Suspicious Git Clone

calendar Dec 1, 2023 · attack.reconnaissance attack.t1593.003  ·
Share on: linkedin copy

Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious

Sigma rule (View on GitHub)

 1title: Suspicious Git Clone
 2id: aef9d1f1-7396-4e92-a927-4567c7a495c1
 3status: test
 4description: Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious
 5references:
 6    - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2023/01/03
 9modified: 2023/01/10
10tags:
11    - attack.reconnaissance
12    - attack.t1593.003
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection_img:
18        - Image|endswith:
19              - '\git.exe'
20              - '\git-remote-https.exe'
21        - OriginalFileName: 'git.exe'
22    selection_cli:
23        CommandLine|contains:
24            - ' clone '
25            - 'git-remote-https '
26    selection_keyword:
27        CommandLine|contains:
28            # Add more suspicious keywords
29            - 'exploit'
30            - 'Vulns'
31            - 'vulnerability'
32            - 'RemoteCodeExecution'
33            - 'Invoke-'
34            - 'CVE-'
35            - 'poc-'
36            - 'ProofOfConcept'
37            # Add more vuln names
38            - 'proxyshell'
39            - 'log4shell'
40            - 'eternalblue'
41            - 'eternal-blue'
42            - 'MS17-'
43    condition: all of selection_*
44falsepositives:
45    - Unknown
46level: medium

References

  • python2 exchange.py mail.budget.gov.mm administrator@budget.gov.mm git clone https://github.com/Udyz/proxyshell-auto.git cd proxyshell-auto/ ls python3 proxyshell.py python3 proxyshell.py -t mail.b...


    Read More

Related rules

to-top