48 8D 45 ?? 48 89 C7 E8 ?? ??\n ?? ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? 48 89 DE 48 89 C7 E8 ?? ?? ?? ?? 89 85 ?? ?? ??\n ?? 83 BD ?? ?? ?? ?? ?? 74 ?? 8B 9D ?? ?? ?? ?? E9 ?? ?? ?? ?? 48 8D 45 ?? 48 89 C7\n }\n\n $install_library_implant_p2 = {\n E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? 48 8D 35 ?? ?? ?? ?? 48 89 C7 E8 ?? ??\n ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 74 ?? 8B 9D ?? ?? ?? ?? EB ?? 8B 45 ??\n 4C 63 E0 48 8B 5D ?? 48 8D 45 ?? 48 89 C7 E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 4C 89 E2 48\n 89 DE 48 89 C7 E8 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 74 ?? 8B 9D ??\n ?? ?? ?? EB ?? BB ?? ?? ?? ?? 48 8D 45 ?? 48 89 C7 E8 ?? ?? ?? ?? 48 8D 45 ?? 48 89\n C7 E8 ?? ?? ?? ?? 48 8D 45 ?? 48 89 C7 E8 ?? ?? ?? ?? 48 8D 45 ?? 48 89 C7 E8 ?? ??\n ?? ?? 48 8D 45 ?? 48 89 C7 E8 ?? ?? ?? ?? 89 D8 48 8B 4D ?? 64 48 33 0C 25 ?? ?? ??\n ?? 0F 84 ?? ?? ?? ?? E9 ?? ?? ?? ?? F3 0F 1E FA 48 89 C3 48 8D 45 ?? 48 89 C7 E8 ??\n ?? ?? ?? EB ?? F3 0F 1E FA 48 89 C3 48 8D 45 ?? 48 89 C7 E8 ?? ?? ?? ?? EB ?? F3 0F\n 1E FA 48 89 C3 48 8D 45 ?? 48 89 C7 E8 ?? ?? ?? ?? EB ?? F3 0F 1E FA 48 89 C3 48 8D\n 45 ?? 48 89 C7 E8 ?? ?? ?? ?? EB ?? F3 0F 1E FA 48 89 C3 48 8D 45 ?? 48 89 C7 E8 ??\n ?? ?? ?? EB ?? F3 0F 1E FA 48 89 C3 48 8D 45 ?? 48 89 C7 E8 ?? ?? ?? ?? EB ?? F3 0F\n 1E FA 48 89 C3 48 8D 45 ?? 48 89 C7 E8 ?? ?? ?? ?? EB ?? F3 0F 1E FA 48 89 C3 48 8D\n 45 ?? 48 89 C7 E8 ?? ?? ?? ?? 48 89 D8 48 89 C7 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 81\n C4 ?? ?? ?? ?? 5B 41 5C 5D C3\n }\n\n $self_delete = {\n F3 0F 1E FA 55 48 89 E5 53 48 83 EC ?? 64 48 8B 04 25 ?? ?? ?? ?? 48 89 45 ?? 31 C0\n 48 8D 45 ?? 48 89 C7 E8 ?? ?? ?? ?? 48 8D 45 ?? 48 89 C7 E8 ?? ?? ?? ?? 89 45 ?? 83\n 7D ?? ?? 74 ?? 8B 5D ?? EB ?? 48 8D 45 ?? 48 89 C7 E8 ?? ?? ?? ?? 48 89 C7 E8 ?? ??\n ?? ?? 89 45 ?? 83 7D ?? ?? 74 ?? 8B 5D ?? EB ?? BB ?? ?? ?? ?? 48 8D 45 ?? 48 89 C7\n E8 ?? ?? ?? ?? 89 D8 48 8B 55 ?? 64 48 33 14 25 ?? ?? ?? ?? 74 ?? EB ?? F3 0F 1E FA\n 48 89 C3 48 8D 45 ?? 48 89 C7 E8 ?? ?? ?? ?? 48 89 D8 48 89 C7 E8 ?? ?? ?? ?? E8 ??\n ?? ?? ?? 48 83 C4 ?? 5B 5D C3\n }\n\n $execute_local_file_p1 = {\n F3 0F 1E FA 55 48 89 E5 41 55 41 54 53 48 81 EC ?? ?? ?? ?? 48 83 0C 24 ?? 48 81 EC\n ?? ?? ?? ?? 48 89 BD ?? ?? ?? ?? 89 B5 ?? ?? ?? ?? 89 95 ?? ?? ?? ?? 48 89 8D ?? ??\n ?? ?? 64 48 8B 04 25 ?? ?? ?? ?? 48 89 45 ?? 31 C0 48 8D 85 ?? ?? ?? ?? 48 89 C7 E8\n ?? ?? ?? ?? 48 8D 95 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ?? 48 89 D6 48 89 C7 E8 ?? ?? ??\n ?? 89 85 ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? 48 8D 95 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ??\n 48 89 D6 48 89 C7 E8 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 48 8D 9D ?? ?? ?? ?? 41 BC ?? ??\n ?? ?? 49 89 DD 4D 85 E4 78 ?? 4C 89 EF E8 ?? ?? ?? ?? 49 83 C5 ?? 49 83 EC ?? EB ??\n C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 0F B6 85 ?? ?? ?? ?? 0F B6 C0 39 85 ?? ?? ?? ?? 7D ??\n 48 8D 85 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 48 63 D2 48 C1 E2 ?? 48 01 C2 48 8B 85 ?? ??\n ?? ?? 48 89 D6 48 89 C7 E8 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 85 ?? ?? ?? ?? ?? EB ??\n C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 48 89 C2\n 48 8D 85 ?? ?? ?? ?? 48 89 C6 48 89 D7 E8 ?? ?? ?? ?? C1 E8 ?? 84 C0 74 ?? E8 ?? ??\n ?? ?? 8B 00 89 85 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 83 E0 ?? 83 F8 ?? 74\n ?? 8B 85 ?? ?? ?? ?? 83 C8 ?? 89 C3 48 8D 85 ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 89\n DE 48 89 C7 E8 ?? ?? ?? ?? C1 E8 ?? 84 C0 74 ?? E8 ?? ?? ?? ?? 8B 00 89 85 ?? ?? ??\n ?? E9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 0F 88 ?? ??\n ?? ?? 83 BD ?? ?? ?? ?? ?? 74 ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? BE ?? ?? ?? ?? 89\n }\n\n $execute_local_file_p2 = {\n C7 E8 ?? ?? ?? ?? 39 85 ?? ?? ?? ?? E9 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89\n 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 0F 88 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 74 ?? BF\n ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? C7 85 ??\n ?? ?? ?? ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 3B 85 ?? ?? ?? ?? 7D ?? 8B 85 ?? ?? ?? ?? 89\n C7 E8 ?? ?? ?? ?? 85 C0 83 85 ?? ?? ?? ?? ?? EB ?? 48 8D 85 ?? ?? ?? ?? 48 89 C7 E8\n ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 83 E8 ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 78 ??\n 48 8B 95 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 48 98 48 01 D0 0F B6 00 3C ?? 75 ?? 48 8B 85\n ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 48 63 D2 48 83 C2 ?? 48 01 C2 48 8D 85 ?? ?? ?? ?? 48\n 89 D6 48 89 C7 E8 ?? ?? ?? ?? EB ?? 83 85 ?? ?? ?? ?? ?? EB ?? 48 8B 85 ?? ?? ?? ??\n 48 89 85 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ?? 48 89 85 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ??\n 48 89 85 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 0F B6 85 ?? ?? ?? ?? 0F B6 C0 39\n 85 ?? ?? ?? ?? 7D ?? 8B 85 ?? ?? ?? ?? 8D 48 ?? 8B 85 ?? ?? ?? ?? 48 98 48 C1 E0 ??\n 48 8D 75 ?? 48 01 F0 48 2D ?? ?? ?? ?? 48 8B 10 48 63 C1 48 89 94 C5 ?? ?? ?? ?? 83\n }\n\n $execute_local_file_p3 = {\n 85 ?? ?? ?? ?? ?? EB ?? 0F B6 85 ?? ?? ?? ?? 0F B6 C0 83 C0 ?? 48 98 48 C7 84 C5 ??\n ?? ?? ?? ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 48 89 C2 48 8D 85\n ?? ?? ?? ?? 48 89 C6 48 89 D7 E8 ?? ?? ?? ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 85\n ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 48 8B 8D ?? ?? ?? ?? 48 8B 85\n ?? ?? ?? ?? 41 B8 ?? ?? ?? ?? BE ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 41 89 C4 90 48\n 8D 9D ?? ?? ?? ?? 48 81 C3 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 39 C3 74 ?? 48 83 EB\n ?? 48 89 DF E8 ?? ?? ?? ?? EB ?? 48 8D 85 ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 44 89\n E0 48 8B 4D ?? 64 48 33 0C 25 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? E9 ?? ?? ?? ?? F3 0F 1E\n FA 49 89 C5 48 85 DB 74 ?? B8 ?? ?? ?? ?? 4C 29 E0 48 C1 E0 ?? 4C 8D 24 03 49 39 DC\n 74 ?? 49 83 EC ?? 4C 89 E7 E8 ?? ?? ?? ?? EB ?? 4C 89 EB EB ?? F3 0F 1E FA 48 89 C3\n 48 8D 85 ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 49 89 DC EB ?? F3 0F 1E FA 49 89 C4 48\n 8D 9D ?? ?? ?? ?? 48 81 C3 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 39 C3 74 ?? 48 83 EB\n ?? 48 89 DF E8 ?? ?? ?? ?? EB ?? 4C 89 E3 EB ?? F3 0F 1E FA 48 89 C3 48 8D 85 ?? ??\n ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 48 89 D8 48 89 C7 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 81\n C4 ?? ?? ?? ?? 5B 41 5C 41 5D 5D C3\n }\n\n $network_proxy_communication_p1 = {\n F3 0F 1E FA 55 48 89 E5 48 81 EC ?? ?? ?? ?? 48 83 0C 24 ?? 48 81 EC ?? ?? ?? ?? 48\n 89 BD ?? ?? ?? ?? 48 89 B5 ?? ?? ?? ?? 64 48 8B 04 25 ?? ?? ?? ?? 48 89 45 ?? 31 C0\n B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 48 8D 95 ?? ?? ?? ?? 48 89 D7 FC F3 48 AB 89 F8 89 CA\n 89 95 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ?? 8B 00 8D 50 ?? 85 C0 0F 48\n C2 C1 F8 ?? 89 C6 48 63 C6 48 8B BC C5 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ?? 8B 00 99 C1\n EA ?? 01 D0 83 E0 ?? 29 D0 BA ?? ?? ?? ?? 89 C1 48 D3 E2 48 89 D0 48 09 C7 48 89 FA\n 48 63 C6 48 89 94 C5 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ?? 8B 00 8D 50 ?? 85 C0 0F 48 C2\n C1 F8 ?? 89 C6 48 63 C6 48 8B BC C5 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ?? 8B 00 99 C1 EA\n ?? 01 D0 83 E0 ?? 29 D0 BA ?? ?? ?? ?? 89 C1 48 D3 E2 48 89 D0 48 09 C7 48 89 FA 48\n 63 C6 48 89 94 C5 ?? ?? ?? ?? 48 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 48 C7 85 ?? ?? ?? ??\n ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ?? 8B 00 39 85 ?? ?? ??\n ?? 7D ?? 48 8B 85 ?? ?? ?? ?? 8B 00 89 85 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ?? 8B 00 39\n 85 ?? ?? ?? ?? 7D ?? 48 8B 85 ?? ?? ?? ?? 8B 00 89 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ??\n 8D 78 ?? 48 8D 95 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 49 89 D0 B9 ?? ?? ?? ?? BA ?? ??\n ?? ?? 48 89 C6 E8 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 0F 84 ?? ?? ??\n ?? 83 BD ?? ?? ?? ?? ?? 75 ?? 8B 85 ?? ?? ?? ?? E9 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ??\n 8B 00 8D 50 ?? 85 C0 0F 48 C2 C1 F8 ?? 48 98 48 8B B4 C5 ?? ?? ?? ?? 48 8B 85 ?? ??\n ?? ?? 8B 00 99 C1 EA ?? 01 D0 83 E0 ?? 29 D0 BA ?? ?? ?? ?? 89 C1 48 D3 E2 48 89 D0\n }\n\n $network_proxy_communication_p2 = {\n 48 21 F0 48 85 C0 0F 84 ?? ?? ?? ?? 48 8D 95 ?? ?? ?? ?? 48 8D B5 ?? ?? ?? ?? 48 8B\n 85 ?? ?? ?? ?? 41 B8 ?? ?? ?? ?? 48 89 D1 BA ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 89\n 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 74 ?? 8B 85 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B 95 ??\n ?? ?? ?? 48 8D B5 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ?? B9 ?? ?? ?? ?? 48 89 C7 E8 ?? ??\n ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 74 ?? 8B 85 ?? ?? ?? ?? E9 ?? ?? ?? ??\n 48 8B 85 ?? ?? ?? ?? 8B 00 8D 50 ?? 85 C0 0F 48 C2 C1 F8 ?? 48 98 48 8B B4 C5 ?? ??\n ?? ?? 48 8B 85 ?? ?? ?? ?? 8B 00 99 C1 EA ?? 01 D0 83 E0 ?? 29 D0 BA ?? ?? ?? ?? 89\n C1 48 D3 E2 48 89 D0 48 21 F0 48 85 C0 0F 84 ?? ?? ?? ?? 48 8D 95 ?? ?? ?? ?? 48 8D\n B5 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ?? 41 B8 ?? ?? ?? ?? 48 89 D1 BA ?? ?? ?? ?? 48 89\n C7 E8 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 74 ?? 8B 85 ?? ?? ?? ?? EB\n ?? 8B 95 ?? ?? ?? ?? 48 8D B5 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ?? B9 ?? ?? ?? ?? 48 89\n C7 E8 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8B 85 ??\n ?? ?? ?? EB ?? 90 E9 ?? ?? ?? ?? 48 8B 4D ?? 64 48 33 0C 25 ?? ?? ?? ?? 74 ?? EB ??\n F3 0F 1E FA 48 89 C7 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? C9 C3\n }\n\n condition:\n uint32(0) == 0x464C457F and\n (\n all of ($install_library_implant_p*)\n ) and\n (\n $self_delete\n ) and\n (\n all of ($execute_local_file_p*)\n ) and\n (\n all of ($network_proxy_communication_p*)\n )\n}",
"pattern_type": "yara",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-11T09:00:02.000Z"
},
{
"created": "2025-04-14T12:31:06.930Z",
"created_by_ref": "identity--c72b11a1-b3e7-4ca6-a0aa-a073d7d63bdf",
"description": "This KQL rule detects exploitation attempts leveraging the CLFS zero-day vulnerability identified as CVE-2025-29824, which is associated with ransomware activities. It monitors for \"NamedPipeEvent\" actions where the pipe name matches a specific regex pattern indicative of exploitation.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/SlimKQL/Hunting-Queries-Detection-Rules/blob/main/DefenderXDR/CVE-2025-29824%20PipeMagic%20Detection.kql"
}
],
"id": "indicator--da32b19f-f6b7-4fcd-abc2-017e98fb46e8",
"indicator_types": [
"malicious-activity"
],
"modified": "2025-04-14T12:31:06.930Z",
"name": "CVE-2025-29824 PipeMagic Detection",
"pattern": "DeviceEvents\n| where ActionType == \"NamedPipeEvent\"\n| extend PipeName = tostring(parse_json(AdditionalFields)[\"PipeName\"])\n| where isnotempty(PipeName)\n| where PipeName matches regex \n@\"\\\\.\\pipe\\1\\.[0-9A-Fa-f]{32}\"",
"pattern_type": "kql",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-11T07:35:38.000Z"
},
{
"contact_information": "https://github.com/SlimKQL/Hunting-Queries-Detection-Rules",
"created": "2025-04-06T16:27:59.769Z",
"created_by_ref": "identity--e026a301-104b-402e-ab7c-66718579227e",
"id": "identity--c72b11a1-b3e7-4ca6-a0aa-a073d7d63bdf",
"identity_class": "individual",
"modified": "2025-04-06T16:27:59.769Z",
"name": "SlimKQL",
"revoked": false,
"sectors": [
"technology"
],
"spec_version": "2.1",
"type": "identity"
},
{
"created": "2025-04-14T12:31:06.930Z",
"created_by_ref": "identity--c72b11a1-b3e7-4ca6-a0aa-a073d7d63bdf",
"description": "This rule detects potentially rogue OAuth apps that may be used for Business Email Compromise (BEC) and phishing attacks. It leverages the new OAuthAppInfo table to identify apps added in the last hour with an external origin, no verified publisher, and permissions to read and write mail.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/SlimKQL/Hunting-Queries-Detection-Rules/blob/main/DefenderXDR/OAuth%20App%20for%20BEC%20&%20Phishing%20Detection.kql"
}
],
"id": "indicator--ef870cf4-52f5-49fe-9f1a-f169485e0d88",
"indicator_types": [
"malicious-activity",
"anomalous-activity"
],
"modified": "2025-04-14T12:31:06.930Z",
"name": "OAuth App for BEC & Phishing Detection",
"pattern": "OAuthAppInfo\n| where AddedOnTime > ago(1h)\n| where AppOrigin == \"External\"\n| where VerifiedPublisher == \"{}\"\n| where Permissions has \"mail.readwrite\"\n",
"pattern_type": "kql",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-11T13:29:53.000Z"
},
{
"created": "2025-04-14T12:31:06.930Z",
"created_by_ref": "identity--df9847ba-426f-4fc9-bb79-411d70df3dbc",
"description": "This KQL query extracts information from the OAuthAppInfo table in Microsoft Defender XDR. It counts permissions by level and provides insights on consented users, application status, and origin.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/alexverboon/Hunting-Queries-Detection-Rules/blob/main/Entra%20ID/EntraID-OauthAppInfo.md"
}
],
"id": "indicator--bb204bf6-f4ad-4e28-893a-c8ba7fec94db",
"indicator_types": [
"anomalous-activity"
],
"modified": "2025-04-14T12:31:06.930Z",
"name": "Entra ID - Oauth App Information",
"pattern": "OAuthAppInfo \n| mv-expand Permissions\n| extend Permission = tostring(parse_json(Permissions.PermissionValue))\n| project\n AppName,\n PrivilegeLevel,\n Permission,\n AppStatus,\n ConsentedUsersCount,\n IsAdminConsented,\n AppOrigin\n| summarize\n Permissions = make_set(Permission),\n Low = countif(PrivilegeLevel == \"Low\"),\n Medium = countif(PrivilegeLevel == \"Medium\"),\n High = countif(PrivilegeLevel == \"High\")\n by AppName, ConsentedUsersCount, IsAdminConsented, AppStatus, AppOrigin\n| order by High desc, Medium desc, Low desc\n",
"pattern_type": "kql",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-07T21:14:30.000Z"
},
{
"contact_information": "https://github.com/alexverboon/Hunting-Queries-Detection-Rules",
"created": "2025-04-06T16:27:59.769Z",
"created_by_ref": "identity--e026a301-104b-402e-ab7c-66718579227e",
"id": "identity--df9847ba-426f-4fc9-bb79-411d70df3dbc",
"identity_class": "individual",
"modified": "2025-04-06T16:27:59.769Z",
"name": "alexverboon",
"revoked": false,
"sectors": [
"technology"
],
"spec_version": "2.1",
"type": "identity"
},
{
"created": "2025-04-14T12:31:06.930Z",
"created_by_ref": "identity--6a175af8-9993-4b93-aa9d-0ef6d410d5b9",
"description": "Detects the use of the \"Get-ADComputer\" cmdlet to identify systems configured for unconstrained delegation. This activity may indicate reconnaissance efforts by an attacker, probing for configuration vulnerabilities. It's targeted at the Windows platform, leveraging PowerShell script block logging to capture suspicious actions.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/Yamato-Security/hayabusa-rules/blob/main/sigma/builtin/powershell/powershell_script/posh_ps_potential_unconstrained_delegation_discovery.yml"
}
],
"id": "indicator--e83ddcef-7d8b-41ad-971d-d4a2ed556c55",
"indicator_types": [
"malicious-activity",
"reconnaissance",
"credential-access"
],
"modified": "2025-04-14T12:31:06.930Z",
"name": "Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock",
"pattern": "title: Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock\nid: c0fcc261-538c-247d-21ff-05b6d2cbdf07\nrelated:\n - id: cdfa73b6-3c9d-4bb8-97f8-ddbd8921f5c5\n type: derived\nstatus: experimental\ndescription: Detects the use of the \"Get-ADComputer\" cmdlet in order to identify systems which are configured for unconstrained delegation.\nreferences:\n - https://pentestlab.blog/2022/03/21/unconstrained-delegation/\n - https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer?view=windowsserver2022-ps\nauthor: frack113\ndate: 2025-03-05\ntags:\n - attack.reconnaissance\n - attack.discovery\n - attack.credential-access\n - attack.t1018\n - attack.t1558\n - attack.t1589.002\nlogsource:\n product: windows\n category: ps_script\n definition: 'Requirements: Script Block Logging must be enable'\ndetection:\n ps_script:\n EventID: 4104\n Channel:\n - Microsoft-Windows-PowerShell/Operational\n - PowerShellCore/Operational\n selection:\n ScriptBlockText|contains:\n - -Properties*TrustedForDelegation\n - -Properties*TrustedToAuthForDelegation\n - -Properties*msDS-AllowedToDelegateTo\n - -Properties*PrincipalsAllowedToDelegateToAccount\n - -LDAPFilter*(userAccountControl:1.2.840.113556.1.4.803:=524288)\n condition: ps_script and selection\nfalsepositives:\n - Legitimate use of the library for administrative activity\nlevel: medium\nruletype: Sigma\n",
"pattern_type": "sigma",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-07T20:15:03.000Z"
},
{
"contact_information": "https://github.com/Yamato-Security/hayabusa-rules",
"created": "2025-04-06T16:27:59.769Z",
"created_by_ref": "identity--e026a301-104b-402e-ab7c-66718579227e",
"id": "identity--6a175af8-9993-4b93-aa9d-0ef6d410d5b9",
"identity_class": "organization",
"modified": "2025-04-06T16:27:59.769Z",
"name": "Yamato-Security",
"revoked": false,
"sectors": [
"technology"
],
"spec_version": "2.1",
"type": "identity"
},
{
"created": "2025-04-14T12:31:06.930Z",
"created_by_ref": "identity--11461512-89f4-4d80-92d1-4b31616386fb",
"description": "Detects when non-WordPress senders link to suspended or malicious WordPress blog sites, commonly used to redirect users to credential harvesting pages. The rule inspects incoming emails to find those that contain specific types of links and text suggesting credential phishing or policy violations on WordPress-hosted content.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/sublime-security/sublime-rules/blob/main/detection-rules/link_wordpress_credphish.yml"
}
],
"id": "indicator--05a8e591-fb81-4c1c-8a7d-d539542a54b4",
"indicator_types": [
"malicious-activity"
],
"modified": "2025-04-14T12:31:06.930Z",
"name": "Link: Credential Phishing via WordPress",
"pattern": "type.inbound\n and sender.email.domain.root_domain != \"wordpress.com\"\n // there are few links\n and 0 < length(body.links) <= 5\n // there are wordpress links\n and any(body.links,\n .href_url.domain.root_domain == \"wordpress.com\"\n and .href_url.domain.domain != \"wordpress.com\"\n )\n // a single link to wordpress site\n and length(filter(body.links,\n .href_url.domain.root_domain == \"wordpress.com\"\n and .href_url.domain.domain != \"wordpress.com\"\n )\n ) == 1\n \n // not a reply\n and length(headers.references) == 0\n and headers.in_reply_to is null\n \n // we detect the wordpress page has phishing\n and any(filter(body.links, .href_url.domain.root_domain == \"wordpress.com\"),\n ml.link_analysis(.).credphish.disposition == \"phishing\"\n or strings.icontains(ml.link_analysis(.).final_dom.display_text,\n 'This blog has been archived or suspended in accordance with our Terms of Service'\n )\n )",
"pattern_type": "sublime",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-11T21:07:49.000Z"
},
{
"contact_information": "https://github.com/sublime-security/sublime-rules",
"created": "2025-04-06T16:27:59.769Z",
"created_by_ref": "identity--e026a301-104b-402e-ab7c-66718579227e",
"id": "identity--11461512-89f4-4d80-92d1-4b31616386fb",
"identity_class": "organization",
"modified": "2025-04-06T16:27:59.769Z",
"name": "sublime-security",
"revoked": false,
"sectors": [
"technology"
],
"spec_version": "2.1",
"type": "identity"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--d45dd67a-3e84-47b5-b269-b06ab9a81256",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "domain-name--e0e196aa-16d2-5db1-a6c4-fa53e1ee722c",
"spec_version": "2.1",
"target_ref": "indicator--05a8e591-fb81-4c1c-8a7d-d539542a54b4",
"type": "relationship"
},
{
"defanged": false,
"id": "domain-name--e0e196aa-16d2-5db1-a6c4-fa53e1ee722c",
"spec_version": "2.1",
"type": "domain-name",
"value": "wordpress.com"
},
{
"created": "2025-04-14T12:31:06.930Z",
"created_by_ref": "identity--11461512-89f4-4d80-92d1-4b31616386fb",
"description": "Detects messages from senders posing as the Internal Revenue Service by checking display name similarity and content indicators from body text and screenshots. Excludes legitimate IRS domains and authenticated senders.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/sublime-security/sublime-rules/blob/main/detection-rules/brand_impersonation_irs.yml"
}
],
"id": "indicator--89c6b0a0-cab0-4324-8c8f-906d5cf980dc",
"indicator_types": [
"malicious-activity",
"social-engineering"
],
"modified": "2025-04-14T12:31:06.930Z",
"name": "Brand Impersonation: Internal Revenue Service",
"pattern": "type.inbound\n and (\n // display name contains IRS\n (\n strings.ilike(strings.replace_confusables(sender.display_name),\n '*internal revenue service*'\n )\n )\n // levenshtein distance similar to IRS\n or strings.ilevenshtein(strings.replace_confusables(sender.display_name),\n 'internal revenue service'\n ) <= 1\n )\n and (\n any(beta.ml_topic(body.current_thread.text).topics,\n .name in (\"Security and Authentication\", \"Financial Communications\")\n and .confidence in (\"high\")\n )\n or any(beta.ml_topic(beta.ocr(beta.message_screenshot()).text).topics,\n .name in (\"Security and Authentication\", \"Financial Communications\")\n and .confidence in (\"high\")\n )\n or any(ml.nlu_classifier(body.current_thread.text).intents,\n .name == \"cred_theft\" and .confidence == \"high\"\n )\n or any(ml.nlu_classifier(beta.ocr(beta.message_screenshot()).text).intents,\n .name == \"cred_theft\" and .confidence == \"high\"\n )\n )\n \n // and the sender is not in org_domains or from IRS domains and passes auth\n and not (\n sender.email.domain.root_domain in $org_domains\n or (\n sender.email.domain.root_domain in (\"irs.gov\", \"govdelivery.com\")\n and headers.auth_summary.dmarc.pass\n )\n )\n // and the sender is not from high trust sender root domains\n and (\n (\n sender.email.domain.root_domain in $high_trust_sender_root_domains\n and not headers.auth_summary.dmarc.pass\n )\n or sender.email.domain.root_domain not in $high_trust_sender_root_domains\n )\n and not profile.by_sender().solicited",
"pattern_type": "sublime",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-03-18T15:48:09.000Z"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--d3da1cb4-1efe-41ca-b0a7-b3abdc2eea21",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "domain-name--d1e6a10c-1f6a-5194-9226-e56b05d493e2",
"spec_version": "2.1",
"target_ref": "indicator--89c6b0a0-cab0-4324-8c8f-906d5cf980dc",
"type": "relationship"
},
{
"defanged": false,
"id": "domain-name--d1e6a10c-1f6a-5194-9226-e56b05d493e2",
"spec_version": "2.1",
"type": "domain-name",
"value": "irs.gov"
},
{
"created": "2025-04-14T12:31:06.930Z",
"id": "relationship--82037a6a-ea01-4454-93ef-e443f253bf34",
"modified": "2025-04-14T12:31:06.930Z",
"relationship_type": "related-to",
"revoked": false,
"source_ref": "domain-name--ccb90043-ffb0-5573-9945-9f9d79ec8537",
"spec_version": "2.1",
"target_ref": "indicator--89c6b0a0-cab0-4324-8c8f-906d5cf980dc",
"type": "relationship"
},
{
"defanged": false,
"id": "domain-name--ccb90043-ffb0-5573-9945-9f9d79ec8537",
"spec_version": "2.1",
"type": "domain-name",
"value": "govdelivery.com"
},
{
"contact_information": "https://rulecheck.io",
"created": "2025-04-06T16:27:59.769Z",
"created_by_ref": "identity--e026a301-104b-402e-ab7c-66718579227e",
"id": "identity--e026a301-104b-402e-ab7c-66718579227e",
"identity_class": "organization",
"modified": "2025-04-06T16:27:59.769Z",
"name": "RuleCheck.io",
"revoked": false,
"sectors": [
"technology"
],
"spec_version": "2.1",
"type": "identity"
}
]
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment