Suspicious Nohup Execution
Detects execution of binaries located in potentially suspicious locations via "nohup"
Sigma rule
```yaml
title: Suspicious Nohup Execution
id: 457df417-8b9d-4912-85f3-9dbda39c3645
related:
  - id: e4ffe466-6ff8-48d4-94bd-e32d1a6061e2
    type: derived
status: test
description: Detects execution of binaries located in potentially suspicious locations via "nohup"
references:
  - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
  - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
  - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
  - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
  - attack.execution
logsource:
  product: linux
  category: process_creation
detection:
  selection:
    Image|endswith: '/nohup'
    CommandLine|contains: '/tmp/'
  condition: selection
falsepositives:
  - Unknown
level: high
```
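As an added example (not code from the Sigma project or the rule author), the following Python evaluates this rule's selection against constructed process_creation events. It shows the case-insensitive matching Sigma applies to string modifiers by default, and that the `/tmp/` substring also fires on paths such as `/var/tmp/`.

```python
"""Evaluate the 'Suspicious Nohup Execution' Sigma selection on sample events."""
from typing import Dict, List


def matches_selection(event: Dict[str, str]) -> bool:
    """Return True when the event satisfies the rule's selection block:

        Image|endswith: '/nohup'  AND  CommandLine|contains: '/tmp/'

    Sigma string matching is case-insensitive by default, so both sides are
    lower-cased. An event missing either field never matches, as a backend
    would treat an absent key.
    """
    image = event.get("Image")
    cmdline = event.get("CommandLine")
    if image is None or cmdline is None:
        return False
    return image.lower().endswith("/nohup") and "/tmp/" in cmdline.lower()


def run_detection(events: List[Dict[str, str]]) -> List[int]:
    """Return the indexes of the events that trigger the rule."""
    return [i for i, ev in enumerate(events) if matches_selection(ev)]


# Constructed sample events (not real telemetry); field names follow the
# Sigma linux/process_creation log source.
SAMPLE_EVENTS = [
    # 0: binary dropped under /tmp and backgrounded via nohup -> hit
    {"Image": "/usr/bin/nohup", "CommandLine": "nohup /tmp/.x/agent -c /tmp/.x/conf &"},
    # 1: nohup on a binary outside /tmp -> no hit
    {"Image": "/usr/bin/nohup", "CommandLine": "nohup /opt/app/bin/worker --daemon"},
    # 2: /tmp/ path but not launched through nohup -> no hit
    {"Image": "/bin/sh", "CommandLine": "sh -c /tmp/install.sh"},
    # 3: /var/tmp/ contains the substring '/tmp/' -> hit (expect this overlap)
    {"Image": "/usr/bin/nohup", "CommandLine": "nohup /var/tmp/updater"},
    # 4: upper-case path, still a hit because matching is case-insensitive
    {"Image": "/usr/bin/nohup", "CommandLine": "nohup /TMP/payload"},
    # 5: the leading slash in '/nohup' keeps look-alike names like xnohup out
    {"Image": "/usr/local/bin/xnohup", "CommandLine": "xnohup /tmp/a"},
    # 6: event without a CommandLine field -> no hit
    {"Image": "/usr/bin/nohup"},
]

if __name__ == "__main__":
    for idx in run_detection(SAMPLE_EVENTS):
        print(f"ALERT [{idx}]: {SAMPLE_EVENTS[idx]['CommandLine']}")
```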