
Proc creation lnx exfiltration data via sftp protocol (winscp tool) #5096

Open
wants to merge 11 commits into base: master

Conversation

CheraghiMilad (Contributor)

Summary of the Pull Request

The attacker may use the WinSCP tool to exfiltrate data from the victim's system. This rule helps to identify data being exfiltrated through the SFTP protocol. (When using the WinSCP tool, the SFTP protocol is used in the background to transfer data.)

Changelog

Log:
Nov 26 08:08:18 caldera-virtual-machine sysmon: 23542300x8000000000000000252928Linux-Sysmon/Operationalcaldera-virtual-machine-2024-11-24 19:52:14.888{36fe7a82-83c8-6743-d526-2fa8d7550000}6468caldera/usr/lib/openssh/sftp-server/home/caldera/rufus-4.6.exe.filepart---

host = caldera-virtual-machine
source = Syslog:Linux-Sysmon/Operational
sourcetype = sysmon_linux

Nov 26 08:08:16 caldera-virtual-machine sysmon: 23542300x8000000000000000252925Linux-Sysmon/Operationalcaldera-virtual-machine-2024-11-24 19:52:12.500{36fe7a82-83c8-6743-d526-2fa8d7550000}6468caldera/usr/lib/openssh/sftp-server/home/caldera/IMG_20241120_131011.jpg.filepart---

host = caldera-virtual-machine
source = Syslog:Linux-Sysmon/Operational
sourcetype = sysmon_linux

Pic: [screenshot: Screenshot 2024-11-26 114141]

Example Log Event

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

github-actions bot added the labels "Rules" and "Linux" (pull request adds/updates Linux-related rules) on Nov 29, 2024
frack113 (Member)

Hi,
Thanks.
The Eventid 23 is for FileDelete.
I find "WinSCP has a setting enabled by default that transfers files larger than 100kb to a temporary file name (with the .filepart extension) and then renames the file."
So the events are not exfiltration.

frack113 added the label "Author Input Required" (changes that require information from the original author of the rules) on Nov 30, 2024
CheraghiMilad (Contributor, Author) commented Nov 30, 2024

> Hi, Thanks. The Eventid 23 is for FileDelete. I find "WinSCP has a setting enabled by default that transfers files larger than 100kb to a temporary file name (with the .filepart extension) and then renames the file." So the events are not exfiltration.

Hi, Thanks for the reply.
These files were exfiltrated during adversary emulation. If the .filepart keyword is commonly used in WinSCP, we can opt for a more relevant keyword that corresponds to files on the endpoint and remove the DeleteId from the rule.

frack113 added the label "Work In Progress" (some changes are needed) and removed the label "Author Input Required" (changes that require information from the original author of the rules) on Dec 1, 2024
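To make the reviewer's point concrete, here is an added example (written for this page; it is not the PR's rule and not SigmaHQ project code) that evaluates the condition discussed in the thread over a few constructed Sysmon-for-Linux events. It assumes a simplified `key=value|key=value` message layout rather than Sysmon's real XML payload, uses Sysmon's FileCreate (EventID 11) and FileDelete (EventID 23) IDs, and its "tuned" condition is one reading of the author's proposal to remove the delete event; the `notes.txt` and `bash` events are made up, and the first two lines mirror the PR's example events.

```python
from dataclasses import dataclass

# Sysmon for Linux event IDs referenced in the discussion.
EVENT_FILE_CREATE = 11   # FileCreate
EVENT_FILE_DELETE = 23   # FileDelete, the ID the reviewer flags
# Values taken from the PR's example events.
SFTP_SERVER_IMAGE = "/usr/lib/openssh/sftp-server"
# WinSCP's default temporary name for transfers over 100 KB; renamed when done.
WINSCP_PARTIAL_SUFFIX = ".filepart"

# Constructed sample (assumption): the first two mirror the PR's events, the
# last two are invented to show what a tuned condition keeps and ignores.
# Layout is a simplified key=value|key=value message, not Sysmon's XML.
SAMPLE_LINES = [
    "Nov 26 08:08:18 caldera-virtual-machine sysmon: EventID=23|Image=/usr/lib/openssh/sftp-server|TargetFilename=/home/caldera/rufus-4.6.exe.filepart",
    "Nov 26 08:08:16 caldera-virtual-machine sysmon: EventID=23|Image=/usr/lib/openssh/sftp-server|TargetFilename=/home/caldera/IMG_20241120_131011.jpg.filepart",
    "Nov 26 08:08:05 caldera-virtual-machine sysmon: EventID=11|Image=/usr/lib/openssh/sftp-server|TargetFilename=/home/caldera/notes.txt",
    "Nov 26 08:09:00 caldera-virtual-machine sysmon: EventID=11|Image=/usr/bin/bash|TargetFilename=/tmp/build.log",
]


@dataclass(frozen=True)
class SysmonEvent:
    event_id: int
    image: str
    target_filename: str


def parse_event(line: str) -> SysmonEvent:
    """Split the syslog prefix from the payload and read the fields the rule needs."""
    _, _, payload = line.partition("sysmon: ")
    fields = dict(part.split("=", 1) for part in payload.split("|"))
    return SysmonEvent(int(fields["EventID"]), fields["Image"], fields["TargetFilename"])


def is_winscp_partial_cleanup(ev: SysmonEvent) -> bool:
    """FileDelete of a *.filepart by sftp-server: the housekeeping WinSCP's
    temporary-name transfer leaves behind, which the reviewer says is not
    exfiltration on its own."""
    return (ev.event_id == EVENT_FILE_DELETE
            and ev.image == SFTP_SERVER_IMAGE
            and ev.target_filename.endswith(WINSCP_PARTIAL_SUFFIX))


def draft_condition(ev: SysmonEvent) -> bool:
    """The condition the PR's two example events satisfy."""
    return is_winscp_partial_cleanup(ev)


def tuned_condition(ev: SysmonEvent) -> bool:
    """Assumption: drop the delete event as the author proposes and keep the
    remaining sftp-server file activity on the endpoint."""
    return ev.image == SFTP_SERVER_IMAGE and ev.event_id != EVENT_FILE_DELETE


def evaluate(lines):
    """Return the TargetFilenames each condition matches, in input order."""
    events = [parse_event(line) for line in lines]
    return {
        "draft": [e.target_filename for e in events if draft_condition(e)],
        "winscp_cleanup": [e.target_filename for e in events if is_winscp_partial_cleanup(e)],
        "tuned": [e.target_filename for e in events if tuned_condition(e)],
    }


if __name__ == "__main__":
    for name, hits in evaluate(SAMPLE_LINES).items():
        print(f"{name}: {hits}")
```

Run as a script, the draft condition matches exactly the two `.filepart` deletions from the PR, and every one of those hits is also classified as WinSCP partial-file cleanup; the tuned condition matches none of the PR's events and only the constructed `notes.txt` write, which is why the rule needs different evidence than the delete event before it can be merged.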