Common Information

| Type | Value |
|---|---|
| Category | |
| Type | Yara Rule |
| Misp Type | |
| Description | |

Value:

```yara
rule P0_Hunting_Common_TeamTNT_CurlArgs_1
{
    meta:
        description = "Detecting presence of known credential harvester scripts (commonly used by TeamTNT) containing common curl arguments including 'Datei' (German word for 'file') and specific 'Send=1' arguments found in German blog post https://administrator.de/tutorial/upload-von-dateien-per-batch-curl-und-php-auf-einen-webserver-ohne-ftp-98399.html which details using curl (with these specific arguments) to upload files to upload.php"
        author = "daniel.bohannon@permiso.io (@danielhbohannon)"
        date = "2023-07-12"
        reference = "https://permiso.io/blog/s/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining/"
        md5_01 = "b9113ccc0856e5d44bab8d3374362a06"
        md5_02 = "d9ecceda32f6fa8a7720e1bf9425374f"
        md5_03 = "0855b8697c6ebc88591d15b954bcd15a"
        md5_04 = "f7df739f865448ac82da01b3b1a97041"
        md5_05 = "1a37f2ef14db460e5723f3c0b7a14d23"
        md5_06 = "99f0102d673423c920af1abc22f66d4e"
        md5_07 = "99f0102d673423c920af1abc22f66d4e"
        md5_08 = "5daace86b5e947e8b87d8a00a11bc3c5"

    strings:
        // curl multipart form field names copied from the German upload.php tutorial
        $curlFileArgGerman = "\"Datei=@\""
        $curlArgSend       = "-F \"Send=1\""
        $curlArgUsername   = "-F \"username="
        $curlArgPassword   = "-F \"password="

    condition:
        all of them
}
```