Adding sigma rules related to Restic for Data Exfiltration and CleanUpLoader(Oyster Backdoor) #5056
Labels
Create Pull-Request
issues that should be provided as a pull request
Work In Progress
Some changes are needed
title: Detect the Use of Restic Backup too for Data Exfiltration
id: 12345678-1234-1234-1234-123456789012
description: |
Restic is an open-source backup tool that supports backing up data to various storage types, including local directories, SFTP servers, and cloud services like Amazon S3, Google Cloud Storage, and Microsoft Azure. Recently, it has been observed in use by the BlackCat Ransomware group.
status: experimental
references:
author: Nounou Mbeiri
date: 2024/10/15
tags:
logsource:
product: windows
category: process_creation
detection:
selection1:
CommandLine|contains|all:
selection2:
CommandLine|contains|all:
selection3:
CommandLine|contains:
parameter1:
CommandLine|contains|all:
parameter2:
CommandLine|contains|all:
parameter3:
CommandLine|contains|all:
parameter4:
CommandLine|contains|all:
parameter5:
CommandLine|contains|all:
parameter6:
CommandLine|contains|all:
parameter7:
CommandLine|contains|all:
parameter8:
CommandLine|contains|all:
parameter9:
CommandLine|contains|all:
condition: ((selection1 or selection2) or (selection3 and 1 of parameter*))
falsepositives:
level: high
title: Detect Rundll32 and Schtasks Command Events Linked to CleanUpLoader
id: 12345678-1234-5678-1234-567812345678
status: experimental
description: Detects process creation events involving rundll32.exe and schtasks.exe commands associated with CleanUpLoader(Oyster Backdoor) activity on Windows systems.
references:
- https://www.reliaquest.com/blog/5-malware-variants-you-should-know/
- https://go.recordedfuture.com/hubfs/reports/cta-2024-1009.pdf
- https://www.rapid7.com/blog/post/2024/06/17/malvertising-campaign-leads-to-execution-of-oyster-backdoor/
- https://app.any.run/tasks/aa15e125-38b8-44d8-add9-54e21e6813bb
author: Nounou Mbeiri
date: 2024/10/15
tags:
- attack.discovery
- attack.command_and_control
- attack.exfiltration
- attack.t1040
- attack.t1041
- attack.t1071
logsource:
product: windows
category: process_creation
detection:
selection1:
CommandLine|contains|all:
- 'rundll32.exe'
- '%s'
- 'Test'
selection2:
CommandLine|contains:
- 'rundll32.exe'
selection21:
CommandLine|contains:
- 'CleanUp.dll'
- 'CleanUp30.dll'
selection3:
CommandLine|contains|all:
- 'schtasks.exe'
- '/create'
- 'ClearMngs'
- 'rundll32'
- '.dll'
- 'Test'
selection4:
CommandLine|contains|all:
- 'powershell.exe'
- 'schtasks.exe'
- 'CreateShortcut'
- '.lnk'
- 'rundll32'
- '.dll'
- 'Test'
condition: selection1 or (selection2 and selection21) or selection3 or selection4
falsepositives:
level: high
title: Detect DLL File Creation Events Linked to CleanUpLoader
id: 87654321-4321-8765-4321-876543218765
status: experimental
description: Detects the creation of specific DLL files in Temp or Downloads folders, potentially linked to CleanUpLoader(Oyster Backdoor) activity.
references:
- https://www.reliaquest.com/blog/5-malware-variants-you-should-know/
- https://go.recordedfuture.com/hubfs/reports/cta-2024-1009.pdf
- https://www.rapid7.com/blog/post/2024/06/17/malvertising-campaign-leads-to-execution-of-oyster-backdoor/
- https://app.any.run/tasks/aa15e125-38b8-44d8-add9-54e21e6813bb
author: Nounou Mbeiri
date: 2024/10/15
tags:
- attack.discovery
- attack.command_and_control
- attack.exfiltration
- attack.t1040
- attack.t1041
- attack.t1071
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith:
- 'CleanUp.dll'
- 'CleanUp30.dll'
TargetFilename|contains:
- '\Temp'
condition: selection
falsepositives:
level: medium
The text was updated successfully, but these errors were encountered: