Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding sigma rules related to Restic for Data Exfiltration and CleanUpLoader(Oyster Backdoor) #5056

Open
CTI-Driven opened this issue Oct 20, 2024 · 0 comments
Open

Adding sigma rules related to Restic for Data Exfiltration and CleanUpLoader(Oyster Backdoor) #5056

CTI-Driven opened this issue Oct 20, 2024 · 0 comments
Assignees
@nasbench

Comments

@CTI-Driven
Copy link

title: Detect the Use of Restic Backup too for Data Exfiltration
id: 12345678-1234-1234-1234-123456789012
description: |
Restic is an open-source backup tool that supports backing up data to various storage types, including local directories, SFTP servers, and cloud services like Amazon S3, Google Cloud Storage, and Microsoft Azure. Recently, it has been observed in use by the BlackCat Ransomware group.
status: experimental
references:

  • https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/#exfiltration
  • https://restic.net/
    author: Nounou Mbeiri
    date: 2024/10/15
    tags:
  • attack.exfiltration
  • attack.t1048
    logsource:
    product: windows
    category: process_creation
    detection:
    selection1:
    CommandLine|contains|all:
    • " -r"
    • " :/"
    • " init"
      selection2:
      CommandLine|contains|all:
    • " --repo"
    • " :/"
    • " init"
      selection3:
      CommandLine|contains:
    • " backup"
    • " init"
      parameter1:
      CommandLine|contains|all:
    • " -r"
    • "sftp:"
      parameter2:
      CommandLine|contains|all:
    • " -r"
    • " rest:http"
      parameter3:
      CommandLine|contains|all:
    • " -r"
    • " s3:s3."
    • "amazonaws"
      parameter4:
      CommandLine|contains|all:
    • " -r"
    • " s3:http"
      parameter5:
      CommandLine|contains|all:
    • " -r"
    • " swift:"
      parameter6:
      CommandLine|contains|all:
    • " -r"
    • " b2:"
      parameter7:
      CommandLine|contains|all:
    • " -r"
    • " azure:"
      parameter8:
      CommandLine|contains|all:
    • " -r"
    • " gs:"
      parameter9:
      CommandLine|contains|all:
    • " -r"
    • " rclone:"
      condition: ((selection1 or selection2) or (selection3 and 1 of parameter*))
      falsepositives:
  • Legitimate use of Restic for backup purposes
    level: high

title: Detect Rundll32 and Schtasks Command Events Linked to CleanUpLoader
id: 12345678-1234-5678-1234-567812345678
status: experimental
description: Detects process creation events involving rundll32.exe and schtasks.exe commands associated with CleanUpLoader(Oyster Backdoor) activity on Windows systems.
references:
- https://www.reliaquest.com/blog/5-malware-variants-you-should-know/
- https://go.recordedfuture.com/hubfs/reports/cta-2024-1009.pdf
- https://www.rapid7.com/blog/post/2024/06/17/malvertising-campaign-leads-to-execution-of-oyster-backdoor/
- https://app.any.run/tasks/aa15e125-38b8-44d8-add9-54e21e6813bb
author: Nounou Mbeiri
date: 2024/10/15
tags:
- attack.discovery
- attack.command_and_control
- attack.exfiltration
- attack.t1040
- attack.t1041
- attack.t1071
logsource:
product: windows
category: process_creation
detection:
selection1:
CommandLine|contains|all:
- 'rundll32.exe'
- '%s'
- 'Test'
selection2:
CommandLine|contains:
- 'rundll32.exe'
selection21:
CommandLine|contains:
- 'CleanUp.dll'
- 'CleanUp30.dll'
selection3:
CommandLine|contains|all:
- 'schtasks.exe'
- '/create'
- 'ClearMngs'
- 'rundll32'
- '.dll'
- 'Test'
selection4:
CommandLine|contains|all:
- 'powershell.exe'
- 'schtasks.exe'
- 'CreateShortcut'
- '.lnk'
- 'rundll32'
- '.dll'
- 'Test'
condition: selection1 or (selection2 and selection21) or selection3 or selection4
falsepositives:

  • Scripts or automation tools that include similar command patterns
    level: high

title: Detect DLL File Creation Events Linked to CleanUpLoader
id: 87654321-4321-8765-4321-876543218765
status: experimental
description: Detects the creation of specific DLL files in Temp or Downloads folders, potentially linked to CleanUpLoader(Oyster Backdoor) activity.
references:
- https://www.reliaquest.com/blog/5-malware-variants-you-should-know/
- https://go.recordedfuture.com/hubfs/reports/cta-2024-1009.pdf
- https://www.rapid7.com/blog/post/2024/06/17/malvertising-campaign-leads-to-execution-of-oyster-backdoor/
- https://app.any.run/tasks/aa15e125-38b8-44d8-add9-54e21e6813bb
author: Nounou Mbeiri
date: 2024/10/15
tags:
- attack.discovery
- attack.command_and_control
- attack.exfiltration
- attack.t1040
- attack.t1041
- attack.t1071
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith:
- 'CleanUp.dll'
- 'CleanUp30.dll'
TargetFilename|contains:
- '\Temp'
condition: selection
falsepositives:

  • Legitimate software installations or updates that use these CleanUp.dll
    level: medium
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@nasbench nasbench

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@nasbench @CTI-Driven