UNC4841 - Potential SEASPY Execution
Detects execution of specific named binaries which were used by UNC4841 to deploy their SEASPY backdoor
Sigma rule
title: UNC4841 - Potential SEASPY Execution
id: f6a711f3-d032-4f9e-890b-bbe776236c84
status: test
description: Detects execution of specific named binaries which were used by UNC4841 to deploy their SEASPY backdoor
references:
    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/06/16
tags:
    - attack.execution
    - detection.emerging_threats
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '/BarracudaMailService'
            - '/resize2fstab'
            - '/resize_reisertab'
    condition: selection
falsepositives:
    - Unlikely
level: critical
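To see what this rule actually fires on, the following added example (written for this page; it is not the SigmaHQ project's code nor the rule author's) re-implements the rule's `selection` logic in Python and runs it over a handful of constructed Linux process_creation events. The suffix list is copied from the rule; the events, field names (`Image`, `CommandLine`, `User`) and the case-insensitive `endswith` behaviour (Sigma's default string comparison unless the `cased` modifier is used) are assumptions made for the example.

```python
# Added example: evaluates the UNC4841 SEASPY rule's selection against
# constructed process_creation events. Not the SigmaHQ project's code.

# Suffixes copied verbatim from the rule's `Image|endswith` list.
SEASPY_IMAGE_SUFFIXES = (
    "/BarracudaMailService",
    "/resize2fstab",
    "/resize_reisertab",
)


def sigma_endswith(value, suffixes):
    """Sigma `endswith` modifier.

    Sigma compares strings case-insensitively by default (the `cased`
    modifier switches to exact case), so both sides are lower-cased here.
    """
    if value is None:
        return False
    lowered = value.lower()
    return any(lowered.endswith(s.lower()) for s in suffixes)


def matches_rule(event):
    """True when an event satisfies `condition: selection` of the rule."""
    # logsource: only Linux process creation events are in scope.
    if event.get("product") != "linux" or event.get("category") != "process_creation":
        return False
    return sigma_endswith(event.get("Image"), SEASPY_IMAGE_SUFFIXES)


def find_matches(events):
    """Return the subset of events the rule would alert on."""
    return [e for e in events if matches_rule(e)]


# Constructed sample telemetry (hypothetical paths, not real appliance data).
SAMPLE_EVENTS = [
    # Full path ending in one of the rule's names: fires.
    {"product": "linux", "category": "process_creation",
     "Image": "/usr/sbin/resize2fstab", "CommandLine": "/usr/sbin/resize2fstab", "User": "root"},
    # Legitimate e2fsprogs tool with a near-miss name: must not fire.
    {"product": "linux", "category": "process_creation",
     "Image": "/sbin/resize2fs", "CommandLine": "/sbin/resize2fs /dev/sda1", "User": "root"},
    # Binary masquerading under the BarracudaMailService name: fires.
    {"product": "linux", "category": "process_creation",
     "Image": "/home/product/BarracudaMailService", "CommandLine": "BarracudaMailService", "User": "root"},
    # Basename only (no leading '/'): the rule's patterns start with '/', so this does not fire.
    {"product": "linux", "category": "process_creation",
     "Image": "resize2fstab", "CommandLine": "resize2fstab", "User": "root"},
    # Third name from the rule: fires.
    {"product": "linux", "category": "process_creation",
     "Image": "/opt/resize_reisertab", "CommandLine": "/opt/resize_reisertab", "User": "root"},
    # Different casing: fires under Sigma's default case-insensitive matching.
    {"product": "linux", "category": "process_creation",
     "Image": "/usr/lib/Resize_ReiserTab", "CommandLine": "/usr/lib/Resize_ReiserTab", "User": "root"},
]

if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"])
```

Two things the run makes visible: the rule relies on `Image` carrying the full executable path, so a log source that records only the basename will not fire on these names, and `endswith` does not catch trailing variations such as a renamed copy with a suffix appended.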
Related rules
- UNC4841 - Barracuda ESG Exploitation Indicators
- UNC4841 - Email Exfiltration File Pattern
- Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation
- Droppers Exploiting CVE-2017-11882
- Goofy Guineapig Backdoor IOC