Suspicious Content Extracted or Decompressed via Funzip

Identifies when suspicious content is extracted from a file and subsequently decompressed using the funzip utility. Malware may execute the tail utility using the "-c" option to read a sequence of bytes from the end of a file. The output from tail can be piped to funzip in order to decompress malicious code before it is executed. This behavior is consistent with malware families such as Bundlore.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2023/06/26"
integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/03/20"

[rule]
author = ["Elastic"]
description = """
Identifies when suspicious content is extracted from a file and subsequently decompressed using the funzip utility.
Malware may execute the tail utility using the "-c" option to read a sequence of bytes from the end of a file. The
output from tail can be piped to funzip in order to decompress malicious code before it is executed. This behavior is
consistent with malware families such as Bundlore.
"""
from = "now-9m"
index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Content Extracted or Decompressed via Funzip"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious Content Extracted or Decompressed via Funzip

Funzip is a utility used to decompress files directly from a stream, often employed in legitimate data processing tasks. However, adversaries can exploit this by combining it with the 'tail' command to extract and execute malicious payloads stealthily. The detection rule identifies this misuse by monitoring specific command sequences and excluding benign processes, thus flagging potential threats for further investigation.

### Possible investigation steps

- Review the process details to confirm the presence of the 'tail' and 'funzip' command sequence, focusing on the specific arguments used, such as "-c", to understand the context of the command execution.
- Examine the parent process information to determine if the process was initiated by any known benign executables or scripts, specifically checking against the exclusion list like "/usr/bin/dracut" or "/sbin/dracut".
- Investigate the command line history and execution context of the parent process, especially if it involves "sh" or "sudo", to identify any suspicious patterns or unauthorized script executions.
- Check the file path and content being accessed by the 'tail' command to ensure it is not targeting sensitive or unexpected files, excluding known benign paths like "/var/log/messages".
- Correlate the event with other security alerts or logs from the same host to identify any related suspicious activities or patterns that might indicate a broader compromise.
- Assess the risk and impact by determining if the decompressed content was executed or if it led to any subsequent suspicious processes or network connections.

### False positive analysis

- Legitimate system maintenance tasks may trigger this rule if they involve decompressing logs or data files using funzip. To manage this, identify and exclude specific maintenance scripts or processes that are known to use funzip in a non-threatening manner.
- Automated backup or data processing operations might use funzip in combination with tail for legitimate purposes. Review these operations and add exceptions for known benign processes or scripts that match this pattern.
- Security tools or monitoring solutions like Nessus may inadvertently trigger this rule if they use similar command sequences for scanning or data collection. Exclude these tools by adding exceptions for their specific command lines or parent processes.
- Custom scripts developed in-house for data analysis or processing might use funzip and tail together. Document these scripts and exclude them from the rule to prevent false positives, ensuring they are reviewed and approved by security teams.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further spread of the potential malware.
- Terminate any suspicious processes identified by the detection rule, specifically those involving the 'tail' and 'funzip' command sequence.
- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious payloads.
- Review and analyze system logs and command history to identify any unauthorized access or additional malicious activities that may have occurred.
- Restore any compromised files or systems from known good backups to ensure integrity and availability of data.
- Implement application whitelisting to prevent unauthorized execution of utilities like 'funzip' and 'tail' by non-administrative users.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the need for broader organizational response measures."""
references = ["https://attack.mitre.org/software/S0482/"]
risk_score = 47
rule_id = "dc0b7782-0df0-47ff-8337-db0d678bdb66"
setup = """## Setup

This rule requires data coming in from Elastic Defend.

### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.

#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).

#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: SentinelOne",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "linux" and event.action in ("exec", "exec_event", "start") and
((process.args == "tail" and process.args == "-c" and process.args == "funzip")) and
not process.args : "/var/log/messages" and
not process.parent.executable : ("/usr/bin/dracut", "/sbin/dracut", "/usr/bin/xargs") and
not (process.parent.name in ("sh", "sudo") and process.parent.command_line : "*nessus_su*")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"



[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1027"
name = "Obfuscated Files or Information"
reference = "https://attack.mitre.org/techniques/T1027/"

[[rule.threat.technique]]
id = "T1140"
name = "Deobfuscate/Decode Files or Information"
reference = "https://attack.mitre.org/techniques/T1140/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
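To make the query's matching semantics concrete (array fields compared element-wise, exact `==`/`in` versus case-insensitive wildcard `:`), the following added example, which is not part of the Elastic rule or its repository, re-implements the predicate in Python and runs it over constructed process events. The ECS field names come from the query above; the sample argument arrays, file names, the `make_event` helper and the assumption that the sensor reports whitespace-split argument tokens are all my own.

```python
from fnmatch import fnmatchcase

def _as_list(value):
    # EQL compares array fields element-wise; wrap scalars so both paths behave alike.
    return [] if value is None else ([value] if isinstance(value, str) else list(value))

def eql_eq(field, wanted):
    """EQL '==' / 'in': exact, case-sensitive match of any element."""
    return any(v in wanted for v in _as_list(field))

def eql_like(field, patterns):
    """EQL ':': case-insensitive wildcard match of any element against any pattern."""
    return any(fnmatchcase(v.lower(), p.lower()) for v in _as_list(field) for p in patterns)

def matches_funzip_rule(ev):
    """Predicate equivalent to the rule's EQL query, evaluated on one ECS-style event."""
    if ev.get("host.os.type") != "linux" or ev.get("event.action") not in ("exec", "exec_event", "start"):
        return False
    args = ev.get("process.args", [])
    if not all(eql_eq(args, (tok,)) for tok in ("tail", "-c", "funzip")):  # all three tokens must appear
        return False
    if eql_like(args, ("/var/log/messages",)):
        return False  # log-file handling is excluded
    if eql_like(ev.get("process.parent.executable"),
                ("/usr/bin/dracut", "/sbin/dracut", "/usr/bin/xargs")):
        return False  # initramfs tooling and xargs parents are excluded
    if (ev.get("process.parent.name") in ("sh", "sudo")
            and eql_like(ev.get("process.parent.command_line"), ("*nessus_su*",))):
        return False  # Nessus scanner wrapper is excluded
    return True

def make_event(args, parent_exe="/bin/bash", parent_name="bash", parent_cmd="", os_type="linux"):
    return {"host.os.type": os_type, "event.action": "exec", "process.args": args,
            "process.parent.executable": parent_exe, "process.parent.name": parent_name,
            "process.parent.command_line": parent_cmd}

# Constructed samples built with the hypothetical make_event helper (not real telemetry).
SAMPLE_EVENTS = {
    "hit": make_event(["sh", "-c", "tail", "-c", "+1234", "./Installer", "|", "funzip"]),
    "log_path_excluded": make_event(["tail", "-c", "4096", "/var/log/messages", "|", "funzip"]),
    "dracut_parent": make_event(["tail", "-c", "512", "initrd.img", "|", "funzip"], "/usr/bin/dracut", "dracut"),
    "nessus_wrapper": make_event(["tail", "-c", "512", "scan.bin", "|", "funzip"],
                                 "/usr/bin/sudo", "sudo", "sudo /tmp/nessus_su_wrapper.sh"),
    "no_funzip": make_event(["tail", "-c", "100", "notes.txt"]),
}

def evaluate(events=SAMPLE_EVENTS):
    """Map each sample id to whether the rule would alert on it."""
    return {name: matches_funzip_rule(ev) for name, ev in events.items()}
```

Only the first sample alerts; the other four exercise each exclusion branch, which is the set of cases a tuning change to this rule should be regression-tested against.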