Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adding sigma rules related to Restic for Data Exfiltration and CleanUpLoader(Oyster Backdoor) #5056

Open
CTI-Driven opened this issue Oct 20, 2024 · 0 comments
Assignees
Labels
Create Pull-Request issues that should be provided as a pull request Work In Progress Some changes are needed

Comments

@CTI-Driven
Copy link

title: Detect the Use of Restic Backup too for Data Exfiltration
id: 12345678-1234-1234-1234-123456789012
description: |
Restic is an open-source backup tool that supports backing up data to various storage types, including local directories, SFTP servers, and cloud services like Amazon S3, Google Cloud Storage, and Microsoft Azure. Recently, it has been observed in use by the BlackCat Ransomware group.
status: experimental
references:

  • https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/#exfiltration
  • https://restic.net/
    author: Nounou Mbeiri
    date: 2024/10/15
    tags:
  • attack.exfiltration
  • attack.t1048
    logsource:
    product: windows
    category: process_creation
    detection:
    selection1:
    CommandLine|contains|all:
    • " -r"
    • " :/"
    • " init"
      selection2:
      CommandLine|contains|all:
    • " --repo"
    • " :/"
    • " init"
      selection3:
      CommandLine|contains:
    • " backup"
    • " init"
      parameter1:
      CommandLine|contains|all:
    • " -r"
    • "sftp:"
      parameter2:
      CommandLine|contains|all:
    • " -r"
    • " rest:http"
      parameter3:
      CommandLine|contains|all:
    • " -r"
    • " s3:s3."
    • "amazonaws"
      parameter4:
      CommandLine|contains|all:
    • " -r"
    • " s3:http"
      parameter5:
      CommandLine|contains|all:
    • " -r"
    • " swift:"
      parameter6:
      CommandLine|contains|all:
    • " -r"
    • " b2:"
      parameter7:
      CommandLine|contains|all:
    • " -r"
    • " azure:"
      parameter8:
      CommandLine|contains|all:
    • " -r"
    • " gs:"
      parameter9:
      CommandLine|contains|all:
    • " -r"
    • " rclone:"
      condition: ((selection1 or selection2) or (selection3 and 1 of parameter*))
      falsepositives:
  • Legitimate use of Restic for backup purposes
    level: high

title: Detect Rundll32 and Schtasks Command Events Linked to CleanUpLoader
id: 12345678-1234-5678-1234-567812345678
status: experimental
description: Detects process creation events involving rundll32.exe and schtasks.exe commands associated with CleanUpLoader(Oyster Backdoor) activity on Windows systems.
references:
- https://www.reliaquest.com/blog/5-malware-variants-you-should-know/
- https://go.recordedfuture.com/hubfs/reports/cta-2024-1009.pdf
- https://www.rapid7.com/blog/post/2024/06/17/malvertising-campaign-leads-to-execution-of-oyster-backdoor/
- https://app.any.run/tasks/aa15e125-38b8-44d8-add9-54e21e6813bb
author: Nounou Mbeiri
date: 2024/10/15
tags:
- attack.discovery
- attack.command_and_control
- attack.exfiltration
- attack.t1040
- attack.t1041
- attack.t1071
logsource:
product: windows
category: process_creation
detection:
selection1:
CommandLine|contains|all:
- 'rundll32.exe'
- '%s'
- 'Test'
selection2:
CommandLine|contains:
- 'rundll32.exe'
selection21:
CommandLine|contains:
- 'CleanUp.dll'
- 'CleanUp30.dll'
selection3:
CommandLine|contains|all:
- 'schtasks.exe'
- '/create'
- 'ClearMngs'
- 'rundll32'
- '.dll'
- 'Test'
selection4:
CommandLine|contains|all:
- 'powershell.exe'
- 'schtasks.exe'
- 'CreateShortcut'
- '.lnk'
- 'rundll32'
- '.dll'
- 'Test'
condition: selection1 or (selection2 and selection21) or selection3 or selection4
falsepositives:

  • Scripts or automation tools that include similar command patterns
    level: high

title: Detect DLL File Creation Events Linked to CleanUpLoader
id: 87654321-4321-8765-4321-876543218765
status: experimental
description: Detects the creation of specific DLL files in Temp or Downloads folders, potentially linked to CleanUpLoader(Oyster Backdoor) activity.
references:
- https://www.reliaquest.com/blog/5-malware-variants-you-should-know/
- https://go.recordedfuture.com/hubfs/reports/cta-2024-1009.pdf
- https://www.rapid7.com/blog/post/2024/06/17/malvertising-campaign-leads-to-execution-of-oyster-backdoor/
- https://app.any.run/tasks/aa15e125-38b8-44d8-add9-54e21e6813bb
author: Nounou Mbeiri
date: 2024/10/15
tags:
- attack.discovery
- attack.command_and_control
- attack.exfiltration
- attack.t1040
- attack.t1041
- attack.t1071
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith:
- 'CleanUp.dll'
- 'CleanUp30.dll'
TargetFilename|contains:
- '\Temp'
condition: selection
falsepositives:

  • Legitimate software installations or updates that use these CleanUp.dll
    level: medium
@nasbench nasbench added Work In Progress Some changes are needed Create Pull-Request issues that should be provided as a pull request labels Nov 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Create Pull-Request issues that should be provided as a pull request Work In Progress Some changes are needed
Projects
None yet
Development

No branches or pull requests

2 participants