Potentially Suspicious Malware Callback Communication - Linux

Detects programs that connect to known malware callback ports based on threat intelligence reports.

Sigma rule

title: Potentially Suspicious Malware Callback Communication - Linux
id: dbfc7c98-04ab-4ab7-aa94-c74d22aa7376
related:
    - id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382
      type: derived
status: experimental
description: |
        Detects programs that connect to known malware callback ports based on threat intelligence reports.
references:
    - https://www.mandiant.com/resources/blog/triton-actor-ttp-profile-custom-attack-tools-detections
    - https://www.mandiant.com/resources/blog/ukraine-and-sandworm-team
    - https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html
    - https://thehackernews.com/2024/01/systembc-malwares-c2-server-analysis.html
    - https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors
author: hasselj
date: 2024-05-10
tags:
    - attack.persistence
    - attack.command-and-control
    - attack.t1571
logsource:
    category: network_connection
    product: linux
detection:
    selection:
        Initiated: 'true'
        DestinationPort:
            - 888
            - 999
            - 2200
            - 2222
            - 4000
            - 4444
            - 6789
            - 8531
            - 50501
            - 51820
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128'         # IPv6 loopback
            - 'fe80::/10'       # IPv6 link-local addresses
            - 'fc00::/7'        # IPv6 private addresses
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
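To make the condition `selection and not 1 of filter_main_*` concrete, the following added Python evaluator (written for this page, not part of the Sigma rule or the SigmaHQ project) applies the rule's port list and CIDR filter to a handful of constructed network_connection events. The field names (Initiated, DestinationPort, DestinationIp) are the rule's own; the event dictionaries, the address values (RFC 5737/3849 documentation ranges) and the `Image` field are constructed sample data, not real telemetry.

```python
import ipaddress

# Ports from the rule's selection block.
CALLBACK_PORTS = {888, 999, 2200, 2222, 4000, 4444, 6789, 8531, 50501, 51820}

# Ranges from filter_main_local_ranges, exactly as listed in the rule.
LOCAL_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]


def is_local(ip_str):
    """True when the address falls inside any filter_main_local_ranges CIDR.

    An unparsable address is treated as non-local so that a malformed field
    can never silently suppress the alert.
    """
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    # `in` returns False on an IPv4/IPv6 version mismatch, so mixed lists are safe.
    return any(ip in net for net in LOCAL_RANGES)


def matches(event):
    """Evaluate: selection and not 1 of filter_main_*"""
    # Sigma compares Initiated as a string, case-insensitively.
    initiated = str(event.get("Initiated", "")).strip().lower() == "true"
    try:
        port = int(event.get("DestinationPort", -1))
    except (TypeError, ValueError):
        return False
    selection = initiated and port in CALLBACK_PORTS
    # "1 of filter_main_*" is true when any filter_main_* block matches;
    # this rule has a single such block, the local-range CIDR list.
    filter_hit = is_local(event.get("DestinationIp", ""))
    return selection and not filter_hit


def alerts(events):
    """Return only the events the rule would fire on."""
    return [e for e in events if matches(e)]


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    # Outbound to a public address on 4444: alert.
    {"Initiated": "true", "DestinationPort": 4444, "DestinationIp": "203.0.113.10", "Image": "/tmp/agent"},
    # Same port, but RFC 1918 destination: suppressed by the CIDR filter.
    {"Initiated": "true", "DestinationPort": 4444, "DestinationIp": "192.168.1.20", "Image": "/usr/bin/nc"},
    # Inbound connection (Initiated false): selection does not match.
    {"Initiated": "false", "DestinationPort": 2222, "DestinationIp": "198.51.100.5", "Image": "/usr/sbin/sshd"},
    # Port not in the list: selection does not match.
    {"Initiated": "true", "DestinationPort": 443, "DestinationIp": "198.51.100.5", "Image": "/usr/bin/curl"},
    # IPv6 unique-local address (inside fc00::/7): suppressed by the filter.
    {"Initiated": "true", "DestinationPort": 51820, "DestinationIp": "fd12:3456::1", "Image": "/usr/bin/wg"},
    # Public IPv6 documentation address on 2222: alert.
    {"Initiated": "true", "DestinationPort": 2222, "DestinationIp": "2001:db8::10", "Image": "/home/user/.cache/x"},
]


if __name__ == "__main__":
    for e in alerts(SAMPLE_EVENTS):
        print(f"ALERT image={e['Image']} dst={e['DestinationIp']}:{e['DestinationPort']}")
```

Two events survive the filter: the IPv4 and IPv6 connections to non-private destinations on listed ports. When tuning this rule, note that 51820 is WireGuard's default port and 2222/2200 are common alternative SSH ports, so a baseline of which binaries (`Image`) legitimately use them is needed before treating a hit as high-confidence.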
