Proc creation lnx exfiltration data via sftp protocol (winscp tool)

[CheraghiMilad]

Summary of the Pull Request

The attacker may use the WinScp tool to exfiltrate data from the victim's system. This rule helps to identify data being exfiltrated through the SFTP protocol. (When using the WinScp tool, the SFTP protocol is used in the background to transfer data.)

Changelog

/sftp-server log

<Events>
  <Event>
    <System>
      <Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/>
      <EventID>23</EventID>
      <Version>5</Version>
      <Level>4</Level>
      <Task>23</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8000000000000000</Keywords>
      <TimeCreated SystemTime="2024-11-26T07:08:18.955128000Z"/>
      <EventRecordID>252928</EventRecordID>
      <Correlation/>
      <Execution ProcessID="1258" ThreadID="1258"/>
      <Channel>Linux-Sysmon/Operational</Channel>
      <Computer>caldera-virtual-machine</Computer>
      <Security UserId="0"/>
    </System>
    <EventData>
      <Data Name="RuleName">-</Data>
      <Data Name="UtcTime">2024-11-24 19:52:14.888</Data>
      <Data Name="ProcessGuid">{36fe7a82-83c8-6743-d526-2fa8d7550000}</Data>
      <Data Name="ProcessId">6468</Data>
      <Data Name="User">caldera</Data>
      <Data Name="Image">/usr/lib/openssh/sftp-server</Data>
      <Data Name="TargetFilename">/home/caldera/rufus-4.6.exe.filepart</Data>
      <Data Name="Hashes">-</Data>
      <Data Name="IsExecutable">-</Data>
      <Data Name="Archived">-</Data>
    </EventData>
  </Event>

sftp-server log

  <Event>
    <System>
      <Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/>
      <EventID>23</EventID>
      <Version>5</Version>
      <Level>4</Level>
      <Task>23</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8000000000000000</Keywords>
      <TimeCreated SystemTime="2024-11-26T07:08:16.565426000Z"/>
      <EventRecordID>252925</EventRecordID>
      <Correlation/>
      <Execution ProcessID="1258" ThreadID="1258"/>
      <Channel>Linux-Sysmon/Operational</Channel>
      <Computer>caldera-virtual-machine</Computer>
      <Security UserId="0"/>
    </System>
    <EventData>
      <Data Name="RuleName">-</Data>
      <Data Name="UtcTime">2024-11-24 19:52:12.500</Data>
      <Data Name="ProcessGuid">{36fe7a82-83c8-6743-d526-2fa8d7550000}</Data>
      <Data Name="ProcessId">6468</Data>
      <Data Name="User">caldera</Data>
      <Data Name="Image">/usr/lib/openssh/sftp-server</Data>
      <Data Name="TargetFilename">/home/caldera/IMG_20241120_131011.jpg.filepart</Data>
      <Data Name="Hashes">-</Data>
      <Data Name="IsExecutable">-</Data>
      <Data Name="Archived">-</Data>
    </EventData>
  </Event>
</Events>

Pic:

Example Log Event

Fixed Issues

SigmaHQ Rule Creation Conventions

• If your PR adds new rules, please consider following and applying these conventions

[frack113]

HI,
Thanks.
The Eventid 23 is for FileDelete.
I find "WinSCP has a setting enabled by default that transfers files larger than 100kb to a temporary file name (with the .filepart extension) and then renames the file."
So the events are not exfiltration.

[CheraghiMilad]

HI, Thanks. The Eventid 23 is for FileDelete. I find "WinSCP has a setting enabled by default that transfers files larger than 100kb to a temporary file name (with the .filepart extension) and then renames the file." So the events are not exfiltration.

Hi, Thanks for the reply.
These files were exfiltrated during adversary emulation. If the .filepart keyword is commonly used in WinSCP, we can opt for a more relevant keyword that corresponds to files on the endpoint and remove the DeleteId from the rule.

[CheraghiMilad]

I got this error, and I have no idea what I can do about it.

======================================================================
FAIL: test_fieldname_case (main.TestRules.test_fieldname_case)

Traceback (most recent call last):
File "/home/runner/work/sigma/sigma/tests/test_logsource.py", line 253, in test_fieldname_case
self.assertEqual(
AssertionError: Lists differ: ['/home/runner/work/sigma/sigma/rules/linu[67 chars]yml'] != []

First list contains 1 additional elements.
First extra element 0:
'/home/runner/work/sigma/sigma/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml'

• ['/home/runner/work/sigma/sigma/rules/linux/process_creation/proc_creation_lnx_exfiltration_data_sftp_winscp.yml']

• [] : There are rule files which contains unknown field or with cast error

---

Ran 3 tests in 28.861s

FAILED (failures=1)
Error: Process completed with exit code 1.