UNC4841 - Email Exfiltration File Pattern
Detects filename pattern of email related data used by UNC4841 for staging and exfiltration
Sigma rule (View on GitHub)
1title: UNC4841 - Email Exfiltration File Pattern
2id: 0785f462-60b0-4031-9ff4-b4f3a0ba589a
3status: test
4description: Detects filename pattern of email related data used by UNC4841 for staging and exfiltration
5references:
6 - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2023/06/16
9tags:
10 - attack.execution
11 - attack.persistence
12 - attack.defense_evasion
13 - detection.emerging_threats
14logsource:
15 product: linux
16 category: file_event
17detection:
18 selection:
19 TargetFilename|re: '/mail/tmp/[a-zA-Z0-9]{3}[0-9]{3}\.tar\.gz'
20 condition: selection
21falsepositives:
22 - Unknown
23level: high
References
-
On May 23, 2023, Barracuda announced that a zero-day vulnerability (CVE-2023-2868) in the Barracuda Email Security Gateway (ESG) had been exploited in-the-wild as early as October 2022 and that the...
Read More
Related rules
- UNC4841 - Barracuda ESG Exploitation Indicators
- Goofy Guineapig Backdoor IOC
- Potential Qakbot Rundll32 Execution
- Qakbot Rundll32 Exports Execution
- Qakbot Rundll32 Fake DLL Extension Execution