Adversaries may use Pnscan to sweep a network for exposed services, passing the request bytes to send and the response bytes to match as hex pairs on the command line (its -W and -R options); it is this command line activity, not the traffic itself, that the rule below keys on. The rule is tagged as discovery (T1046, Network Service Discovery), so treat a hit as evidence of scanning rather than exfiltration. SOC teams should proactively hunt for this behavior in Microsoft Sentinel (formerly Azure Sentinel) to surface scanning linked to the Linux malware campaigns targeting Docker and similar internet-exposed services.
Detection Rule
title: Pnscan Binary Data Transmission Activity
id: 97de11cd-4b67-4abf-9a8b-1020e670aa9e
status: test
description: |
    Detects command line patterns associated with the use of Pnscan for sending and receiving binary data across the network.
    This behavior has been identified in a Linux malware campaign targeting Docker, Apache Hadoop, Redis, and Confluence and was previously used by the threat actor known as TeamTNT.
author: David Burkett (@signalblur)
date: 2024-04-16
references:
    - https://www.cadosecurity.com/blog/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence
    - https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf
    - https://regex101.com/r/RugQYK/1
    - https://www.virustotal.com/gui/file/beddf70a7bab805f0c0b69ac0989db6755949f9f68525c08cb874988353f78a9/content
tags:
    - attack.discovery
    - attack.t1046
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        CommandLine|re: -(W|R)\s?(\s|"|')([0-9a-fA-F]{2}\s?){2,20}(\s|"|')
    condition: selection
falsepositives:
    - Unknown
level: medium
The equivalent Microsoft Sentinel (KQL) query over the ASIM imProcessCreate parser. Sigma's |re modifier is an unanchored search, which is what KQL's matches regex does; the backslashes and double quotes are escaped because the pattern sits inside a regular (non-verbatim) KQL string literal:

imProcessCreate
| where TargetProcessCommandLine matches regex "-(W|R)\\s?(\\s|\"|')([0-9a-fA-F]{2}\\s?){2,20}(\\s|\"|')"
Scenario: Legitimate Docker Image Push to Registry
Description: A system administrator pushes an image to a private registry with docker push. The rule inspects only the process command line, never the bytes sent over the network, so an ordinary docker push or docker build invocation does not match: its command line carries no -W or -R switch followed by a run of hex byte pairs.
Filter/Exclusion: No exclusion is needed for a plain docker push. If a build pipeline does pass hex-like arguments, exclude on the process image being docker together with the push or build subcommand, not on the fact that data is being transferred.
Scenario: Network Monitoring Tool Capturing Binary Traffic
Description: Wireshark or tcpdump captures packets for forensic analysis. Captured payloads never appear in the command line, and tcpdump's -i and -w switches are lowercase while the pattern is case-sensitive for -W and -R, so these invocations do not match.
Filter/Exclusion: None required. If a capture wrapper does produce a match, exclude on the image being tcpdump or wireshark rather than on the presence of -i or -w, switches any process can pass.
Scenario: Scheduled System Backup Using Binary Transfer
Description: A scheduled job copies data with rsync, scp or tar. The data stream is invisible to the rule; what can match is the command line itself. rsync's uppercase -R (--relative) and GNU tar's uppercase -W (--verify) exist, so a command line such as rsync -R followed by two or more short hex-looking path components satisfies the pattern even though nothing malicious is happening. scp's -r is lowercase and does not.
Filter/Exclusion: Exclude on the image (rsync, scp, tar) combined with the known backup destination host or internal network segment, and scope the exclusion to the expected cron or systemd timer invocations.
Scenario: Admin Task Using netcat for Debugging
Description: An administrator uses netcat to test connectivity or debug a service. netcat normally takes its payload from stdin or a redirected file, so the bytes do not appear in the command line; a match would require -W or -R with literal hex pairs, for example from a wrapper script.
Filter/Exclusion: Excluding on nc or netcat in the command line plus "elevated privileges" is weak: malware on a compromised host can run as root too, and the attacker controls the command line. Exclude instead on a small set of named admin accounts and jump hosts, and keep the exclusion time-bounded.
Scenario: Log Shipper Transferring Binary Logs
Description: Fluentd or Logstash ships binary log files (e.g., from a database) to a central collector. Their command lines carry configuration paths and plugin names, not raw hex payloads, so the transfer itself cannot trigger the rule; only an unusual wrapper passing -W or -R with hex pairs would.
Filter/Exclusion: Exclude processes where the command line includes fluentd, logstash, or `rs
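To see which of the scenarios above actually trip the rule's selection, and how an Image-based exclusion behaves, here is an added Python example (not part of the Sigma rule, the Sentinel query, or the original page). It runs the rule's regex, copied verbatim, over constructed process-creation events and filters the hits. The sample command lines, image paths and hex payloads are all made up for illustration; the grep line is included because it is benign yet satisfies the pattern.

```python
import re

# Regex taken verbatim from the Sigma rule's CommandLine|re selection.
# Sigma's |re modifier is an unanchored search, so re.search() is the right
# Python equivalent (re.match() would silently require a match at offset 0).
PNSCAN_HEX_ARGS = re.compile(r"""-(W|R)\s?(\s|"|')([0-9a-fA-F]{2}\s?){2,20}(\s|"|')""")

# Constructed process-creation events for illustration only; none are real
# telemetry, and the hex payloads are placeholders, not the campaign's probes.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/pnscan",
     "CommandLine": 'pnscan -W "16 03 01 00 2e" -R "16 03 01" 10.0.0.0/24 443'},
    {"Image": "/usr/bin/pnscan",
     "CommandLine": "pnscan -W '0b 00 00 00' 192.168.1.0/24 6379"},
    {"Image": "/usr/bin/docker",
     "CommandLine": "docker push registry.internal/app:1.2.3"},
    {"Image": "/usr/sbin/tcpdump",
     "CommandLine": "tcpdump -i eth0 -w /var/tmp/capture.pcap"},
    {"Image": "/usr/bin/rsync",
     "CommandLine": "rsync -av /srv/data backup.internal:/srv/data"},
    # Benign command that nevertheless satisfies the pattern: grep's uppercase
    # -R followed by two short hex-looking tokens, each delimited by whitespace.
    {"Image": "/usr/bin/grep",
     "CommandLine": "grep -R ab cd /etc"},
]


def rule_matches(command_line: str) -> bool:
    """True if the Sigma selection would fire on this command line."""
    return PNSCAN_HEX_ARGS.search(command_line) is not None


def select_hits(events, excluded_images=frozenset()):
    """Apply the rule to process-creation events, then drop events whose Image
    is on an allowlist. The exclusion is keyed on Image rather than on a
    substring of the command line because the command line is attacker
    controlled: a renamed pnscan binary would slip past a
    'CommandLine contains grep' exclusion but not past an Image allowlist."""
    return [e for e in events
            if rule_matches(e["CommandLine"]) and e["Image"] not in excluded_images]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        flag = "HIT " if rule_matches(e["CommandLine"]) else "    "
        print(f'{flag} {e["CommandLine"]}')
    tuned = select_hits(SAMPLE_EVENTS, excluded_images={"/usr/bin/grep"})
    print(f"{len(tuned)} alert(s) after excluding /usr/bin/grep")
```

Of the six constructed events only the two pnscan lines and the grep line match; docker push, tcpdump and rsync -av never do, because nothing in their command lines is an uppercase -W or -R followed by hex pairs. An Image allowlist is still only as strong as the telemetry's image path, so in production pair it with the parent process or the signing/package identity of the binary rather than trusting the path alone.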