{ "cells": [ { "cell_type": "markdown", "metadata": {}, "source": [ "# Equation Group Indicators\n", "Detects suspicious shell commands used in various Equation Group scripts and tools" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Rule Content\n", "```\n", "- title: Equation Group Indicators\n", " id: 41e5c73d-9983-4b69-bd03-e13b67e9623c\n", " description: Detects suspicious shell commands used in various Equation Group scripts\n", " and tools\n", " references:\n", " - https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1\n", " tags:\n", " - attack.execution\n", " - attack.g0020\n", " - attack.t1059\n", " author: Florian Roth\n", " logsource:\n", " product: linux\n", " service: null\n", " category: null\n", " detection:\n", " keywords:\n", " - 'chown root*chmod 4777 '\n", " - cp /bin/sh .;chown\n", " - chmod 4777 /tmp/.scsi/dev/bin/gsh\n", " - chown root:root /tmp/.scsi/dev/bin/\n", " - chown root:root x;\n", " - /bin/telnet locip locport < /dev/console | /bin/sh\n", " - /tmp/ratload\n", " - 'ewok -t '\n", " - 'xspy -display '\n", " - cat > /dev/tcp/127.0.0.1/80 < /dev/null'\n", " - ping -c 2 *; grep * /proc/net/arp >/tmp/gx\n", " - iptables * OUTPUT -p tcp -d 127.0.0.1 --tcp-flags RST RST -j DROP;\n", " - '> /var/log/audit/audit.log; rm -f .'\n", " - cp /var/log/audit/audit.log .tmp\n", " - sh >/dev/tcp/* <&1 2>&1\n", " - ncat -vv -l -p * <\n", " - nc -vv -l -p * <\n", " - < /dev/console | uudecode && uncompress\n", " - sendmail -osendmail;chmod +x sendmail\n", " - /usr/bin/wget -O /tmp/a http* && chmod 755 /tmp/cron\n", " - chmod 666 /var/run/utmp~\n", " - chmod 700 nscd crond\n", " - cp /etc/shadow /tmp/.\n", " - /dev/null 2>&1 && uncompress\n", " - chmod 700 jp&&netstat -an|grep\n", " - uudecode > /dev/null 2>&1 && uncompress -f * && chmod 755\n", " - chmod 700 crond\n", " - wget http*; chmod +x /tmp/sendmail\n", " - chmod 700 fp sendmail pt\n", " - chmod 755 /usr/vmsys/bin/pipe\n", " - chmod -R 755 /usr/vmsys\n", " - chmod 755 $opbin/*tunnel\n", " - chmod 700 sendmail\n", " - chmod 0700 sendmail\n", " - /usr/bin/wget http*sendmail;chmod +x sendmail;\n", " - '&& telnet * 2>&1