Pnscan Binary Data Transmission Activity

Detects command line patterns associated with the use of Pnscan for sending and receiving binary data across the network. This behavior has been identified in a Linux malware campaign targeting Docker, Apache Hadoop, Redis, and Confluence and was previously used by the threat actor known as TeamTNT.

Sigma rule

title: Pnscan Binary Data Transmission Activity
id: 97de11cd-4b67-4abf-9a8b-1020e670aa9e
status: experimental
description: |
    Detects command line patterns associated with the use of Pnscan for sending and receiving binary data across the network.
    This behavior has been identified in a Linux malware campaign targeting Docker, Apache Hadoop, Redis, and Confluence and was previously used by the threat actor known as TeamTNT.
author: David Burkett (@signalblur)
date: 2024/04/16
references:
    - https://www.cadosecurity.com/blog/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence
    - https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf
    - https://regex101.com/r/RugQYK/1
    - https://www.virustotal.com/gui/file/beddf70a7bab805f0c0b69ac0989db6755949f9f68525c08cb874988353f78a9/content
tags:
    - attack.discovery
    - attack.t1046
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        CommandLine|re: -(W|R)\s?(\s|"|')([0-9a-fA-F]{2}\s?){2,20}(\s|"|')
    condition: selection
falsepositives:
    - Unknown
level: medium
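The rule's whole detection logic is the single `CommandLine|re` selector above, so the quickest way to understand what it will and will not fire on is to run that regex over sample process-creation events. The following is an added example, not part of the rule or of the SigmaHQ project: it applies the rule's regex as an unanchored search (which is how Sigma's `re` modifier behaves) to a handful of constructed command lines. Two of the samples are chosen to show the edges of the pattern: an ordinary word made entirely of hex digits after `-R` (such as `grep -R decade ...`) satisfies the expression, which is a false-positive class worth knowing about even though the rule lists none, and a hex argument at the very end of the command line does not match because the pattern requires a closing whitespace or quote character.

```python
import re

# Regex copied verbatim from the rule's CommandLine|re selector.
# Sigma's `re` modifier is an unanchored search, so re.search is the right call.
PNSCAN_HEX_RE = re.compile(r"""-(W|R)\s?(\s|"|')([0-9a-fA-F]{2}\s?){2,20}(\s|"|')""")


def matches_rule(command_line: str) -> bool:
    """Return True if the rule's selection would fire on this command line."""
    return PNSCAN_HEX_RE.search(command_line) is not None


def flagged_events(events):
    """Return the subset of process_creation events the rule would alert on.

    `events` is an iterable of dicts with at least a 'CommandLine' key, the
    field the rule's logsource/selection refers to.
    """
    return [e for e in events if matches_rule(e.get("CommandLine", ""))]


# Constructed sample events (not real telemetry). Addresses are RFC 5737
# documentation ranges; the hex payloads are arbitrary.
SAMPLE_EVENTS = [
    # Hex bytes given to -W (write) and -R (read) inside single quotes: fires.
    {"Image": "/usr/bin/pnscan",
     "CommandLine": "pnscan -W '0a 0d 0a' -R '48 54 54 50' 192.0.2.0/24 80"},
    # Same idea without spaces between byte pairs, double-quoted: still fires,
    # because the \s? after each pair is optional.
    {"Image": "/usr/bin/pnscan",
     "CommandLine": 'pnscan -W "0a0d0a" 198.51.100.0/24 80'},
    # Benign recursive listing: -R is followed by a path, not hex pairs.
    {"Image": "/bin/ls", "CommandLine": "ls -R /var/log"},
    # False-positive class: "decade" is six hex characters, and the word is
    # followed by whitespace, so -R + "decade" + space satisfies the pattern.
    {"Image": "/bin/grep", "CommandLine": "grep -R decade notes.txt"},
    # Hex argument at end of line: no trailing whitespace or quote, so the
    # final (\s|"|') group cannot match and the rule stays silent.
    {"Image": "/usr/bin/pnscan", "CommandLine": "pnscan -R deadbeef"},
]


def summarize(events=SAMPLE_EVENTS):
    """Map each command line to the rule's verdict, for a quick review table."""
    return {e["CommandLine"]: matches_rule(e["CommandLine"]) for e in events}


if __name__ == "__main__":
    for cmd, hit in summarize().items():
        print(f"{'ALERT ' if hit else 'quiet '} {cmd}")
```

When tuning this rule, the `summarize` table is the place to add command lines harvested from your own fleet's baseline; anything benign that lands in the `ALERT` column (hex-looking words after `-R`/`-W` are the obvious candidates) can then be excluded with a `filter` on `Image` or `ParentImage` rather than by weakening the regex.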
