Arquivo_Complementar.txt
Arquivo_Complementar.txt
Atualizado em
20/07/2022 15h26
arquivo_complementar.txt — 11 KB
Conteúdo do arquivo
------------------------------------ INFORMAÇÕES TÉCNICAS COMPLEMENTARES: ------------------------------------ 1. Monitorar as consultas DNS inclusive as consultas do tipo TXT: 1.1. A seguinte expressão regular pode ajudar a encontrar consultas suspeitas e pode ser usada em logs com o comando grep ou em ferramentas de indexação que aceitem expressões regulares (ex: Kibana8): /([^.]+\.)+[0-9af]{8,63}\.[0-9a-f]{8,63}\.([^\s])+/. 1.2. Exemplo de uso com o comando grep: grep -E '([^.]+\.)+[0-9a-f]{8,63}\.[0-9a-f]{8,63}\.([^\s])+' <arquivo> 1.3. A expressão foi criada com o objetivo de ter um índice baixo de falsos positivos, porém algumas consultas podem ficar de fora. 2. Monitorar nos ativos de rede tráfego em portas altas como: 45345, 34535, 64543, 24645, 47623, 62537, 43253, 43753, 63424, 26424, 55667, 42859, 59637, 7938 e 54356. 2.1. As portas podem mudar entre versões do artefato. 3. Indicadores de Comprometimento (IoC's): 3.1. HASHES (SHA256): a0cd554c35dee3fed3d1607dc18debd1296faaee29b5bd77ff83ab6956a6f9d6 ec67bbdf55d3679fca72d3c814186ff4646dd779a862999c82c6faa8e6615180 45eacba032367db7f3b031e5d9df10b30d01664f24da6847322f6af1fd8e7f01 f55af21f69a183fb8550ac60f392b05df14aa01d7ffe9f28bc48a118dc110b4c 81cc9e04d1db05bcfc0538e5b6bb2d65e78e2fd0f0dd66b672e5d18e6c63d44c 121157e0fcb728eb8a23b55457e89d45d76aa3b7d01d3d49105890a00662c924 3.2. ARQUIVOS: /etc/usb.h /etc/usb.so /etc/certbot.h /etc/cert.h /etc/kernelaudit /etc/kerneldev /etc/kerneldbus /etc/mpt64.h /etc/etc.so /etc/dev.h /etc/etc.h /usr/include/linux/javautils /usr/include/linux/java64x /usr/include/certbot.h /lib/certbot.h /lib/cert.h /lib/search.so /lib/mt64.so /lib/kernelaudit.so /lib/kerneldev.so /lib/kerneldbus.so /lib/etc.so /lib/etc.h /lib64/mt64.so /lib64/subsys.so /lib64/liblinux.so /lib64/kerneldev /lib64/kerneldev.so /lib64/kerneldbus.so /lib64/etc.so /lib64/etc.h /lib64/devutils.so /lib64/kernelaudit.so 3.3. DOMÍNIOS: cintepol.link cintepol.net cintepol.org dpf.pm prodesp.link suport.link assets.fans bancodobrasil.dev caixa.cx prodesp.org localdns.link unibb.link caixa.link caixa.wf brisanet.in 4. Regra YARA que pode ser usada para detectar artefatos e os hashes dos arquivos maliciosos conhecidos. Recomendamos executar a regra YARA na área do Sistema Operacional: import "elf" rule liblinux_rule { meta: description = "Liblinux" date = "2022-06-10" strings: $s1 = "keylogger" fullword ascii $s2 = "pampassword" fullword ascii $s3 = "download_script" fullword ascii $s4 = "execute_dns_code" fullword ascii $s5 = "xgetline" fullword ascii $s6 = "getaddrlist" fullword ascii $s7 = "getfilename" fullword ascii $s8 = "execlp@@GLIBC_2.2.5" fullword ascii $s9 = "orig_execve" fullword ascii $s10 = "cmdline.6841" fullword ascii $s11 = "decoded_table.10589" fullword ascii $s12 = "savepasswd" fullword ascii $s13 = "dns_txt_download" fullword ascii $s14 = "pipe@@GLIBC_2.2.5" fullword ascii $s15 = "prepare_pipe" fullword ascii $s16 = "fake_trace_objects" fullword ascii $s17 = "ChangetoDnsNameFormat" fullword ascii $s18 = "getline@@GLIBC_2.2.5" fullword ascii $s19 = "getnameinfo@@GLIBC_2.2.5" fullword ascii $s20 = "getpid@@GLIBC_2.2.5" fullword ascii condition: elf.number_of_sections >= 10 and uint16(0) == 0x457f and filesize < 200KB and 15 of them } rule mt64_ { meta: description = "mt64" date = "2022-06-10" strings: $s1 = "keylogger" fullword ascii $s2 = "pampassword" fullword ascii $s3 = "xgetline" fullword ascii $s4 = "getfilename" fullword ascii $s5 = "orig_execve" fullword ascii $s6 = "cmdline.5912" fullword ascii $s7 = "savepasswd" fullword ascii $s8 = "pipe@@GLIBC_2.2.5" fullword ascii $s9 = "getenv@@GLIBC_2.2.5" fullword ascii $s10 = "log_cmd_line" fullword ascii $s11 = "getline@@GLIBC_2.2.5" fullword ascii $s12 = "fake_trace_objects" fullword ascii $s13 = "readdir64" fullword ascii $s14 = "erasefree" fullword ascii $s15 = "strstrmem" fullword ascii $s16 = ".eh_frame_hdr" fullword ascii $s17 = "orig_read" fullword ascii $s18 = "completed.6341" fullword ascii $s19 = "readlink@@GLIBC_2.2.5" fullword ascii $s20 = "orig_readdir.6135" fullword ascii condition: elf.number_of_sections >= 10 and uint16(0) == 0x457f and filesize < 100KB and 17 of them } rule search_rule { meta: description = "search" date = "2022-06-10" strings: $s1 = "keylogger" fullword ascii $s2 = "download_script" fullword ascii $s3 = "pampassword" fullword ascii $s4 = "execute_dns_code" fullword ascii $s5 = "getaddrlist" fullword ascii $s6 = "getfilename" fullword ascii $s7 = "xgetline" fullword ascii $s8 = "execlp@@GLIBC_2.2.5" fullword ascii $s9 = "cmdline.6812" fullword ascii $s10 = "orig_execve" fullword ascii $s11 = "savepasswd" fullword ascii $s12 = "decoded_table.10560" fullword ascii $s13 = "prepare_pipe" fullword ascii $s14 = "pipe@@GLIBC_2.2.5" fullword ascii $s15 = "dns_txt_download" fullword ascii $s16 = "get_machine_id" fullword ascii $s17 = "getpid@@GLIBC_2.2.5" fullword ascii $s18 = "getifaddrs@@GLIBC_2.3" fullword ascii $s19 = "getenv@@GLIBC_2.2.5" fullword ascii $s20 = "getline@@GLIBC_2.2.5" fullword ascii condition: elf.number_of_sections >= 10 and uint16(0) == 0x457f and filesize < 200KB and 15 of them } rule certbotx64 { meta: description = "certbotx64" date = "2022-06-10" strings: $s1 = " --exec -e <process> Execute the given process and link it to the stream." fullword ascii $s2 = "COMMAND_EXEC [response] :: request_id: 0x%04x :: session_id: 0x%04x" fullword ascii $s3 = "exec driver shut down; killing process %d" fullword ascii $s4 = "COMMAND_EXEC [request] :: request_id: 0x%04x :: name: %s :: command: %s" fullword ascii $s5 = "exec: couldn't create process (%d)" fullword ascii $s6 = "Starting: /bin/sh -c '%s'" fullword ascii $s7 = "exec: couldn't create pipe (%d)" fullword ascii $s8 = "COMMAND_SHELL [response] :: request_id: 0x%04x :: session_id: 0x%04x" fullword ascii $s9 = "[Tunnel %d] connection to %s:%d closed by the client: %s" fullword ascii $s10 = "[Tunnel %d] connection to %s:%d closed by the server!" fullword ascii $s11 = "By default, a --dns driver on port 53 is enabled if a hostname is" fullword ascii $s12 = "Error: dropped user account has root privileges; please specify a better" fullword ascii $s13 = "It looks like you used --dns and also passed a domain on the commandline." fullword ascii $s14 = "Creating a exec('%s') session!" fullword ascii $s15 = " --command Start an interactive 'command' session (default)." fullword ascii $s16 = "Received FIN: (reason: '%s') - closing session" fullword ascii $s17 = "** Peer verified with pre-shared secret!" fullword ascii $s18 = "COMMAND_DOWNLOAD [request] :: request_id: 0x%04x :: filename: %s" fullword ascii $s19 = "COMMAND_DOWNLOAD [response] :: request_id: 0x%04x :: data: 0x%x bytes" fullword ascii $s20 = "exec: execlp failed (%d)" fullword ascii condition: elf.number_of_sections >= 10 and uint16(0) == 0x457f and filesize < 400KB and 8 of them } rule kerneldev { meta: description = "kerneldev" date = "2022-06-10" strings: $s01 = "keylogger" fullword ascii $s02 = "px32.nss.atendimento-estilo.com" fullword ascii $s03 = "pampassword" fullword ascii $s04 = "kernelconfig" fullword ascii $s05 = "getserver" fullword ascii $s06 = "kerneldev" fullword ascii $s07 = "getaddrlist" fullword ascii $s08 = "/proc/self/cmdline" fullword ascii $s09 = "suporte42atendimento53log" fullword ascii $s10 = "threadmulti" fullword ascii $s12 = "ChangetoDnsNameFormat" fullword ascii $s13 = "kerneldev.so" fullword ascii $s14 = "log_cmd_line" fullword ascii $s15 = "sendlinedns" fullword ascii $s16 = "erasefree" fullword ascii condition: elf.number_of_sections >= 10 and uint16(0) == 0x457f and filesize < 60KB and 8 of them } rule source { meta: description = "Source" date = "2022-06-10" strings: $s01 = "ChangetoDnsNameFormat" fullword ascii $s02 = "HIDDEN_IPS" fullword ascii $s03 = "HIDDEN_PORTS" fullword ascii $s04 = "PROCS_TO_HIDE" fullword ascii $s05 = "download_script" fullword ascii $s06 = "check_backdoor" fullword ascii $s07 = "check_proc" fullword ascii $s08 = "check_rw_hook" fullword ascii $s09 = "consttime_equal" fullword ascii $s10 = "dns_broadcast_request" fullword ascii $s11 = "dns_txt_download" fullword ascii $s12 = "ed25519_verify" fullword ascii $s13 = "endswith" fullword ascii $s14 = "erasefree" fullword ascii $s15 = "execute_dns_code" fullword ascii $s16 = "fake_trace_objects" fullword ascii $s17 = "gen_proc_net_ip" fullword ascii $s18 = "gen_proc_net_port" fullword ascii $s19 = "hidden_file" fullword ascii $s20 = "hidden_proc" fullword ascii $s21 = "hide_proc_net_connection" fullword ascii $s22 = "keylogger" fullword ascii $s23 = "log_cmd_line" fullword ascii $s24 = "savepasswd" fullword ascii $s25 = "sendlinedns" fullword ascii $s26 = "strchr_reverse" fullword ascii condition: elf.number_of_sections >= 10 and uint16(0) == 0x457f and filesize < 400KB and 8 of them } rule dnscat { meta: description = "Source" date = "2022-06-10" strings: $dnscat = "dnscat" ascii $s01 = "additional: %s => %s AAAA 0x%04x %08x" ascii $s02 = "additional: %s => %s CNAME 0x%04x %08x" ascii $s03 = "answer: %s => %s AAAA 0x%04x %08x" ascii $s04 = "answer: %s => %s CNAME 0x%04x %08x" ascii $s05 = "are directly connecting to the dnscat2 server." ascii $s06 = "COMMAND_DELAY [request]" ascii $s07 = "COMMAND_DELAY [response]" ascii $s08 = "COMMAND_DOWNLOAD [response]" ascii $s09 = "COMMAND_ERROR [request]" ascii $s10 = "COMMAND_EXEC [request]" ascii $s11 = "COMMAND_PING [request]" ascii $s12 = "COMMAND_SHELL [request]" ascii $s13 = "COMMAND_SHUTDOWN [request]" ascii $s14 = "COMMAND_UPLOAD [request]" ascii $s15 = "Creating DNS driver:" ascii $s16 = "Creating UDP (DNS) socket on %s" ascii $s17 = "dnscat" ascii $s18 = "dnscat.c" ascii $s19 = "dnscat2" ascii $s20 = "DNSCAT_DOMAIN" ascii $s21 = "DNSCAT_SECRET" ascii $s22 = "dns_to_packet" ascii $s23 = "Failed to calculate a shared secret" ascii $s24 = "Failed to drop privileges to %s!" ascii $s25 = "Failed to generate a keypair!" ascii $s26 = "Received a CNAME response: %s" ascii $s27 = "Received an AAAA response (%zu bytes)" ascii $s28 = "Received an illegal packet:" ascii $s29 = "Sending DNS query for: %s to %s:%d" ascii $s30 = "Starting DNS driver without a domain! This will only work if you" ascii $s31 = "That's not allowed! Either use '--dns domain=xxx' or don't use a --dns" ascii $s32 = "The dnscat2 client couldn't connect to the remote host!" ascii $s33 = "The only reason this can happen is if something is messing with" ascii $s34 = "The response didn't contain the domain name: %s" ascii $s35 = "The response was just the domain name: %s" ascii $s36 = "The server didn't respond to our re-negotiation request! Waiting..." ascii $s37 = "The server hasn't returned a valid response in the last %d attempts.. closing session." ascii $s38 = "The server tried to close a tunnel that we don't know about: %d" ascii $s39 = "TUNNEL_CLOSE [request]" ascii $s40 = "TUNNEL_CLOSE [response]" ascii $s41 = "Type = ENC :: [0x%04x] session" ascii $s42 = "Type = FIN :: [0x%04x] session" ascii $s43 = "Unknown DNS type returned: %d" ascii $s44 = "Wow, this session is old! Time to re-negotiate encryption keys!" ascii $s45 = "You can also fix this by creating a proper /etc/resolv.conf" ascii $s46 = "You didn't pass any valid DNS types to use! Allowed types are TXT, CNAME, MX, A, AAAA" ascii condition: elf.number_of_sections >= 10 and uint16(0) == 0x457f and filesize < 400KB and $dnscat and 5 of ($*) }