Proc creation lnx exfiltration data via sftp protocol (winscp tool)

Open CheraghiMilad opened this issue 1 year ago • 3 comments

Summary of the Pull Request

The attacker may use the WinSCP tool to exfiltrate data from the victim's system. This rule helps to identify data being exfiltrated through the SFTP protocol. (When using the WinSCP tool, the SFTP protocol is used in the background to transfer data.)

Changelog

sftp-server log

```xml
<Event>
  <System>
    <Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/>
    <EventID>23</EventID>
    <Version>5</Version>
    <Level>4</Level>
    <Task>23</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2024-11-26T07:08:18.955128000Z"/>
    <EventRecordID>252928</EventRecordID>
    <Correlation/>
    <Execution ProcessID="1258" ThreadID="1258"/>
    <Channel>Linux-Sysmon/Operational</Channel>
    <Computer>caldera-virtual-machine</Computer>
    <Security UserId="0"/>
  </System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2024-11-24 19:52:14.888</Data>
    <Data Name="ProcessGuid">{36fe7a82-83c8-6743-d526-2fa8d7550000}</Data>
    <Data Name="ProcessId">6468</Data>
    <Data Name="User">caldera</Data>
    <Data Name="Image">/usr/lib/openssh/sftp-server</Data>
    <Data Name="TargetFilename">/home/caldera/rufus-4.6.exe.filepart</Data>
    <Data Name="Hashes">-</Data>
    <Data Name="IsExecutable">-</Data>
    <Data Name="Archived">-</Data>
  </EventData>
</Event>
```

sftp-server log

```xml
<Event>
  <System>
    <Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/>
    <EventID>23</EventID>
    <Version>5</Version>
    <Level>4</Level>
    <Task>23</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2024-11-26T07:08:16.565426000Z"/>
    <EventRecordID>252925</EventRecordID>
    <Correlation/>
    <Execution ProcessID="1258" ThreadID="1258"/>
    <Channel>Linux-Sysmon/Operational</Channel>
    <Computer>caldera-virtual-machine</Computer>
    <Security UserId="0"/>
  </System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2024-11-24 19:52:12.500</Data>
    <Data Name="ProcessGuid">{36fe7a82-83c8-6743-d526-2fa8d7550000}</Data>
    <Data Name="ProcessId">6468</Data>
    <Data Name="User">caldera</Data>
    <Data Name="Image">/usr/lib/openssh/sftp-server</Data>
    <Data Name="TargetFilename">/home/caldera/IMG_20241120_131011.jpg.filepart</Data>
    <Data Name="Hashes">-</Data>
    <Data Name="IsExecutable">-</Data>
    <Data Name="Archived">-</Data>
  </EventData>
</Event>
```

Pic: Screenshot 2024-11-26 114141


CheraghiMilad, Nov 29 '24 14:11

HI, Thanks. The Eventid 23 is for FileDelete. I find "WinSCP has a setting enabled by default that transfers files larger than 100kb to a temporary file name (with the .filepart extension) and then renames the file." So the events are not exfiltration.

frack113, Nov 30 '24 10:11

> HI, Thanks. The Eventid 23 is for FileDelete. I find "WinSCP has a setting enabled by default that transfers files larger than 100kb to a temporary file name (with the .filepart extension) and then renames the file." So the events are not exfiltration.

Hi, Thanks for the reply. These files were exfiltrated during adversary emulation. If the .filepart keyword is commonly used in WinSCP, we can opt for a more relevant keyword that corresponds to files on the endpoint and remove the DeleteId from the rule.

CheraghiMilad, Nov 30 '24 18:11

I got this error, and I have no idea what I can do about it.

```
======================================================================
FAIL: test_fieldname_case (__main__.TestRules.test_fieldname_case)
Traceback (most recent call last):
  File "/home/runner/work/sigma/sigma/tests/test_logsource.py", line 253, in test_fieldname_case
    self.assertEqual(
AssertionError: Lists differ: ['/home/runner/work/sigma/sigma/rules/linu[67 chars]yml'] != []

First list contains 1 additional elements.
First extra element 0:
'/home/runner/work/sigma/sigma/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml'

- ['/home/runner/work/sigma/sigma/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml']
+ [] : There are rule files which contains unknown field or with cast error

Ran 3 tests in 28.861s

FAILED (failures=1)
Error: Process completed with exit code 1.
```

CheraghiMilad, Dec 10 '24 07:12

Closing this as stale and incomplete. The logs provided are for file delete as frack mentioned and the rule is looking for process creation. The author can re-open this with a better explanation of the intent.

nasbench, Oct 17 '25 18:10
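The thread's two objections (the pasted events are Sysmon Event ID 23 FileDelete while the rule was filed under process_creation, and the CI field-name test rejected `TargetFilename` for that category) can be checked mechanically. The script below is an added example, not code from the PR or from the SigmaHQ test suite: it parses Sysmon-for-Linux records shaped like the ones pasted above (sample constructed from them and trimmed), maps the event ID to a Sigma logsource category, and evaluates the rule's selection under each category. The per-category field table is an assumed subset, not SigmaHQ's real one.

```python
import xml.etree.ElementTree as ET

# Sysmon event IDs that Sysmon for Linux emits -> Sigma logsource category.
SYSMON_CATEGORY = {1: "process_creation", 11: "file_event", 23: "file_delete"}

# Assumed field subset per category (the real table lives in the SigmaHQ CI tests).
FIELDS = {"process_creation": {"Image", "CommandLine", "ParentImage", "User"},
          "file_delete": {"Image", "TargetFilename", "User"}}

# Constructed sample: the PR's FileDelete event, trimmed, plus one ProcessCreate event.
SAMPLE_XML = """<Events>
<Event><System><EventID>23</EventID></System><EventData>
<Data Name="Image">/usr/lib/openssh/sftp-server</Data>
<Data Name="TargetFilename">/home/caldera/rufus-4.6.exe.filepart</Data>
</EventData></Event>
<Event><System><EventID>1</EventID></System><EventData>
<Data Name="Image">/usr/lib/openssh/sftp-server</Data>
<Data Name="CommandLine">/usr/lib/openssh/sftp-server</Data>
</EventData></Event>
</Events>"""

# The PR's selection: sftp-server touching a WinSCP .filepart temporary file.
SELECTION = {"Image": "/sftp-server", "TargetFilename": ".filepart"}

def parse_events(xml_text):
    """Flatten each <Event> into a dict: EventID plus its EventData fields."""
    events = []
    for ev in ET.fromstring(xml_text).iter("Event"):
        rec = {"EventID": int(ev.findtext("System/EventID"))}
        rec.update((d.get("Name"), d.text) for d in ev.iter("Data"))
        events.append(rec)
    return events

def unknown_fields(category, selection):
    """Fields the selection uses that do not exist for the chosen logsource category."""
    return sorted(set(selection) - FIELDS.get(category, set()))

def matches(event, category, selection):
    """Sigma-style 'endswith' match, gated on the event's logsource category."""
    if SYSMON_CATEGORY.get(event["EventID"]) != category:
        return False
    return all(str(event.get(f, "")).endswith(s) for f, s in selection.items())

def evaluate(xml_text, selection=SELECTION):
    """Per event: its category and whether the selection fires under each category."""
    return [{"category": SYSMON_CATEGORY.get(ev["EventID"], "unknown"),
             "process_creation": matches(ev, "process_creation", selection),
             "file_delete": matches(ev, "file_delete", selection)}
            for ev in parse_events(xml_text)]
```

Run against the sample, the FileDelete record only fires when the rule is placed under `file_delete`, and `unknown_fields("process_creation", SELECTION)` reports `TargetFilename`, which is the same complaint the CI test raised.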