UNC4841 - Barracuda ESG Exploitation Indicators
Detects file indicators used by UNC4841 during their Barracuda ESG zero-day exploitation.
Sigma rule
title: UNC4841 - Barracuda ESG Exploitation Indicators
id: 5627c337-a9b2-407a-a82d-5fd97035ff39
status: test
description: Detects file indicators as seen used by UNC4841 during their Barracuda ESG zero day exploitation.
references:
    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-16
tags:
    - attack.execution
    - attack.persistence
    - attack.defense-evasion
    - detection.emerging-threats
logsource:
    product: linux
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - '/11111.tar'
            - '/aacore.sh'
            - '/appcheck.sh'
            - '/autoins'
            - '/BarracudaMailService'
            - '/etc/cron.daily/core_check.sh'
            - '/etc/cron.daily/core.sh'
            - '/etc/cron.hourly/aacore.sh'
            - '/etc/cron.hourly/appcheck.sh'
            - '/etc/cron.hourly/core.sh'
            - '/get_fs_info.pl'
            - '/imgdata.jpg'
            - '/install_att_v2.tar'
            - '/install_bvp74_auth.tar'
            - '/install_helo.tar'
            - '/install_reuse.tar'
            - '/intent_helo'
            - '/intent_reuse'
            - '/intentbas'
            - '/mknod'
            - '/mod_attachment.lua'
            - '/mod_content.lua'
            - '/mod_require_helo.lua'
            - '/mod_rtf'
            - '/mod_sender.lua'
            - '/mod_udp.so'
            - '/nfsd_stub.ko'
            - '/resize_reisertab'
            - '/resize_risertab'
            - '/resize2fstab'
            - '/rverify'
            - '/saslautchd'
            - '/sendscd'
            - '/snapshot.tar'
            - '/tmp/p'
            - '/tmp/p7'
            - '/tmp/t'
            - '/update_v2.sh'
            - '/update_v31.sh'
            - '/update_v35.sh'
            - '/update_version'
    condition: selection
falsepositives:
    - Unlikely
level: high
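As an added example (not part of the rule or of the Sigma project), the `selection` above can be reproduced in Python and run over constructed `file_event` records to see exactly what the `endswith` modifier does and does not match; `INDICATORS` holds a subset of the rule's values and `SAMPLE_EVENTS` is made up.

```python
from typing import Iterable, List, Optional, Tuple

# Subset of the rule's `TargetFilename|endswith` values; the full list from
# the YAML above can be pasted in unchanged.
INDICATORS = [
    "/aacore.sh",
    "/etc/cron.hourly/aacore.sh",
    "/mod_udp.so",
    "/resize2fstab",
    "/saslautchd",
    "/tmp/p7",
    "/mknod",
]


def sigma_endswith(value: str, patterns: Iterable[str]) -> Optional[str]:
    """Emulate Sigma's `|endswith` on a string field: a plain (non-regex)
    suffix comparison, case-insensitive as the Sigma spec requires.
    Returns the first pattern that matched, or None."""
    v = value.lower()
    for p in patterns:
        if v.endswith(p.lower()):
            return p
    return None


def detect(events: Iterable[dict]) -> List[Tuple[str, str]]:
    """Apply the rule's single-selection condition to file_event records and
    return (TargetFilename, matched indicator) pairs for every hit."""
    hits = []
    for ev in events:
        fn = ev.get("TargetFilename")
        if not isinstance(fn, str):  # field absent: the selection cannot match
            continue
        matched = sigma_endswith(fn, INDICATORS)
        if matched:
            hits.append((fn, matched))
    return hits


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"TargetFilename": "/etc/cron.hourly/aacore.sh"},  # cron persistence path
    {"TargetFilename": "/home/admin/report.txt"},       # benign, no match
    {"TargetFilename": "/tmp/p7"},                      # exact short name
    {"TargetFilename": "/tmp/p70"},                     # not a suffix match
    {"TargetFilename": "/usr/bin/mknod"},               # matches '/mknod' too
    {"Image": "/usr/bin/touch"},                        # no TargetFilename
]

if __name__ == "__main__":
    for fn, ind in detect(SAMPLE_EVENTS):
        print(f"ALERT {fn!r} matched {ind!r}")
```

Because `endswith` is a pure suffix test, a write to `/usr/bin/mknod` also satisfies the `/mknod` indicator, which is worth knowing when triaging hits from this rule.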
Related rules
- UNC4841 - Email Exfiltration File Pattern
- APT29 2018 Phishing Campaign CommandLine Indicators
- COLDSTEEL Persistence Service Creation
- COLDSTEEL RAT Anonymous User Process Execution
- COLDSTEEL RAT Cleanup Command Execution