OS Architecture Discovery Via Grep
Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of "uname" or "cat /proc/cpuinfo"
Sigma rule (View on GitHub)
1title: OS Architecture Discovery Via Grep
2id: d27ab432-2199-483f-a297-03633c05bae6
3status: test
4description: |
5 Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of "uname" or "cat /proc/cpuinfo"
6references:
7 - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
8 - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
9 - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
10 - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
11author: Joseliyo Sanchez, @Joseliyo_Jstnk
12date: 2023/06/02
13tags:
14 - attack.discovery
15 - attack.t1082
16logsource:
17 category: process_creation
18 product: linux
19detection:
20 selection_process:
21 Image|endswith: '/grep'
22 selection_architecture:
23 CommandLine|endswith:
24 - 'aarch64'
25 - 'arm'
26 - 'i386'
27 - 'i686'
28 - 'mips'
29 - 'x86_64'
30 condition: all of selection_*
31falsepositives:
32 - Unknown
33level: low
References
-
JPCERT/CC has confirmed attacks that infected routers in Japan with malware around February 2023. This blog article explains the details of the attack confirmed by JPCERT/CC and GobRAT malware, which was used in the attack. ### Attack flow up to...
Read More -
-
Related rules
- PUA - System Informer Execution
- Potential GobRAT File Discovery Via Grep
- Network Reconnaissance Activity
- Bitbucket User Details Export Attempt Detected
- System Disk And Volume Reconnaissance Via Wmic.EXE