From d425ef87f688876679f3e06a1ca3af47114bf0f5 Mon Sep 17 00:00:00 2001
From: Milad Cheraghi
Date: Fri, 29 Nov 2024 18:24:00 +0330
Subject: [PATCH 01/13] rule for exfiltration data using the WinScp tool
---
...tion_lnx_exfiltration_data_sftp_winscp.yml | 23 +++++++++++++++++++
1 file changed, 23 insertions(+)
create mode 100644 rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml
diff --git a/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml b/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml
new file mode 100644
index 00000000000..5069cc04c44
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml
@@ -0,0 +1,23 @@
+title: Exfiltration data using the WinScp tool. (SFTP File Transfer)
+id: e0fef479-650b-46da-a985-b6e137f86f43
+description: The attacker may use the WinScp tool to exfiltrate data from the victim's system. This rule helps to identify data being exfiltrated through the SFTP protocol. (When using the WinScp tool, the SFTP protocol is used in the background to transfer data.)
+status: test
+author: CheraghiMilad
+date: 2024-11-29
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md
+tags:
+ - attack.exfiltration
+ - attack.t1048.001
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection:
+ Image: '/usr/lib/openssh/sftp-server'
+ TargetFilename|endswith: '.filepart'
+ EventID: 23
+ condition: selection
+falsepositives:
+ - Legitimate use of the commands by administrators or system processes (excluding Wazuh)
+level: high
\ No newline at end of file
From a8a4521146fe51b90d6c7fd2a316c7284d1137a4 Mon Sep 17 00:00:00 2001
From: Milad Cheraghi
Date: Fri, 29 Nov 2024 18:24:54 +0330
Subject: [PATCH 02/13] fix end line
---
.../proc_creation_lnx_exfiltration_data_sftp_winscp.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
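Review bot: The selection pairs `category: process_creation` with `TargetFilename|endswith` and `EventID: 23`, fields that a process-creation event does not carry (Sysmon process creation is event 1; event 23 is FileDelete, whose Sigma field is `TargetFilename` under the file categories), so as written the rule cannot match anything and is a silent detection gap rather than a `level: high` alert. The logsource should name the category that actually provides the field, e.g. `category: file_event` (or `file_delete` if removal of the temporary is the intended signal), with `EventID` dropped because the category implies it; the same mismatch is carried through [PATCH 08/13], [PATCH 12/13] and [PATCH 13/13]. As far as I know WinSCP creates the `.filepart` temporary on the receiving side of a resumable transfer, so a `.filepart` written by `sftp-server` on the Linux host would indicate a file arriving on that host rather than leaving it — the title and description should describe what is actually observed and the level reconsidered, since every routine WinSCP upload would match. The falsepositives entry `(excluding Wazuh)` names a specific agent without saying why; either explain which Wazuh transfer it exempts or drop it.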
diff --git a/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml b/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml
index 5069cc04c44..af2c37dce5f 100644
--- a/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml
@@ -20,4 +20,4 @@ detection:
condition: selection
falsepositives:
- Legitimate use of the commands by administrators or system processes (excluding Wazuh)
-level: high
\ No newline at end of file
+level: high
From 033c77125bcbc1a228c7f7a0951994b10d06b346 Mon Sep 17 00:00:00 2001
From: Milad Cheraghi
Date: Fri, 29 Nov 2024 18:35:22 +0330
Subject: [PATCH 03/13] fix logsource line
---
.../proc_creation_lnx_exfiltration_data_sftp_winscp.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml b/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml
index af2c37dce5f..1e6fea11901 100644
--- a/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml
@@ -12,6 +12,7 @@ tags:
logsource:
category: process_creation
product: linux
+
detection:
selection:
Image: '/usr/lib/openssh/sftp-server'
From e2a4956e49bd5587e23b670abdbc1d8208e722ae Mon Sep 17 00:00:00 2001
From: Milad Cheraghi
Date: Fri, 29 Nov 2024 18:37:30 +0330
Subject: [PATCH 04/13] fix line of logsource
---
.../proc_creation_lnx_exfiltration_data_sftp_winscp.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml b/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml
index 1e6fea11901..901f62b3a6f 100644
--- a/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml
@@ -12,7 +12,7 @@ tags:
logsource:
category: process_creation
product: linux
-
+
detection:
selection:
Image: '/usr/lib/openssh/sftp-server'
From c492bc040cb3c7cf142096d932e96a41f5203b4f Mon Sep 17 00:00:00 2001
From: Milad Cheraghi
Date: Fri, 29 Nov 2024 18:43:04 +0330
Subject: [PATCH 05/13] fix log source problem
---
.../proc_creation_lnx_exfiltration_data_sftp_winscp.yml | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml b/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml
index 901f62b3a6f..c4e3bd650ff 100644
--- a/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml
@@ -10,9 +10,8 @@ tags:
- attack.exfiltration
- attack.t1048.001
logsource:
- category: process_creation
product: linux
-
+ category: process_creation
detection:
selection:
Image: '/usr/lib/openssh/sftp-server'
From ae8fbaf30ea349e0bb394ee38e84268155c69f57 Mon Sep 17 00:00:00 2001
From: Milad Cheraghi
Date: Fri, 29 Nov 2024 18:52:55 +0330
Subject: [PATCH 06/13] fix problem
---
...creation_lnx_exfiltration_data_sftp_winscp.yml | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml b/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml
index c4e3bd650ff..5f7d9328ee8 100644
--- a/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml
@@ -1,22 +1,25 @@
+
+
+
title: Exfiltration data using the WinScp tool. (SFTP File Transfer)
-id: e0fef479-650b-46da-a985-b6e137f86f43
-description: The attacker may use the WinScp tool to exfiltrate data from the victim's system. This rule helps to identify data being exfiltrated through the SFTP protocol. (When using the WinScp tool, the SFTP protocol is used in the background to transfer data.)
+id: 8ea5903c-815e-465b-a697-016902988414
status: test
-author: CheraghiMilad
-date: 2024-11-29
+description: The attacker may use the WinScp tool to exfiltrate data from the victim's system. This rule helps to identify data being exfiltrated through the SFTP protocol. (When using the WinScp tool, the SFTP protocol is used in the background to transfer data.)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md
+author: CheraghiMilad
+date: 2024-11-29
tags:
- attack.exfiltration
- attack.t1048.001
logsource:
- product: linux
category: process_creation
+ product: linux
detection:
selection:
Image: '/usr/lib/openssh/sftp-server'
TargetFilename|endswith: '.filepart'
- EventID: 23
+ EventID: '23'
condition: selection
falsepositives:
- Legitimate use of the commands by administrators or system processes (excluding Wazuh)
From 479151db650d19d9ba19a2a662b10558be3a7832 Mon Sep 17 00:00:00 2001
From: Milad Cheraghi
Date: Fri, 29 Nov 2024 18:53:29 +0330
Subject: [PATCH 07/13] fix it
---
.../proc_creation_lnx_exfiltration_data_sftp_winscp.yml | 3 ---
1 file changed, 3 deletions(-)
diff --git a/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml b/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml
index 5f7d9328ee8..41bc8c0c8cd 100644
--- a/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml
@@ -1,6 +1,3 @@
-
-
-
title: Exfiltration data using the WinScp tool. (SFTP File Transfer)
id: 8ea5903c-815e-465b-a697-016902988414
status: test
From 272d85c77d6bba1d047ad4e39ec9dba32f18494d Mon Sep 17 00:00:00 2001
From: Milad Cheraghi
Date: Fri, 29 Nov 2024 19:06:47 +0330
Subject: [PATCH 08/13] add service to logsource
---
.../proc_creation_lnx_exfiltration_data_sftp_winscp.yml | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml b/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml
index 41bc8c0c8cd..417820df6be 100644
--- a/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml
@@ -12,11 +12,13 @@ tags:
logsource:
category: process_creation
product: linux
+ service: sysmon
detection:
selection:
Image: '/usr/lib/openssh/sftp-server'
TargetFilename|endswith: '.filepart'
- EventID: '23'
+ EventID: 23
+
condition: selection
falsepositives:
- Legitimate use of the commands by administrators or system processes (excluding Wazuh)
From f8c763b04e70d2f6a95f775540843aba2ce1a4e5 Mon Sep 17 00:00:00 2001
From: Milad Cheraghi
Date: Fri, 29 Nov 2024 19:08:23 +0330
Subject: [PATCH 09/13] remove spaces
---
.../proc_creation_lnx_exfiltration_data_sftp_winscp.yml | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml b/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml
index 417820df6be..5f9c3802212 100644
--- a/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml
@@ -17,8 +17,7 @@ detection:
selection:
Image: '/usr/lib/openssh/sftp-server'
TargetFilename|endswith: '.filepart'
- EventID: 23
-
+ EventID: 23
condition: selection
falsepositives:
- Legitimate use of the commands by administrators or system processes (excluding Wazuh)
From b8a2eaa30b3d6a20208bfbb6d1225a205a9417b5 Mon Sep 17 00:00:00 2001
From: Milad Cheraghi
Date: Fri, 29 Nov 2024 19:10:16 +0330
Subject: [PATCH 10/13] fix all issue
---
.../proc_creation_lnx_exfiltration_data_sftp_winscp.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml b/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml
index 5f9c3802212..240e53b8a72 100644
--- a/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml
@@ -17,7 +17,7 @@ detection:
selection:
Image: '/usr/lib/openssh/sftp-server'
TargetFilename|endswith: '.filepart'
- EventID: 23
+ EventID: 23
condition: selection
falsepositives:
- Legitimate use of the commands by administrators or system processes (excluding Wazuh)
From 1bad8002103941a96cf2ea2cd3525c1fd69bee49 Mon Sep 17 00:00:00 2001
From: Milad Cheraghi
Date: Fri, 29 Nov 2024 19:25:09 +0330
Subject: [PATCH 11/13] maybe this work
---
.../proc_creation_lnx_exfiltration_data_sftp_winscp.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml b/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml
index 240e53b8a72..7237c1c6291 100644
--- a/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml
@@ -12,10 +12,10 @@ tags:
logsource:
category: process_creation
product: linux
- service: sysmon
+ service: syslog
detection:
selection:
- Image: '/usr/lib/openssh/sftp-server'
+ Image|contains: 'openssh/sftp-server'
TargetFilename|endswith: '.filepart'
EventID: 23
condition: selection
From 0099e5778d3170229f616863a7216ede7c79a9e1 Mon Sep 17 00:00:00 2001
From: Milad Cheraghi
Date: Tue, 10 Dec 2024 11:10:36 +0330
Subject: [PATCH 12/13] Fix title
---
.../proc_creation_lnx_exfiltration_data_sftp_winscp.yml | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml b/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml
index 7237c1c6291..e5fe5406b7a 100644
--- a/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml
@@ -1,6 +1,6 @@
-title: Exfiltration data using the WinScp tool. (SFTP File Transfer)
+title: Exfiltration data using the WinScp tool - (SFTP File Transfer)
id: 8ea5903c-815e-465b-a697-016902988414
-status: test
+status: experimental
description: The attacker may use the WinScp tool to exfiltrate data from the victim's system. This rule helps to identify data being exfiltrated through the SFTP protocol. (When using the WinScp tool, the SFTP protocol is used in the background to transfer data.)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md
@@ -12,12 +12,10 @@ tags:
logsource:
category: process_creation
product: linux
- service: syslog
detection:
selection:
Image|contains: 'openssh/sftp-server'
TargetFilename|endswith: '.filepart'
- EventID: 23
condition: selection
falsepositives:
- Legitimate use of the commands by administrators or system processes (excluding Wazuh)
From 1c19aca2afd02c455300b276f859c677af0a95b9 Mon Sep 17 00:00:00 2001
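Review bot: Switching the logsource to `service: syslog` while the selection still keys on `Image`, `TargetFilename` and `EventID: 23` does not fit together: syslog output from sshd/sftp-server is free-text message lines and, as far as I can tell, carries none of these Sysmon-style structured fields, so a backend will either fail to map them or emit a query that never matches. The subject `maybe this work` suggests the logsource is being adjusted until the repository validator accepts it rather than to match telemetry that was actually observed; the field names and category should be taken from a real event captured on a Linux host and that sample (or its source) cited under `references`. Loosening to `Image|contains: 'openssh/sftp-server'` is reasonable, presumably to cover distributions that install the binary under a different prefix, and that rationale is worth a short comment on the line, e.g. `# path differs per distribution`.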
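Review bot: With `service` and `EventID` removed in the second hunk, the title and description still assert exfiltration although the only remaining condition is a `.filepart` name seen under an `sftp-server` image, and the description should state what is observed rather than the conclusion the analyst is expected to draw. The new title `Exfiltration data using the WinScp tool - (SFTP File Transfer)` also departs from the short, punctuation-free form used by the rest of the rule set; something like `title: WinSCP SFTP Transfer Temporary File Observed On Linux Host` describes the signal without overstating it. `status: experimental` is the right value for a first submission.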
From: Milad Cheraghi
Date: Tue, 10 Dec 2024 11:13:16 +0330
Subject: [PATCH 13/13] fix TargetFileName
---
.../proc_creation_lnx_exfiltration_data_sftp_winscp.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml b/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml
index e5fe5406b7a..654e5cc202b 100644
--- a/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml
@@ -15,7 +15,7 @@ logsource:
detection:
selection:
Image|contains: 'openssh/sftp-server'
- TargetFilename|endswith: '.filepart'
+ TargetFileName|endswith: '.filepart'
condition: selection
falsepositives:
- Legitimate use of the commands by administrators or system processes (excluding Wazuh)
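Review bot: Renaming the field to `TargetFileName` diverges from the Sigma taxonomy, where the file-event field is spelled `TargetFilename` (the spelling this rule used up to [PATCH 12/13]); backend field mappings are keyed on the exact spelling, so the renamed key will pass through unmapped and the selection cannot match. The underlying problem is that `category: process_creation` does not expose a target-file field under any spelling, so the fix is to move the rule to the category that carries it and keep the taxonomy name: `category: file_event` together with `TargetFilename|endswith: '.filepart'`. As the last patch in the series, this leaves a rule that cannot fire; it should be validated against a real event before it is merged at `level: high`.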