The Octopus Scanner malware is likely achieving remote code execution through network shares, leveraging T1195 (Supply Chain Compromise) to exfiltrate data and establish persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats before significant data loss occurs.
Detection Rule
title: Octopus Scanner Malware
id: 805c55d9-31e6-4846-9878-c34c75054fe9
status: test
description: Detects Octopus Scanner Malware.
references:
    - https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain
author: NVISO
date: 2020-06-09
modified: 2021-11-27
tags:
    - attack.initial-access
    - attack.t1195
    - attack.t1195.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - '\AppData\Local\Microsoft\Cache134.dat'
            - '\AppData\Local\Microsoft\ExplorerSync.db'
    condition: selection
falsepositives:
    - Unknown
level: high
// ASIM FileEvent parser: TargetFilePath holds the full path; TargetFileName holds only the file name,
// so the Sigma 'endswith' on a path suffix must be evaluated against TargetFilePath.
// KQL 'endswith' is case-insensitive, matching Sigma's default string semantics.
imFileEvent
| where TargetFilePath endswith "\\AppData\\Local\\Microsoft\\Cache134.dat"
    or TargetFilePath endswith "\\AppData\\Local\\Microsoft\\ExplorerSync.db"
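The following is an added example, not code from the Sigma rule, NVISO, or the Octopus Scanner research: it applies the rule's selection logic (case-insensitive suffix match on the target file path) to a handful of constructed Sysmon-style file-creation events, so you can see which events fire and which do not. The hostnames, users, process images and paths in the sample events are invented for illustration; the two path suffixes are copied from the rule. Note that the rule keys on the two dropped file paths only, so an event that merely mentions the word "Octopus" does not match.

```python
"""Evaluate the Octopus Scanner file_event Sigma rule over sample events.

Added example: not the rule's own code, nor NVISO's. Sample events below are
constructed for illustration.
"""

# Suffixes copied verbatim from the rule's TargetFilename|endswith selection.
OCTOPUS_SCANNER_SUFFIXES = (
    r"\AppData\Local\Microsoft\Cache134.dat",
    r"\AppData\Local\Microsoft\ExplorerSync.db",
)


def normalize_path(path):
    """Sigma string matching is case-insensitive, and some log pipelines rewrite
    Windows paths with forward slashes; fold both so 'endswith' sees a
    canonical, lower-cased Windows path."""
    return path.replace("/", "\\").lower()


def matches_octopus_scanner(event):
    """True when the event's TargetFilename ends with one of the rule's suffixes."""
    target = event.get("TargetFilename")
    if not target:
        return False
    normalized = normalize_path(target)
    return any(normalized.endswith(suffix.lower()) for suffix in OCTOPUS_SCANNER_SUFFIXES)


def hunt(events):
    """Return the subset of events that satisfy the rule's selection (condition: selection)."""
    return [event for event in events if matches_octopus_scanner(event)]


# Constructed sample events (Sysmon Event ID 11 style fields; all values invented).
SAMPLE_EVENTS = [
    {"Computer": "DEV-WS01", "Image": r"C:\Program Files\NetBeans\bin\netbeans64.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\Cache134.dat"},
    # Case differs from the rule text: still matches (case-insensitive).
    {"Computer": "DEV-WS02", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Microsoft\EXPLORERSYNC.DB"},
    # Contains the word "Octopus" but not the dropped-file path: does not fire.
    {"Computer": "DEV-WS03", "Image": r"C:\Program Files\Octopus Deploy\Octopus.exe",
     "TargetFilename": r"C:\ProgramData\Octopus\Logs\OctopusServer.txt"},
    # Extra extension after the suffix: does not fire (endswith, not contains).
    {"Computer": "DEV-WS04", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\carol\AppData\Local\Microsoft\Cache134.dat.bak"},
    # Forward-slash path as some collectors emit it: normalized, then matches.
    {"Computer": "DEV-WS05", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": "C:/Users/dave/AppData/Local/Microsoft/Cache134.dat"},
]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit['Computer']}: {hit['Image']} wrote {hit['TargetFilename']}")
```

Running the script prints the three matching events (DEV-WS01, DEV-WS02 and DEV-WS05); the "Octopus" log file and the `.bak` file are correctly left out, which is worth keeping in mind when tuning exclusions for this rule.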
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task using schtasks.exe or Task Scheduler runs a script that includes the word “Octopus” in its name or log output.
Filter/Exclusion: Exclude tasks that are scheduled via schtasks.exe with a known legitimate command line or check for the presence of a valid task ID in the event log.
Scenario: Admin Performing a File Integrity Check
Description: An administrator uses a tool like Sysinternals Process Monitor or Windows Defender Offline Scan to check for malware, and the tool’s output includes the term “Octopus” in a log file.
Filter/Exclusion: Exclude events where the process name matches ProcessMonitor.exe, MpCmdRun.exe, or any known security tool.
Scenario: Legitimate Software Installation
Description: A software package (e.g., Octopus Deploy) is being installed, and during the installation process, the word “Octopus” appears in the installation log or command line.
Filter/Exclusion: Exclude processes where the executable name matches Octopus.exe or OctopusDeploy.exe, or where the command line includes a known installation path.
Scenario: Log File Parsing by SIEM Tool
Description: A SIEM tool like Splunk or ELK parses log files and includes the term “Octopus” in a log message, triggering the rule due to keyword matching.
Filter/Exclusion: Exclude events where the source is a SIEM tool or where the log message is known to be part of a legitimate log format.
Scenario: User-Initiated File Search
Description: A user runs a file search using findstr or Get-ChildItem in PowerShell, and the search term includes “Octopus”,