Suspicious Git Clone
Detects execution of "git" to clone a remote repository whose command line contains suspicious keywords (exploit, CVE, PoC and well-known vulnerability names).
Sigma rule
```yaml
title: Suspicious Git Clone
id: aef9d1f1-7396-4e92-a927-4567c7a495c1
status: test
description: Detects execution of "git" to clone a remote repository whose command line contains suspicious keywords
references:
    - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-03
modified: 2023-01-10
tags:
    - attack.reconnaissance
    - attack.t1593.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\git.exe'
              - '\git-remote-https.exe'
        - OriginalFileName: 'git.exe'
    selection_cli:
        CommandLine|contains:
            - ' clone '
            - 'git-remote-https '
    selection_keyword:
        CommandLine|contains:
            # Add more suspicious keywords
            - 'exploit'
            - 'Vulns'
            - 'vulnerability'
            - 'RemoteCodeExecution'
            - 'Invoke-'
            - 'CVE-'
            - 'poc-'
            - 'ProofOfConcept'
            # Add more vuln names
            - 'proxyshell'
            - 'log4shell'
            - 'eternalblue'
            - 'eternal-blue'
            - 'MS17-'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
```
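The following is an added example, not code from the Sigma project or the rule author. It re-implements the rule's three selections and its `all of selection_*` condition in Python and runs them over a handful of constructed Windows process_creation events, so you can see which events the rule would fire on and why. It assumes the standard Sigma string semantics: `contains` and `endswith` are case-insensitive, a list under one field is OR, sibling fields inside a selection are AND, and `all of selection_*` ANDs every selection whose name starts with `selection_`. All event values (paths, command lines, repository names) are constructed sample data.

```python
"""Evaluate the 'Suspicious Git Clone' Sigma rule against sample events.

Added example; not part of the Sigma rule set. Field values below are
constructed for illustration and do not come from any real system.
"""

# Values copied from the rule's three selections.
IMAGE_SUFFIXES = ("\\git.exe", "\\git-remote-https.exe")
ORIGINAL_FILE_NAME = "git.exe"
CLI_MARKERS = (" clone ", "git-remote-https ")
KEYWORDS = (
    "exploit", "Vulns", "vulnerability", "RemoteCodeExecution", "Invoke-",
    "CVE-", "poc-", "ProofOfConcept",
    "proxyshell", "log4shell", "eternalblue", "eternal-blue", "MS17-",
)


def _endswith_any(value, suffixes):
    """Sigma 'endswith' with a list: case-insensitive, OR across the list."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains_any(value, needles):
    """Sigma 'contains' with a list: case-insensitive, OR across the list."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def selection_img(event):
    # The selection is a YAML list of two maps, so the two entries are ORed.
    return (_endswith_any(event.get("Image", ""), IMAGE_SUFFIXES)
            or event.get("OriginalFileName", "").lower() == ORIGINAL_FILE_NAME)


def selection_cli(event):
    return _contains_any(event.get("CommandLine", ""), CLI_MARKERS)


def selection_keyword(event):
    return _contains_any(event.get("CommandLine", ""), KEYWORDS)


def matches(event):
    """condition: all of selection_*  ->  every selection must hold."""
    return selection_img(event) and selection_cli(event) and selection_keyword(event)


def matched_keywords(event):
    """Which keywords fired; useful for triage of a hit."""
    cmd = event.get("CommandLine", "").lower()
    return [k for k in KEYWORDS if k.lower() in cmd]


# Constructed sample events (hypothetical hosts, repos and paths).
SAMPLE_EVENTS = {
    # PoC repository cloned with git.exe: all three selections hold.
    "poc_clone": {
        "Image": r"C:\Program Files\Git\cmd\git.exe",
        "OriginalFileName": "git.exe",
        "CommandLine": "git clone https://git.example.invalid/lab/cve-0000-00000-poc-exploit",
    },
    # Ordinary clone of a documentation repo: no keyword, no hit.
    "benign_clone": {
        "Image": r"C:\Program Files\Git\cmd\git.exe",
        "OriginalFileName": "git.exe",
        "CommandLine": "git clone https://git.example.invalid/docs/handbook",
    },
    # The https helper spawned by git; matched via the second Image suffix
    # and the 'git-remote-https ' command-line marker.
    "remote_helper": {
        "Image": r"C:\Program Files\Git\mingw64\libexec\git-core\git-remote-https.exe",
        "OriginalFileName": "git-remote-https.exe",
        "CommandLine": "git-remote-https origin https://git.example.invalid/lab/log4shell-scanner",
    },
    # Same words, but not a git process: selection_img fails, so no hit.
    "not_git": {
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell -c \"echo clone exploit\"",
    },
    # Defensive tooling repo: 'vulnerability' is a substring match, so this
    # fires too. This is the false-positive class the rule leaves 'Unknown'.
    "vuln_mgmt_tool": {
        "Image": r"C:\Program Files\Git\cmd\git.exe",
        "OriginalFileName": "git.exe",
        "CommandLine": "git clone https://git.example.invalid/secops/vulnerability-management-dashboard",
    },
}


def evaluate_all(events=SAMPLE_EVENTS):
    """Return {name: (matched, keywords_hit)} for every sample event."""
    return {name: (matches(ev), matched_keywords(ev)) for name, ev in events.items()}


if __name__ == "__main__":
    for name, (hit, kws) in evaluate_all().items():
        print(f"{name:16} match={hit!s:5} keywords={kws}")
```

Running it shows the AND across selections doing its job (a PowerShell command containing the same words does not fire because the image is not git) and also the rule's main noise source: the keyword list is plain substring matching, so a clone of an internal "vulnerability-management" repository lights up exactly like a PoC repository. In a real deployment, whitelisting your organisation's own git hosts in `selection_cli`, or pairing the hit with the cloned URL's host, is the usual way to keep the rule's medium level honest.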
Related rules
- Suspicious Git Clone - Linux
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- Azure AD Account Credential Leaked
- Bitbucket User Details Export Attempt Detected