Suspicious Content Extracted or Decompressed via Funzip

Identifies when suspicious content is extracted from a file and subsequently decompressed using the funzip utility. Malware may execute the tail utility using the "-c" option to read a sequence of bytes from the end of a file. The output from tail can be piped to funzip in order to decompress malicious code before it is executed. This behavior is consistent with malware families such as Bundlore.


 1[metadata]
 2creation_date = "2023/06/26"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/06/26"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies when suspicious content is extracted from a file and subsequently decompressed using the funzip utility.
13Malware may execute the tail utility using the "-c" option to read a sequence of bytes from the end of a file. The
14output from tail can be piped to funzip in order to decompress malicious code before it is executed. This behavior is
15consistent with malware families such as Bundlore.
16"""
17from = "now-9m"
18index = ["logs-endpoint.events.*", "endgame-*"]
19language = "eql"
20license = "Elastic License v2"
21name = "Suspicious Content Extracted or Decompressed via Funzip"
22references = [
23  "https://attack.mitre.org/software/S0482/"
24]
25risk_score = 47
26rule_id = "dc0b7782-0df0-47ff-8337-db0d678bdb66"
27severity = "medium"
28tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
29timestamp_override = "event.ingested"
30type = "eql"
31query = '''
32process where host.os.type == "linux" and event.action in ("exec", "exec_event") and
33((process.args == "tail" and process.args == "-c" and process.args == "funzip")) and
34not process.args : "/var/log/messages" and 
35not process.parent.executable : ("/usr/bin/dracut", "/sbin/dracut", "/usr/bin/xargs") and
36not (process.parent.name in ("sh", "sudo") and process.parent.command_line : "*nessus_su*")
37'''
38
39[[rule.threat]]
40framework = "MITRE ATT&CK"
41
42[rule.threat.tactic]
43name = "Execution"
44id = "TA0002"
45reference = "https://attack.mitre.org/tactics/TA0002/"
46
47[[rule.threat.technique]]
48id = "T1059"
49name = "Command and Scripting Interpreter"
50reference = "https://attack.mitre.org/techniques/T1059/"
51
52[[rule.threat.technique.subtechnique]]
53name = "Unix Shell"
54id = "T1059.004"
55reference = "https://attack.mitre.org/techniques/T1059/004/"
56
57[[rule.threat]]
58framework = "MITRE ATT&CK"
59
60[rule.threat.tactic]
61name = "Defense Evasion"
62id = "TA0005"
63reference = "https://attack.mitre.org/tactics/TA0005/"
64
65[[rule.threat.technique]]
66name = "Obfuscated Files or Information"
67id = "T1027"
68reference = "https://attack.mitre.org/techniques/T1027/"
69
70[[rule.threat.technique]]
71name = "Deobfuscate/Decode Files or Information"
72id = "T1140"
73reference = "https://attack.mitre.org/techniques/T1140/"
