From c9e7755ad05efc3ec9046c2ce075d007493603ad Mon Sep 17 00:00:00 2001
From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com>
Date: Thu, 19 May 2022 16:28:51 +0700
Subject: [PATCH] New Campaign - BPFDoor

---
 .../redmenshen-bpfdoor-backdoor.yaml | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 Hunting Queries/Microsoft 365 Defender/Campaigns/redmenshen-bpfdoor-backdoor.yaml

diff --git a/Hunting Queries/Microsoft 365 Defender/Campaigns/redmenshen-bpfdoor-backdoor.yaml b/Hunting Queries/Microsoft 365 Defender/Campaigns/redmenshen-bpfdoor-backdoor.yaml
new file mode 100644
index 0000000000..7f1f260713
--- /dev/null
+++ b/Hunting Queries/Microsoft 365 Defender/Campaigns/redmenshen-bpfdoor-backdoor.yaml
@@ -0,0 +1,21 @@
+id: bfb8eaed-941c-4866-a2cc-d5d4465bfc2a
+name: RedMenshen-BPFDoor-backdoor
+description: |
+ This query was originally published by PWC Security Research Team.
+ BPFDoor is custom backdoor malware used by Red Menshen. The BPFDoor allows an adversary to backdoor a system and remotely execute codes without opening any new network ports or firewall rules.
+References:
+ https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896
+ https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+ dataTypes:
+ - DeviceProcessEvents
+tactics:
+ - Execution
+relevantTechniques:
+ - T1095
+ - TT1059.004
+ - T1070
+query: |
+ DeviceProcessEvents
+ | where InitiatingProcessCommandLine has ("/dev/shm/kdmtmpflush") or FileName has ("haldrund.pid", "kdevrund.pid")
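Review bot: The `FileName has ("haldrund.pid", "kdevrund.pid")` clause in the `query` block does not parse in KQL — `has` takes a single string term and a parenthesised list of terms needs `has_any`, so the hunting query fails at run time instead of matching. The same hunk lists the technique as `TT1059.004`, which is not a valid ATT&CK identifier and should read `T1059.004`. Proposed lines: `  - T1059.004` and `| where InitiatingProcessCommandLine has "/dev/shm/kdmtmpflush" or FileName has_any ("haldrund.pid", "kdevrund.pid")`. Separately, the two `.pid` names are reported in the referenced write-ups as files the implant drops rather than process image names, so they are unlikely to ever appear in `DeviceProcessEvents.FileName` — a second clause over `DeviceFileEvents` would make that indicator useful — and since T1095 and T1070 are catalogued under Command and Control and Defense Evasion, `tactics` should list those alongside Execution.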