Merge pull request #5004 from BlackB0lt/patch-4

New Campaign - BPFDoor
aprakash13 2022-06-13 17:58:03 -07:00 committed by GitHub
Parent 10f8aa1c1b 6a6285f3e0
Commit 7fcd6623ad
No key found matching this signature
GPG key ID: 4AEE18F83AFDEB23
1 changed file: 21 additions and 0 deletions


@ -0,0 +1,21 @@
id: bfb8eaed-941c-4866-a2cc-d5d4465bfc2a
name: RedMenshen-BPFDoor-backdoor
description: |
This query was originally published by PWC Security Research Team.
BPFDoor is custom backdoor malware used by Red Menshen. The BPFDoor allows an adversary to backdoor a system and remotely execute codes without opening any new network ports or firewall rules.
References:
https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896
https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceProcessEvents
tactics:
- Execution
relevantTechniques:
- T1095
- T1059.004
- T1070
query: |
DeviceProcessEvents
| where InitiatingProcessCommandLine has ("/dev/shm/kdmtmpflush") or FileName has ("haldrund.pid", "kdevrund.pid")
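Review bot: the final `where` line of the query is not valid KQL as written: `has` takes a single string, so `FileName has ("haldrund.pid", "kdevrund.pid")` needs `has_any` instead. Suggested line: `| where InitiatingProcessCommandLine has "/dev/shm/kdmtmpflush" or FileName has_any ("haldrund.pid", "kdevrund.pid")`. Two further points on the same hunk: `FileName` in `DeviceProcessEvents` is the image name of the started process, while `haldrund.pid` and `kdevrund.pid` are `.pid`-style file names rather than executables, so that clause is unlikely to match on process events alone; if the intent is to catch those files being written, add `DeviceFileEvents` to `dataTypes` and query it as well. Also, `tactics` lists only `Execution`, but T1095 (Non-Application Layer Protocol) belongs to Command and Control and T1070 (Indicator Removal) to Defense Evasion, so the `tactics` list should be extended to match `relevantTechniques`.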