Suspicious Content Extracted or Decompressed via Funzip
Identifies when suspicious content is extracted from a file and subsequently decompressed using the funzip utility. Malware may execute the tail utility with the "-c" option to read a byte range from a file (typically `tail -c +N file`, everything from byte offset N to the end), which is how a payload appended to a script or binary is carved out. The output from tail can be piped to funzip to decompress malicious code in memory before it is executed, without writing the unpacked archive to disk. This behavior is consistent with malware families such as Bundlore.
[metadata]
creation_date = "2023/06/26"
# Data source the rule depends on; must stay in step with [rule].index.
integration = ["endpoint"]
maturity = "production"
# Rationale for the stack floor below: the schema fields named here are
# what require 8.3.0 (per min_stack_comments).
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/26"

[rule]
author = ["Elastic"]
# Narrative shown to the analyst; the query below is the authoritative logic.
description = """
Identifies when suspicious content is extracted from a file and subsequently decompressed using the funzip utility.
Malware may execute the tail utility using the "-c" option to read a sequence of bytes from the end of a file. The
output from tail can be piped to funzip in order to decompress malicious code before it is executed. This behavior is
consistent with malware families such as Bundlore.
"""
# Look-back window per rule execution. Because timestamp_override is
# event.ingested, the window is measured on ingest time, so endpoint events
# that arrive late are still evaluated as long as they are ingested within it.
from = "now-9m"
# Process events from Elastic Defend (logs-endpoint.events.*) and
# Elastic Endgame (endgame-*); both data sources are declared in tags.
index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Content Extracted or Decompressed via Funzip"
# MITRE ATT&CK software entry for Bundlore, the family cited in the description.
references = [
 "https://attack.mitre.org/software/S0482/"
]
risk_score = 47
rule_id = "dc0b7782-0df0-47ff-8337-db0d678bdb66"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
# Query notes (EQL):
# - process.args is multi-valued and `==` on it is an any-element match, so the
#   three args terms require a single process whose argument list contains
#   "tail", "-c" and "funzip" as separate elements, in any order.
#   NOTE(review): a pipeline passed as one string (`sh -c "tail -c +N f | funzip"`)
#   carries the whole pipeline as a single args element and would not satisfy
#   these exact-element terms — confirm against sample Defend/Endgame events
#   which process record actually exposes the split tokens.
# - "exec" / "exec_event" are the process-execution actions of the two data
#   sources listed in index (Elastic Defend and Elastic Endgame respectively).
# - The `not` clauses are false-positive exclusions: tail -c on syslog
#   (/var/log/messages), initramfs builds (dracut), xargs-driven invocations,
#   and what is presumably a Nessus scanner helper (nessus_su).
#   NOTE(review): each exclusion keys on a value an actor on the host can set —
#   adding "/var/log/messages" as an extra argument, launching through xargs,
#   or placing "nessus_su" anywhere in the parent shell's command line all
#   suppress the alert. Where the FP data allows, anchor exclusions on full
#   process.parent.executable paths rather than args/command_line substrings.
query = '''
process where host.os.type == "linux" and event.action in ("exec", "exec_event") and
((process.args == "tail" and process.args == "-c" and process.args == "funzip")) and
not process.args : "/var/log/messages" and
not process.parent.executable : ("/usr/bin/dracut", "/sbin/dracut", "/usr/bin/xargs") and
not (process.parent.name in ("sh", "sudo") and process.parent.command_line : "*nessus_su*")
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
# Primary tactic: the tail | funzip pipeline is how the decompressed code gets run.
tactic = { id = "TA0002", name = "Execution", reference = "https://attack.mitre.org/tactics/TA0002/" }

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
# The pipeline is driven from a Unix shell, hence the sub-technique.
subtechnique = [
  { id = "T1059.004", name = "Unix Shell", reference = "https://attack.mitre.org/techniques/T1059/004/" },
]

[[rule.threat]]
framework = "MITRE ATT&CK"
tactic = { id = "TA0005", name = "Defense Evasion", reference = "https://attack.mitre.org/tactics/TA0005/" }
# Two techniques: the payload is stored in an obfuscated (compressed) form and
# decoded at run time by funzip.
technique = [
  { id = "T1027", name = "Obfuscated Files or Information", reference = "https://attack.mitre.org/techniques/T1027/" },
  { id = "T1140", name = "Deobfuscate/Decode Files or Information", reference = "https://attack.mitre.org/techniques/T1140/" },
]
References
Related rules
- BPF filter applied using TC
- Binary Executed from Shared Memory Directory
- Cron Job Created or Changed by Previously Unknown Process
- Interactive Terminal Spawned via Perl
- Interactive Terminal Spawned via Python