├── suricata ├── qbot_dec_2023.rules └── InfamousChisel.rules ├── sigma ├── T1574.001 │ ├── readme.txt │ └── shadowpad_dropped_dll_loader.yaml ├── t1105 │ ├── readme.txt │ └── MSSQL_BCP_Utility_Abuse.yaml ├── t1218.011 │ ├── README.txt │ └── qbot_Dec_2023.yaml ├── TA0002 │ ├── readme.txt │ └── ransomware │ │ └── PDQRunner.yaml ├── t1059 │ ├── README.txt │ └── CVE-2023-38831.yaml ├── T1543.001 │ ├── readme.txt │ └── launchagent.yml ├── T1574.012 │ ├── readme.txt │ └── cor_profiler_via_cmdline.yml ├── T1543.003 │ ├── readme.txt │ ├── ransomware │ │ └── PDQRunner.yaml │ └── APT │ │ └── deeppanda.yaml ├── T1570 │ ├── readme.txt │ └── malware │ │ └── CobaltStrike │ │ └── CSAK_default_binaries_named_pipe.yaml ├── T1548.002 │ ├── readme.txt │ └── UAC_bypass_by_registry_set.yaml ├── T1049 │ ├── README.txt │ └── wifi_enumeration.yaml ├── emotet │ └── 12_2020 │ │ └── sigma.yaml ├── CVE │ └── CVE-2022-34713.yaml ├── t1562.001 │ ├── crond.yml │ └── README.txt ├── APT │ └── APT29 │ │ └── detection.yml ├── Spring4Shell.yaml ├── T1190 │ ├── CVE-2024-40711.yaml │ └── README.txt ├── T1005 │ └── ram_capture.yml ├── t1068 │ └── CVE-2025-53136.yml └── attack.t1059.008 │ └── CISA_AA25-239A.yaml └── yara ├── HetropoRyuk.yar ├── generic └── nirsoft.yar ├── spyware └── triangleDB.yar ├── ransomware ├── ESXiArgs.yar └── blackbasta │ └── yara.yar ├── APT └── Wiper │ └── ZeroCleare.yar ├── SevenZip_LZMA_RCNORM_BF_EXPLOIT.yar ├── CVE-2021-27065.yar ├── scienron └── Scarab_Scieron_928322_10913.yar └── loaders └── darkgate.yar /suricata/qbot_dec_2023.rules: -------------------------------------------------------------------------------- 1 | alert http $HOME_NET any -> any $EXTERNAL_NET (msg:"ET Potential QBot C2 beaconing"; flow:established,to_server; content:"POST"; http.method; content:"/teorema505"; http.uri; tls.protocols; sid:xxxxxxx; rev:1;) 2 | -------------------------------------------------------------------------------- /sigma/T1574.001/readme.txt: 
-------------------------------------------------------------------------------- 1 | T1574.001 2 | 3 | Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. 4 | Windows systems use a common method to look for required DLLs to load into a program. 5 | Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution. 6 | 7 | source: attack.mitre.org 8 | -------------------------------------------------------------------------------- /sigma/t1105/readme.txt: -------------------------------------------------------------------------------- 1 | Adversaries may transfer tools or other files from an external system into a compromised environment. 2 | Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp. 3 | Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer). 4 | 5 | Source: MITRE 6 | -------------------------------------------------------------------------------- /sigma/t1218.011/README.txt: -------------------------------------------------------------------------------- 1 | T1218.011 2 | 3 | Adversaries may abuse rundll32.exe to proxy execution of malicious code. 4 | Using rundll32.exe, vice executing directly (i.e. Shared Modules), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. 5 | Rundll32.exe is commonly associated with executing DLL payloads (ex: rundll32.exe {DLLname, DLLfunction}). 
6 | 7 | Source: MITRE ATT&CK 8 | -------------------------------------------------------------------------------- /sigma/TA0002/readme.txt: -------------------------------------------------------------------------------- 1 | TA002 2 | 3 | The adversary is trying to run malicious code. Execution consists of techniques that result in adversary-controlled code running on a local or remote system. 4 | Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. 5 | For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery. 6 | 7 | Credits: MITRE ATT&CK 8 | -------------------------------------------------------------------------------- /sigma/t1059/README.txt: -------------------------------------------------------------------------------- 1 | Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. 2 | 3 | These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell. 4 | 5 | Source: MITRE 6 | -------------------------------------------------------------------------------- /sigma/T1543.001/readme.txt: -------------------------------------------------------------------------------- 1 | attack.t1543 2 | 3 | Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. 4 | When operating systems boot up, they can start processes that perform background system functions. 5 | On Windows and Linux, these system processes are referred to as services. 
6 | On macOS, launchd processes known as Launch Daemon and Launch Agent are run to finish system initialization and load user specific parameters. 7 | 8 | Source: https://attack.mitre.org/ 9 | -------------------------------------------------------------------------------- /sigma/T1574.012/readme.txt: -------------------------------------------------------------------------------- 1 | T1574.012 - COR_PROFILER 2 | 3 | Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. 4 | The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). 5 | These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR. 6 | 7 | Source: https://attack.mitre.org/ 8 | -------------------------------------------------------------------------------- /sigma/T1543.003/readme.txt: -------------------------------------------------------------------------------- 1 | attack.t1543.003 2 | 3 | Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. 4 | When Windows boots up, it starts programs or applications called services that perform background system functions. 5 | Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. 6 | Service configurations can be modified using utilities such as sc.exe and Reg. 7 | 8 | source: attack.mitre.org 9 | -------------------------------------------------------------------------------- /sigma/T1570/readme.txt: -------------------------------------------------------------------------------- 1 | Adversaries may transfer tools or other files between systems in a compromised environment. 
2 | Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. 3 | Adversaries may copy files laterally between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing 4 | over SMB to connected network shares or with authenticated connections with SMB/Windows Admin Shares or Remote Desktop Protocol. 5 | Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp. 6 | 7 | source: attack.mitre.org 8 | -------------------------------------------------------------------------------- /sigma/T1548.002/readme.txt: -------------------------------------------------------------------------------- 1 | T1548.002 2 | 3 | Adversaries may bypass UAC mechanisms to elevate process privileges on system. 4 | Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. 5 | The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. 
6 | 7 | source: attack.mitre.org 8 | -------------------------------------------------------------------------------- /yara/HetropoRyuk.yar: -------------------------------------------------------------------------------- 1 | rule HetropoRyuk_Ransomware_827322_00001 { 2 | meta: 3 | description = "Detects Hetropo Ryuk .Net variants" 4 | author = "Emanuele De Lucia" 5 | hash1 = "ad8cbada036d76a3c003c19d56ec611db24fb9ef1ed51a1e18fae13683a6fbab" 6 | tlp = "white" 7 | strings: 8 | $ = "Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com" fullword wide 9 | $ = "All of your files have been encrypted" fullword wide 10 | $ = "appMutex" fullword ascii 11 | $ = "read_it.txt" fullword wide 12 | $ = "How do I pay, where do I get Bitcoin?" fullword wide 13 | condition: uint16(0) == 0x5a4d and all of them 14 | } 15 | -------------------------------------------------------------------------------- /yara/generic/nirsoft.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This rule detects software released by NirSfot via Copyright in file information; 3 | NirSoft software can be abused by threat actor for network-scanning and credential-dumping tasks (ChromePass,DialupPass,MailPassView,NetRouteView etc.etc.); 4 | falsepositives: legitimate use of NirSoft softwares; 5 | */ 6 | 7 | rule NirSoft_Software_82733_00001 { 8 | meta: 9 | author = "Emanuele De Lucia" 10 | tlp = "white" 11 | description = "Detects software released by Nir Sofer via Copyright" 12 | level = "medium" 13 | strings: 14 | $mz = {4d5a} 15 | $cr = /Copyright \xA9 [0-9]{4} - [0-9]{4} Nir Sofer/ wide 16 | condition: $mz at 0 and $cr 17 | } 18 | -------------------------------------------------------------------------------- /sigma/T1049/README.txt: -------------------------------------------------------------------------------- 1 | attack.t1049 2 | 3 | Adversaries may attempt to get a listing of network connections to or from the compromised system they 
are currently accessing or from remote systems by querying for information over the network. 4 | An adversary who gains access to a system that is part of a cloud-based environment may map out Virtual Private Clouds or Virtual Networks in order to determine what systems and services are connected. 5 | The actions performed are likely the same types of discovery techniques depending on the operating system, but the resulting information may include details about the networked cloud environment relevant to the adversary's goals. 6 | 7 | Source: https://attack.mitre.org/ 8 | -------------------------------------------------------------------------------- /sigma/T1543.003/ransomware/PDQRunner.yaml: -------------------------------------------------------------------------------- 1 | title: PDQRunner Service Installation 2 | description: Detects the installation of PDQRunner via (eventid) 3 | reference: 4 | - https://www.virustotal.com/gui/file/bb28dd64a8ebd8dc3d949f75ba48847db6326d45fe358ff094e2cf0930538426/detection 5 | author: Emanuele De Lucia 6 | status: experimental 7 | tags: 8 | - attack.persistence 9 | - attack.privilege_execution 10 | - attack.t1543.003 11 | logsource: 12 | product: windows 13 | service: system 14 | detection: 15 | c1: 16 | EventID: 17 | - 7045 18 | ImagePath|contains: 'PDQRunner' 19 | condition: c1 20 | falsepositives: 21 | - Administrative and / or legitimate installation of PDQRunner 22 | level: medium 23 | -------------------------------------------------------------------------------- /yara/spyware/triangleDB.yar: -------------------------------------------------------------------------------- 1 | rule TriangleDB_SpyWare_98345_00001 { 2 | meta: 3 | description = "Detects TriangleDB variants by internal strings" 4 | author = "Emanuele De Lucia" 5 | reference = "https://securelist.com/triangledb-triangulation-implant/110050/" 6 | date = "2023-06-21" 7 | hash1 = "fd9e97cfb55f9cfb5d3e1388f712edd952d902f23a583826ebe55e9e322f730f" 8 | score = 100 
9 | strings: 10 | $ = "unmungeHexString:" 11 | $ = "getCInfoForDump" 12 | $ = "encryptData:withCompression:errorCode:" 13 | $ = "CRXBlank" 14 | $ = "CRXQuery" 15 | condition: 16 | uint16(0) == 0xfacf and 17 | filesize < 2000KB and 18 | all of them 19 | } 20 | -------------------------------------------------------------------------------- /sigma/emotet/12_2020/sigma.yaml: -------------------------------------------------------------------------------- 1 | title: Detects possible Geodo / Emotet implanter through CMDLINE - December 2020 2 | status: stable 3 | description: Detects possible Geodo / Emotet implanter through CMDLINE - December 2020 4 | author: Emanuele De Lucia 5 | references: 6 | - internal research 7 | tags: 8 | - attack.t1047 9 | - attack.t1064 10 | date: 2020/12/25 11 | logsource: 12 | category: process_creation 13 | product: windows 14 | detection: 15 | selection: 16 | Image|endswith: 17 | - '\cmd.exe' 18 | CommandLine|contains|all: 19 | - 'cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file.' 
20 | - '-w hidden -ENCOD' 21 | condition: selection 22 | level: high 23 | -------------------------------------------------------------------------------- /suricata/InfamousChisel.rules: -------------------------------------------------------------------------------- 1 | alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ANDROID MALWARE - Potential InfamousChisel InfoStealer C2 Traffic"; \ 2 | flow:established,to_server; \ 3 | content:"POST /server.php?ver="; \ 4 | http_uri; \ 5 | content:"&bid="; \ 6 | http_uri; \ 7 | content:"&type="; \ 8 | http_uri; \ 9 | content:"HTTP/1.1"; \ 10 | http_version; \ 11 | content:"User-Agent|3A| curl/7.47"; \ 12 | http_header; \ 13 | reference:url,https://www.cisa.gov/news-events/analysis-reports/ar23-243a; \ 14 | reference:url,https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/infamous-chisel/NCSC-MAR-Infamous-Chisel.pdf; \ 15 | sid:xxxxxxx; \ 16 | rev:1;) 17 | -------------------------------------------------------------------------------- /sigma/T1570/malware/CobaltStrike/CSAK_default_binaries_named_pipe.yaml: -------------------------------------------------------------------------------- 1 | title: Detects default CobaltStrike artifact kit named pipe by (pattern_regex) 2 | status: stable 3 | description: Detects default CobaltStrike artifact kit named pipe by (pattern_regex) 4 | references: 5 | - https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/ 6 | date: 2022/04/04 7 | author: Emanuele De Lucia 8 | tags: 9 | - attack.defense_evasion 10 | - attack.privilege_escalation 11 | - attack.t1570 12 | logsource: 13 | product: windows 14 | category: pipe_created 15 | detection: 16 | selection: 17 | - PipeName|re: '\MSSE-[0-9]{4}-server' 18 | condition: selection 19 | falsepositives: 20 | - unlikely 21 | level: high 22 | -------------------------------------------------------------------------------- /yara/ransomware/ESXiArgs.yar: 
-------------------------------------------------------------------------------- 1 | rule ESXiArgs_Ransomware_72633_00001 { 2 | meta: 3 | description = "Detects ESXiArgs variants by internal strings" 4 | author = "Emanuele De Lucia" 5 | date = "2023-02-04" 6 | hash1 = "11b1b2375d9d840912cfd1f0d0d04d93ed0cddb0ae4ddb550a5b62cd044d6b66" 7 | score = 100 8 | strings: 9 | $ = "[ %s ] - FAIL" fullword ascii 10 | $ = "get_pk_data: key file is empty!" fullword ascii 11 | $ = "lPEM_read_bio_RSAPrivateKey" fullword ascii 12 | $ = "lRSA_public_encrypt" fullword ascii 13 | $ = "usage: encrypt [] [] []" fullword ascii 14 | condition: 15 | uint16(0) == 0x457f and 16 | filesize < 100KB and 17 | all of them 18 | } 19 | -------------------------------------------------------------------------------- /yara/APT/Wiper/ZeroCleare.yar: -------------------------------------------------------------------------------- 1 | rule APT_ZeroCleare_87211_00387 { 2 | meta: 3 | description = "Detects ZeroCleare wiper variants by internal strings" 4 | author = "Emanuele De Lucia" 5 | tlp = "white" 6 | hash1 = "d8ec8ec8dfa582c44e81b8a7fcc44defc3d2fa658f75fa495124aedc3b0db367" 7 | hash2 = "e1204ebbd8f15dbf5f2e41dddc5337e3182fc4daf75b05acc948b8b965480ca0" 8 | strings: 9 | $ = "SOFTWARE\\EldoS\\EventLog" fullword wide 10 | $ = ".?AVERDError@@" fullword ascii 11 | $ = "RawDisk3" fullword wide 12 | $ = "\\\\?\\RawDisk3" fullword wide 13 | $ = " delete[]" fullword ascii 14 | $ = "###RawDisk3AMD64###" fullword ascii 15 | condition: 16 | uint16(0) == 0x5a4d and 17 | filesize < 300KB and 18 | all of them 19 | } 20 | -------------------------------------------------------------------------------- /yara/SevenZip_LZMA_RCNORM_BF_EXPLOIT.yar: -------------------------------------------------------------------------------- 1 | rule SevenZip_LZMA_RCNORM_BF_EXPLOIT { 2 | meta: 3 | description = "Detects weaponized 7zip archives exploiting malformed LZMA stream" 4 | author = "Emanuele De Lucia" 5 | date = "2024-12-30" 
6 | reference = "https://x.com/NSA_Employee39/status/1873644808998367272" 7 | score = 90 8 | strings: 9 | $header = { 37 7A BC AF 27 1C 00 04 03 5B A8 6F 25 00 00 00 00 00 00 00 8F 00 00 00 00 00 00 00 } 10 | $lzma_props = { 5D 00 00 00 01 00 } 11 | $lzma_stream = { FF FF FF FF FF FF FF FF FF 00 00 00 00 00 00 00 00 } 12 | $prologue = { 55 89 E5 83 EC 08 } 13 | $mov = { C7 04 24 } 14 | $padding = { CC CC CC 89 EC 5D C3 } 15 | condition: 16 | $header and 17 | $lzma_props and 18 | $lzma_stream and 19 | ($prologue and $mov and $padding) 20 | } 21 | -------------------------------------------------------------------------------- /sigma/T1049/wifi_enumeration.yaml: -------------------------------------------------------------------------------- 1 | title: Possible network information discovery by WiFi enumeration (via cmdline) 2 | status: stable 3 | description: Possible WiFi network enumeration (via cmdline) 4 | id: 4585d459-d403-4b56-94bd-3086383c1a9b 5 | references: 6 | - internal research 7 | tags: 8 | - attack.discovery 9 | - attack.t1049 10 | author: Emanuele De Lucia 11 | date: 2021/05/20 12 | logsource: 13 | category: process_creation 14 | product: windows 15 | detection: 16 | selection: 17 | Image|endswith: 18 | - 'netsh.exe' 19 | CommandLine|contains|all: 20 | - 'wlan' 21 | - 'show networks' 22 | - 'mode=bssid' 23 | condition: selection 24 | falsepositives: 25 | - legitimate administrative tasks 26 | level: medium 27 | -------------------------------------------------------------------------------- /yara/CVE-2021-27065.yar: -------------------------------------------------------------------------------- 1 | rule OperaDLLSOH_CVE202127065_92877_27664 { 2 | meta: 3 | description = "Detects DLL SOH payload used during automated exploitation of Internet-facing Exchange servers - CVE-2021-27065" 4 | author = "Emanuele De Lucia" 5 | hash1 = "b212655aeb4700f247070ba5ca6d9c742793f108881d07e4d1cdc4ede175fcff" 6 | strings: 7 | $s1 = "opera_browser.dll" fullword ascii 8 | 
$s2 = "opera_browser.png" fullword ascii 9 | $s3 = "OperaDllMain" fullword ascii 10 | $s4 = "operator<=>" fullword ascii 11 | $op1 = {68 dc 0c 01 10 ff 15 00 c0 00 10 50 ff 15 24 c0 00 10} 12 | $op2 = {6a 40 68 00 30 00 00 52 6a 00 89 45 fc ff 15 0c c0 00} 13 | condition: 14 | (uint16(0) == 0x5a4d and 15 | filesize < 100KB and 16 | (all of ($s*) or 17 | all of ($op*))) 18 | } 19 | -------------------------------------------------------------------------------- /sigma/T1548.002/UAC_bypass_by_registry_set.yaml: -------------------------------------------------------------------------------- 1 | title: Possible UAC bypass via registry (registry_set) 2 | status: stable 3 | description: Possible UAC bypass via registry (registry_set) 4 | author: Emanuele De Lucia 5 | date: 2022/05/03 6 | references: 7 | - internal research 8 | tags: 9 | - attack.defense_evasion 10 | logsource: 11 | product: windows 12 | category: registry_set 13 | detection: 14 | selection: 15 | EventType: SetValue 16 | TargetObject: 17 | - 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA' 18 | - 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin' 19 | Details: 'DWORD (0x00000000)' 20 | condition: selection 21 | falsepositives: 22 | - Administrative tasks that require UAC disabling 23 | level: high 24 | -------------------------------------------------------------------------------- /sigma/CVE/CVE-2022-34713.yaml: -------------------------------------------------------------------------------- 1 | title: Potential DogWalk exploitation via (process_creation) 2 | status: experimental 3 | description: Potential DogWalk exploitation via (process_creation) 4 | references: 5 | - internal research 6 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34713 7 | author: Emanuele De Lucia 8 | date: 2022/08/13 9 | logsource: 10 | category: process_creation 11 | product: windows 12 | detection: 13 | selection: 14 | Image|endswith: 15 | - 
'\msdt.exe' 16 | CommandLine|contains: 17 | - '/cab' 18 | - '.diagcab' 19 | except: 20 | CommandLine|contains: 21 | - 'MicrosoftProgram_Install_and_Uninstall' 22 | condition: selection and not except 23 | falsepositives: 24 | - administrative tasks 25 | level: high 26 | -------------------------------------------------------------------------------- /sigma/t1562.001/crond.yml: -------------------------------------------------------------------------------- 1 | title: Crond Backdoor - Suspicious file creation under /tmp/ folder (via file_event) 2 | id: aae26b76-1477-1237-811f-1a035b2bfa5e 3 | status: stable 4 | description: Detects the creation of /tmp/tmpA81e4gVs file used by the crond backdoor implementation of getaddrinfo function 5 | references: 6 | - https://securelist.com/backdoored-free-download-manager-linux-malware/110465/ 7 | author: Emanuele De Lucia 8 | date: 2023/09/13 9 | tags: 10 | - attack.defense_evasion 11 | - attack.t1562.001 12 | logsource: 13 | product: linux 14 | category: file_event 15 | detection: 16 | selection: 17 | TargetFilename: '/tmp/tmpA81e4gVs' 18 | condition: selection 19 | falsepositives: 20 | - Other applications creating a file having 'tmpA81e4gVs' as filename under /tmp/ 21 | level: high 22 | -------------------------------------------------------------------------------- /sigma/T1543.001/launchagent.yml: -------------------------------------------------------------------------------- 1 | title: Property list file creation under LaunchAgent or LaunchDaemon folders 2 | status: experimental 3 | description: Property list file creation under LaunchAgent or LaunchDaemon folders 4 | author: Emanuele De Lucia 5 | references: 6 | - internal research 7 | date: 2022/01/25 8 | logsource: 9 | category: file_event 10 | product: macos 11 | detection: 12 | s1: 13 | TargetFilename|contains|all: 14 | - 'Library' 15 | - 'LaunchAgents' 16 | s2: 17 | TargetFilename|contains|all: 18 | - 'Library' 19 | - 'LaunchDaemons' 20 | s3: 21 | 
TargetFilename|endswith: 22 | - '.plist' 23 | condition: (s1 or s2) and s3 24 | falsepositives: 25 | - legitimate administration activities 26 | level: medium 27 | tags: 28 | - attack.persistence 29 | - attack.t1543.001 30 | - attack.t1543.004 31 | -------------------------------------------------------------------------------- /sigma/T1543.003/APT/deeppanda.yaml: -------------------------------------------------------------------------------- 1 | title: Installation of potentially malicious services as per the names used by DeepPanda / APT19 2 | description: Installation of potentially malicious services as per the names used by DeepPanda / APT19 3 | author: Emanuele De Lucia 4 | date: 2022/03/31 5 | reference: 6 | - https://www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits 7 | tags: 8 | - attack.persistence 9 | status: stable 10 | logsource: 11 | product: windows 12 | service: security 13 | detection: 14 | condition: selection 15 | selection: 16 | EventID: 17 | - '4697' 18 | ServiceName: 19 | - 'msupdate2' 20 | - 'WebService' 21 | - 'alg' 22 | - 'msupdate' 23 | - 'msupdateday' 24 | - 'DigaTrack' 25 | fields: 26 | - ServiceName 27 | falsepositives: 28 | - Legit services that present the same names 29 | level: medium 30 | -------------------------------------------------------------------------------- /sigma/t1218.011/qbot_Dec_2023.yaml: -------------------------------------------------------------------------------- 1 | title: Detect suspicious rundll32 execution from installer directory via (process_creation) 2 | id: be4590e4-9cc7-11ee-8c90-0242ac120002 3 | status: experimental 4 | references: 5 | - internal research 6 | description: Detects suspicious rundll32 execution from the Installer directory. 
7 | author: Emanuele De Lucia 8 | date: 2023/12/16 9 | tags: 10 | - attack.t1218.011 11 | - attack.defense_evasion 12 | logsource: 13 | category: process_creation 14 | product: windows 15 | detection: 16 | selection: 17 | Image|contains: 18 | - 'Installer' 19 | Image|endswith: 20 | - '.tmp' 21 | CommandLine|contains|all: 22 | - 'HideWindow' 23 | - 'rundll32' 24 | - 'AppData' 25 | - 'Roaming' 26 | - '.dll' 27 | condition: selection 28 | falsepositives: 29 | - legitimate software installations and/or configurations 30 | level: medium 31 | -------------------------------------------------------------------------------- /sigma/TA0002/ransomware/PDQRunner.yaml: -------------------------------------------------------------------------------- 1 | title: PDQRunner 2 | status: experimental 3 | description: Detects the use of PDQRunner via (process_creation) 4 | author: Emanuele De Lucia 5 | date: 2021/12/21 6 | logsource: 7 | category: process_creation 8 | product: windows 9 | detection: 10 | c1: 11 | Image|contains: 12 | - 'PDQRunner' 13 | - 'PDQDeployRunner' 14 | - 'PDQInventory' 15 | c2: 16 | OriginalFileName|contains: 17 | - 'PDQRunner' 18 | c3: 19 | Description|contains: 20 | - 'Remote process runner' 21 | c4: 22 | Image|endswith: 23 | - '\sc.exe' 24 | CommandLine|contains|all: 25 | - 'binpath' 26 | - 'create' 27 | - 'PDQRunner' 28 | condition: 1 of c* 29 | falsepositives: 30 | - Administrative and / or legitimate use of PDQRunner 31 | tags: 32 | - attack.execution 33 | level: medium 34 | -------------------------------------------------------------------------------- /sigma/APT/APT29/detection.yml: -------------------------------------------------------------------------------- 1 | title: Cozy Bear - Invitation - campaign DLL Side-Loading 2 | status: experimental 3 | description: Detects DLL Side-Loading potentially related to Cozy Bear - Invitation - campaign 4 | date: 2023/07/23 5 | tags: 6 | - attack.defense_evasion 7 | - attack.persistence 8 | - 
attack.privilege_escalation 9 | logsource: 10 | category: image_load 11 | product: windows 12 | detection: 13 | path: 14 | Image|startswith: 15 | - 'C:\windows\tasks\' 16 | Image|endswith: 17 | - '\msoev.exe' 18 | dll: 19 | ImageLoaded|endswith: 20 | - '\AppVIsvSubsystems64.dll' 21 | - '\mso.dll' 22 | ImageLoaded|startswith: 23 | - 'C:\windows\tasks\' 24 | Signed: 25 | - 'false' 26 | condition: (path and dll) 27 | falsepositives: 28 | - unknown 29 | level: high 30 | -------------------------------------------------------------------------------- /sigma/T1574.012/cor_profiler_via_cmdline.yml: -------------------------------------------------------------------------------- 1 | title: Attempts to detect potential COR_PROFILER environment variables manipulation via cmdline that could lead to execution flow hijacking 2 | date: 2021/07/22 3 | status: experimental 4 | author: Emanuele De Lucia 5 | description: Attempts to detect potential COR_PROFILER environment variables manipulation via cmdline that could lead to execution flow hijacking 6 | date: 2021/07/22 7 | references: 8 | - https://redcanary.com/blog/blue-mockingbird-cryptominer/ 9 | tags: 10 | - attack.t1574.012 11 | logsource: 12 | category: process_creation 13 | product: windows 14 | detection: 15 | cmdline: 16 | CommandLine|contains: 17 | - 'COR_ENABLE_PROFILING' 18 | - 'COR_PROFILER' 19 | - 'COR_PROFILER_PATH' 20 | condition: cmdline 21 | falsepositives: 22 | - legitimate administrative tasks 23 | level: medium 24 | -------------------------------------------------------------------------------- /sigma/Spring4Shell.yaml: -------------------------------------------------------------------------------- 1 | title: Potential Spring4Shell exploitation by .jsp file_create 2 | status: stable 3 | description: Detects the creation of .jsp webshell under the default webserver root according to PoC in references. 
4 | references: 5 | - https://github.com/lunasec-io/Spring4Shell-POC/blob/master/exploit.py 6 | - https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/ 7 | author: Emanuele De Lucia 8 | date: 2022/03/31 9 | tags: 10 | - attack.initial_access 11 | - attack.execution 12 | logsource: 13 | product: linux 14 | category: file_create 15 | detection: 16 | s1: 17 | - TargetFileName|contains: 'webapps/ROOT' 18 | s2: 19 | - TargetFilename|endswith: 'tomcatwar.jsp' 20 | - TargetFilename|endswith: 'shell.jsp' 21 | - TargetFilename|endswith: '0xd0m7.jsp' 22 | - TargetFilename|endswith: 'wpz.jsp' 23 | - TargetFilename|endswith: 'myshell.jsp' 24 | condition: s1 and s2 25 | falsepositives: 26 | - unlikely 27 | level: high 28 | -------------------------------------------------------------------------------- /yara/scienron/Scarab_Scieron_928322_10913.yar: -------------------------------------------------------------------------------- 1 | rule Scarab_Scieron_928322_10913 { 2 | meta: 3 | author = "Emanuele De Lucia" 4 | tlp = "white" 5 | hash1 = "7d905bedc48554a23c4630bf5163803488ac3f650082c728dc60a6724b2bb331" 6 | strings: 7 | /* 8 | 0x10001a40L 0FB708 movzx ecx, word ptr [eax] 9 | 0x10001a43L 6683F92C cmp cx, 0x2c 10 | 0x10001a47L 740C je 0x10001a55 11 | 0x10001a49L 6683F93B cmp cx, 0x3b 12 | 0x10001a4dL 7406 je 0x10001a55 13 | 0x10001a4fL 6683F97C cmp cx, 0x7c 14 | 0x10001a53L 7505 jne 0x10001a5a 15 | 0x10001a55L 33C9 xor ecx, ecx 16 | 0x10001a57L 668908 mov word ptr [eax], cx 17 | */ 18 | $mz = { 4d 5a } 19 | $hex = { 0f b7 08 66 83 f9 2c 74 0c 66 83 f9 3b 74 06 66 83 f9 7c 75 05 33 c9 66 89 08 } 20 | condition: ($mz at 0 and $hex) 21 | } 22 | -------------------------------------------------------------------------------- /sigma/t1059/CVE-2023-38831.yaml: -------------------------------------------------------------------------------- 1 | title: Potential exploitation of WinRAR vulnerability CVE-2023-38831 via (file_event) 2 | id: 698e61c8-59c6-4388-82f6-d00889be8c55 3 | 
status: experimental
description: Detects potential exploitation of CVE-2023-38831 by looking for files with a spoofed double extension (e.g. 'invoice.pdf .cmd') being created in the WinRAR temporary extraction directory %RARTMPDIR% (AppData\Local\Temp\Rar$...)
references:
  - https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/main/Part-1-Overview.md
  - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
author: Emanuele De Lucia
date: 2023/08/28
tags:
  - attack.t1059
logsource:
  product: windows
  category: file_event
detection:
  selection:
    TargetFilename|contains|all:
      - 'AppData'
      - 'Local'
      - 'Temp'
      - 'Rar$'
    TargetFilename|endswith:
      - '.pdf .cmd'
      - '.jpg .cmd'
  condition: selection
falsepositives:
  - unknown
level: high
--------------------------------------------------------------------------------
/yara/ransomware/blackbasta/yara.yar:
--------------------------------------------------------------------------------
rule BlackBasta_Ransomware_82733_00018 : eCRIME THREAT GROUP {
    meta:
        description = "Detects BlackBasta Ransomware payloads by common strings"
        author = "Emanuele De Lucia"
        hash1 = "ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e"
        hash2 = "7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a"
        hash3 = "5b6c3d277711d9f847be59b16fd08390fc07d3b27c7c6804e2170f456e9f1173"
    strings:
        $ = "Input is not valid base64-encoded data." fullword ascii
        $ = "(you should download and install TOR browser first https://torproject.org)" fullword ascii
        $ = "Done time: %.4f seconds, encrypted: %.4f gb" fullword ascii
        $ = "operator<=>" fullword ascii
        $ = ".data$rs" fullword ascii
        $ = "https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion:80/" fullword ascii
        $ = "Error 755: " fullword ascii
        $ = "mpz_import: Nails not supported." fullword ascii
    condition:
        (uint16(0) == 0x5a4d and ( 6 of them ))
}
--------------------------------------------------------------------------------
/sigma/T1574.001/shadowpad_dropped_dll_loader.yaml:
--------------------------------------------------------------------------------
title: ShadowPad implant via dropped dll loader (file_event)
description: Detects the creation, under user profile or program directories, of DLL files whose names match the side-loading loaders dropped by ShadowPad (DLL search-order hijacking)
author: Emanuele De Lucia
date: 2022/02/18
status: stable
references:
  - https://www.secureworks.com/research/shadowpad-malware-analysis
tags:
  - attack.defense_evasion
  - attack.privilege_escalation
  - attack.persistence
  - attack.t1574.001
logsource:
  category: file_event
  product: windows
detection:
  s1:
    TargetFilename|contains|all:
      - 'Users'
      - 'Roaming'
  s2:
    TargetFilename|contains:
      - 'ProgramData'
      - 'Program Files'
  s3:
    TargetFilename|endswith:
      - 'mscoree.dll'
      - 'hpqhvsei.dll'
      - 'secur32.dll'
      - 'tosbtkbd.dll'
      - 'log.dll'
      - 'iviewers.dll'
  condition: (s1 or s2) and s3
falsepositives:
  - legitimate software that creates DLL files with the same names under the same paths
level: high
--------------------------------------------------------------------------------
/sigma/t1562.001/README.txt:
--------------------------------------------------------------------------------
Impair Defenses: Disable or Modify Tools

Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities.

This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information.
Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events.
For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to Indicator Blocking, adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.

Source:

MITRE ATT&CK
--------------------------------------------------------------------------------
/sigma/T1190/CVE-2024-40711.yaml:
--------------------------------------------------------------------------------
title: Potential Veeam Backup Exploitation - Suspicious Process Spawn Detection (via process_creation)
id: d26f7b76-e63d-45e8-87b6-dc1e43fbd1a2
description: Detects suspicious processes spawned by Veeam Backup, indicating potential Veeam vulnerability exploitation, such as CVE-2024-40711.
status: stable
author: Emanuele De Lucia
date: 2024/09/10
references:
  - https://www.helpnetsecurity.com/2024/09/09/cve-2024-40711-exploited/
  - https://censys.com/cve-2024-40711/
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\Veeam.Backup.Service.exe'
      - '\Veeam.Agent.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\wscript.exe'
      - '\cscript.exe'
      - '\mshta.exe'
      - '\rundll32.exe'
      - '\certutil.exe'
  condition: selection
falsepositives:
  - Legitimate maintenance tasks while configuring or troubleshooting backups
level: high
tags:
  - attack.execution
  - attack.t1059
  - attack.t1218
  - attack.t1190
--------------------------------------------------------------------------------
/sigma/T1190/README.txt:
--------------------------------------------------------------------------------
Exploit Public-Facing Application:

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet accessible open sockets.[1][2][3][4][5] Depending on the flaw being exploited this may also involve Exploitation for Defense Evasion or Exploitation for Client Execution.

If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container.
This can allow an adversary a path to access the cloud or container APIs, exploit container host access via Escape to Host, or take advantage of weak identity and access management policies.

Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.

Source: MITRE
--------------------------------------------------------------------------------
/sigma/T1005/ram_capture.yml:
--------------------------------------------------------------------------------
title: RAM Capture Software Execution Detected
id: 1f2a3c1e-7b9f-4d5a-8a21-1e9b0a3f7d4e
status: stable
description: Detects the execution of RAM capture software (Belkasoft RAM Capturer, Magnet RAM Capture, Magnet DumpIt), matching either the image path or the PE original file name so that a renamed binary is still caught. The companion rule below covers the kernel driver load.
author: Emanuele De Lucia
date: 2025/05/10
modified: 2025/05/10
references:
  - https://belkasoft.com/ram-capturer
  - https://www.magnetforensics.com/resources/magnet-ram-capture/
  - https://www.magnetforensics.com/resources/magnet-dumpit-for-windows/
tags:
  - attack.credential_access
  - attack.collection
  - attack.t1003.001
  - attack.t1005
logsource:
  product: windows
  category: process_creation
detection:
  selection_image:
    Image|endswith:
      - '\RAMCapture.exe'
      - '\RamCapture64.exe'
      - '\DumpIt.exe'
      - '\MRC.exe'
      - '\MRCv120.exe'
  selection_originalfilename:
    OriginalFileName|endswith:
      - 'RAMCapture.exe'
      - 'RamCapture64.exe'
      - 'DumpIt.exe'
      - 'MRC.exe'
      - 'MRCv120.exe'
  condition: 1 of selection_*
falsepositives:
  - Legitimate use by forensic investigators or incident response teams during an authorized investigation.
  - System administrators using the tool for approved diagnostic or memory acquisition purposes.
level: high
---
title: RAM Capture Driver Load Detected
# id: assign a UUID before deployment (a Sigma rule takes exactly one logsource category, so driver_load is a separate rule)
status: stable
description: Detects the load of the kernel driver shipped with RAM capture software such as Belkasoft RAM Capturer
author: Emanuele De Lucia
date: 2025/05/10
modified: 2025/05/10
references:
  - https://belkasoft.com/ram-capturer
tags:
  - attack.credential_access
  - attack.collection
  - attack.t1003.001
  - attack.t1005
logsource:
  product: windows
  category: driver_load
detection:
  selection:
    ImageLoaded|endswith:
      - '\RamCaptureDriver.sys'
      - '\RamCaptureDriver64.sys'
  condition: selection
falsepositives:
  - Legitimate use by forensic investigators or incident response teams during an authorized investigation.
  - System administrators using the tool for approved diagnostic or memory acquisition purposes.
level: high
--------------------------------------------------------------------------------
/yara/loaders/darkgate.yar:
--------------------------------------------------------------------------------
rule DarkGate_Loader_87233_00090 {
    meta:
        author = "Emanuele De Lucia"
        description = "Detects DarkGate loader by strings decryption routine"
        hash1 = "efe4dd6e9ec7f3d60a456a863d47a1624ca5354bd37f8a3a7c7a4dd4f68596f4"
        hash2 = "da05617eded07cec14d283b73336c4582b4e812c99c81da14c06f28d7432e0f9"
        hash3 = "4c84b3f2be74644fa8157b93471586fdaaaeab18a3b2732663e08ce7c12e20c6"
        hash4 = "e7b76e11101e35c46a7199851f82c69e819a3d856f6f68fa3af0636c3efde0ca"
        hash5 = "1a94ea3a5b595fa4758ab0e4a3a70a43631439d79d3e94f5f539b00b64d2a1e6"
        score = 80
    strings:
        // Delphi-style routine: standard prologue (push ebp / mov ebp,esp), SEH frame setup
        // (xor eax,eax / push ebp / push @handler / push fs:[eax] / mov fs:[eax],esp), then the
        // byte-wise decryption loop; the ?? wildcards mask stack offsets and relocated addresses.
        $hex = { 55 8B EC 83 C4 ?? 53 56 57 33 C9 89 4D ?? 89 55 ?? 89 45 ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B 45 ?? E8 ?? ?? ?? ?? 8B D0 8B 45 ?? E8 ?? ?? ?? ?? BE ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? E9 ?? ?? ?? ?? BF ?? ?? ?? ?? 8D 5D ?? 8B 45 ?? E8 ?? ?? ?? ?? 3B F0 7E ?? C6 03 ?? EB ?? 8D 45 ?? 8B 55 ?? 8A 54 32 ?? E8 ?? ?? ?? ?? 8B 45 ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 7D ?? C7 45 ?? ?? ?? ?? ?? 8A 45 ?? 48 88 03 46 43 4F 75 ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 55 ?? 8A 4D ?? 80 E1 ?? C1 E1 ?? 8A 5D ?? 80 E3 ?? 81 E3 ?? ?? ?? ?? C1 EB ?? 02 CB 88 4C 10 ?? FF 45 ?? 80 7D ?? ?? 74 ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 55 ?? 8A 4D ?? 80 E1 ?? C1 E1 ?? 8A 5D ?? 80 E3 ?? 81 E3 ?? ?? ?? ?? C1 EB ?? 02 CB 88 4C 10 ?? FF 45 ?? 80 7D ?? ?? 74 ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 55 ?? 8A 4D ?? 80 E1 ?? C1 E1 ?? 8A 5D ?? 80 E3 ?? 02 CB 88 4C 10 ?? FF 45 ?? 8B 45 ?? E8 ?? ?? ?? ?? 3B F0 0F 8E ?? ?? ?? ?? FF 4D ?? 8B 45 ?? 8B 55 ?? E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? C3 E9 ?? ?? ?? ?? EB ??
                 5F 5E 5B 8B E5 5D C3 }
    condition:
        $hex
}
--------------------------------------------------------------------------------
/sigma/t1105/MSSQL_BCP_Utility_Abuse.yaml:
--------------------------------------------------------------------------------
title: MS-SQL BCP Utility Potential Abuse
status: experimental
description: Detects potential abuse of the MS-SQL bcp.exe utility in 'queryout' mode to write query output to a local file with an executable or script extension, a way to drop a payload stored in a database table onto disk
references:
  - https://asec.ahnlab.com/en/61000/
author: Emanuele De Lucia
date: 2024/02/04
tags:
  - attack.execution
  - attack.t1059.003
  - attack.t1105
logsource:
  category: process_creation
  product: windows
detection:
  cmdline:
    Image|endswith: '\bcp.exe'
    CommandLine|contains|all:
      - 'queryout'
      - 'select'
      - 'from'
  ext:
    CommandLine|contains:
      - '.exe'
      - '.dll'
      - '.drv'
      - '.ps1'
      - '.jse'
      - '.scr'
      - '.js'
      - '.vhd'
      - '.msi'
      - '.wsf'
      - '.sys'
      - '.com'
      - '.img'
      - '.vbs'
      - '.bat'
      - '.cmd'
  path:
    CommandLine|contains:
      - 'AppData'
      - 'Documents'
      - 'Downloads'
      - 'System32'
      - 'Music'
      - 'Pictures'
      - 'Videos'
      - 'Temp'
      - 'SysWOW64'
      - 'Tasks'
      - 'Debug'
      - 'ProgramData'
      - 'Program Files'
      - 'Program Files (x86)'
  condition: cmdline and ext and path
falsepositives:
  - Legitimate administrative tasks
level: high
--------------------------------------------------------------------------------
/sigma/t1068/CVE-2025-53136.yml:
--------------------------------------------------------------------------------
title: Potential CVE-2025-53136 Exploitation via NtQueryInformationToken Race Condition
id: e16ac622-7884-494c-a5b4-6c1f682dcced
status: experimental
description: >-
  Matches single 'NtQueryInformationToken' calls with the 'TokenAccessInformation' class from a process
  that does not hold 'SeDebugPrivilege'. One call is not suspicious by itself; the event_count correlation
  rule that follows in this file counts these events per process over one minute, and a high volume is a
  strong indicator of an attempt to win a race condition to leak kernel addresses and bypass KASLR.
references:
  - https://www.crowdfense.com/nt-os-kernel-information-disclosure-vulnerability-cve-2025-53136/
author: Emanuele De Lucia
date: 2025-09-16
tags:
  - attack.privilege_escalation
  - attack.t1068
logsource:
  category: api_call # Warning: This rule requires a log source that can monitor API/syscalls and process token privileges.
  product: windows
detection:
  selection:
    ApiCall: 'NtQueryInformationToken'
    Parameters|contains: 'TokenAccessInformation'
  filter:
    Privileges|contains: 'SeDebugPrivilege'
  condition: selection and not filter
falsepositives:
  - Legitimate software without SeDebugPrivilege might call this function occasionally; alert on the correlated count, not on single events.
level: high
---
title: Potential CVE-2025-53136 Exploitation - High Volume of NtQueryInformationToken Calls
# id: assign a UUID before deployment
status: experimental
description: >-
  Fires when a single process without 'SeDebugPrivilege' issues more than 100 'NtQueryInformationToken'
  calls with the 'TokenAccessInformation' class within one minute. Such a volume is a strong indicator of
  an attempt to win the race condition, leak kernel addresses and bypass KASLR.
references:
  - https://www.crowdfense.com/nt-os-kernel-information-disclosure-vulnerability-cve-2025-53136/
author: Emanuele De Lucia
date: 2025-09-16
tags:
  - attack.privilege_escalation
  - attack.t1068
correlation:
  type: event_count
  rules:
    - e16ac622-7884-494c-a5b4-6c1f682dcced
  group-by:
    - ProcessGuid # Warning: adapt to your schema (e.g., process.entity_id).
  timespan: 1m
  condition:
    gt: 100
falsepositives:
  - The threshold of 100 calls per minute may need to be adjusted based on your environment's baseline.
  - Legitimate software without SeDebugPrivilege might unexpectedly call this function, but a high volume is highly suspicious.
  - To further reduce false positives, consider scoping the rule to processes running at 'Low' integrity level or in an 'AppContainer', as these are common contexts for exploit attempts.
level: high
--------------------------------------------------------------------------------
/sigma/attack.t1059.008/CISA_AA25-239A.yaml:
--------------------------------------------------------------------------------
title: Cisco Guest Shell Abuse for Persistence and Execution
id: 0d34b12a-6c8f-4a04-9a3b-3d61f1c7e9fa
status: experimental
description: |
  Detects commands related to the activation, access, and malicious use of the Guest Shell feature on Cisco IOS XE and NX-OS devices.
  This rule identifies not only the initial enabling and access commands but also subsequent suspicious activities within the shell, such as downloading external tools, modifying permissions, or establishing C2 channels.
  Threat actors leverage the Guest Shell as a containerized Linux environment to run arbitrary commands and pivot within a network, often evading traditional monitoring focused on the network OS itself.
references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a
author: Emanuele De Lucia
date: 2025-09-04
modified: 2025-09-04
tags:
  - attack.execution
  - attack.persistence
  - attack.command_and_control
  - attack.t1609
  - attack.t1543.005
  - attack.t1059.008
  - attack.t1105
logsource:
  product: cisco
  category: network_device_command # generic category for command execution logs (e.g., TACACS+ accounting, syslog); map it to your own source
detection:
  selection_access:
    CommandLine|contains:
      - 'guestshell enable'
      - 'guestshell run bash' # IOS XE
      - 'run guestshell' # NX-OS
  selection_host_interaction:
    CommandLine|contains:
      - 'dohost' # NX-OS: runs network OS CLI commands from inside the Guest Shell
      - 'chvrf'
  selection_payload_execution:
    CommandLine|contains:
      - 'wget http'
      - 'curl -O http'
      - 'curl -o '
      - 'chmod +x'
      - 'chmod 7' # e.g. chmod 777, 755 ...
      - 'nc -e /bin/bash'
      - 'ncat -e /bin/bash'
      - 'bash -i >& /dev/tcp/'
      - 'socat exec'
  condition: 1 of them
falsepositives:
  - Legitimate network administrators may use the Guest Shell for advanced scripting, automation or management tasks.
  - Legitimate activation or execution involving tool downloads (wget, curl) or permission changes (chmod). These should always be cross-verified with change management and administrator activity logs.
level: high
--------------------------------------------------------------------------------