Suspicious Git Clone - Linux
Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious
Sigma rule (View on GitHub)
1title: Suspicious Git Clone - Linux
2id: cfec9d29-64ec-4a0f-9ffe-0fdb856d5446
3status: test
4description: Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious
5references:
6 - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2023-01-03
9modified: 2023-01-05
10tags:
11 - attack.reconnaissance
12 - attack.t1593.003
13logsource:
14 category: process_creation
15 product: linux
16detection:
17 selection_img:
18 Image|endswith: '/git'
19 CommandLine|contains: ' clone '
20 selection_keyword:
21 CommandLine|contains:
22 # Add more suspicious keywords
23 - 'exploit'
24 - 'Vulns'
25 - 'vulnerability'
26 - 'RCE'
27 - 'RemoteCodeExecution'
28 - 'Invoke-'
29 - 'CVE-'
30 - 'poc-'
31 - 'ProofOfConcept'
32 # Add more vuln names
33 - 'proxyshell'
34 - 'log4shell'
35 - 'eternalblue'
36 - 'eternal-blue'
37 - 'MS17-'
38 condition: all of selection_*
39falsepositives:
40 - Unknown
41level: medium
References
-
python2 exchange.py mail.budget.gov.mm administrator@budget.gov.mm git clone https://github.com/Udyz/proxyshell-auto.git cd proxyshell-auto/ ls python3 proxyshell.py python3 proxyshell.py -t mail.b...
Read More
Related rules
- Suspicious Git Clone
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- Azure AD Account Credential Leaked
- Bitbucket User Details Export Attempt Detected