The hypothesis is that the use of grep to search for specific file patterns associated with GobRAT indicates an adversary is attempting to locate and exfiltrate malware components within the environment. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential GobRAT infections early and prevent further compromise.
Detection Rule (Sigma)
title: Potential GobRAT File Discovery Via Grep
id: e34cfa0c-0a50-4210-9cb3-5632d08eb041
status: test
description: Detects the use of grep to discover specific files created by the GobRAT malware
references:
    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
    - attack.discovery
    - attack.t1082
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/grep'
        CommandLine|contains:
            - 'apached'
            - 'frpc'
            - 'sshd.sh'
            - 'zone.arm'
    condition: selection
falsepositives:
    - Unknown
level: high
Azure Sentinel Query (KQL, ASIM imProcessCreate parser)
imProcessCreate
| where TargetProcessName endswith "/grep"
    and (TargetProcessCommandLine contains "apached"
        or TargetProcessCommandLine contains "frpc"
        or TargetProcessCommandLine contains "sshd.sh"
        or TargetProcessCommandLine contains "zone.arm")
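The selection logic above, run over constructed process-creation events, as an added example that is not part of the original rule or this page: it implements the Image/CommandLine test shared by the Sigma and KQL versions plus the admin/log-path exclusion from the first false-positive scenario below, showing which events alert and that a path-based exclusion can also suppress a genuine hit. The ProcessEvent class, its user attribute, the admin/benign-path parameters and the sample events are assumptions constructed for this example.

```python
from dataclasses import dataclass

# Markers taken from the rule's CommandLine|contains list.
GOBRAT_MARKERS = ("apached", "frpc", "sshd.sh", "zone.arm")


@dataclass
class ProcessEvent:
    image: str         # Sigma Image / ASIM TargetProcessName (assumed field names)
    command_line: str  # Sigma CommandLine / ASIM TargetProcessCommandLine
    user: str = ""     # assumed extra field, used only by the exclusion helper


def gobrat_markers_hit(ev: ProcessEvent) -> list[str]:
    """Markers found in the command line when Image ends with '/grep'.
    Matching is case-insensitive, like Sigma's default modifiers and
    KQL's endswith/contains; an empty list means the rule does not fire."""
    if not ev.image.lower().endswith("/grep"):
        return []
    cmd = ev.command_line.lower()
    return [m for m in GOBRAT_MARKERS if m in cmd]


def is_excluded(ev: ProcessEvent, admin_users: set, benign_paths: tuple) -> bool:
    """Assumed form of the first scenario's exclusion: an admin account whose
    grep references a known log or config path. It can also hide a true hit."""
    return ev.user in admin_users and any(p in ev.command_line for p in benign_paths)


def alerts(events, admin_users=frozenset(), benign_paths=()):
    """Apply the rule, then the exclusion; return (event index, markers) per alert."""
    out = []
    for i, ev in enumerate(events):
        hits = gobrat_markers_hit(ev)
        if hits and not is_excluded(ev, admin_users, benign_paths):
            out.append((i, hits))
    return out


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("/usr/bin/grep", "grep -r frpc /tmp /var/tmp", "www-data"),            # 0: alert
    ProcessEvent("/bin/grep", "grep -l zone.arm /etc/init.d/sshd.sh", "root"),          # 1: alert, two markers
    ProcessEvent("/usr/bin/grep", "grep 'Failed password' /var/log/auth.log", "root"),  # 2: no marker
    ProcessEvent("/usr/bin/pgrep", "pgrep frpc", "root"),                               # 3: Image is not */grep
]

if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))                                     # [(0, ['frpc']), (1, ['sshd.sh', 'zone.arm'])]
    print(alerts(SAMPLE_EVENTS, {"root"}, ("/var/log/", "/etc/")))  # [(0, ['frpc'])] - event 1 suppressed
```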
Scenario: System Administrator Uses grep to Search for Log Files
Description: An admin uses grep to search for specific log files (e.g., /var/log/auth.log) to troubleshoot authentication issues.
Filter/Exclusion: Exclude processes where the user is a system admin and the command includes known log file paths (e.g., /var/log/, /etc/).
Scenario: Scheduled Job Uses grep to Monitor File Changes
Description: A cron job or systemd timer uses grep to monitor changes in a configuration directory (e.g., /etc/nginx/) for updates.
Filter/Exclusion: Exclude processes with grep commands that target known configuration directories and are associated with scheduled tasks (e.g., crontab, systemd units).
Scenario: Security Tool Uses grep to Analyze Network Traffic Logs
Description: Output from a network capture tool such as tcpdump or Wireshark is piped through grep to filter network traffic logs for specific patterns (e.g., IP addresses or protocols).
Filter/Exclusion: Exclude processes where the command includes known security tool paths or log file locations (e.g., /var/log/tcpdump.log, /var/log/iptables.log).
Scenario: Database Administrator Uses grep to Search for SQL Queries
Description: A DBA uses grep to search for specific SQL queries in a database log file (e.g., /var/log/mysql.log) to debug performance issues.
Filter/Exclusion: Exclude processes where the user is a DBA and the command targets known database log files (e.g., /var/log/mysql/, /var/log/postgresql/).
Scenario: DevOps Pipeline Uses grep to Validate Build Artifacts
Description: A CI/CD pipeline