Adding sigma rules related to Restic for Data Exfiltration and CleanUpLoader(Oyster Backdoor)

[CTI-Driven]

title: Detect the Use of Restic Backup too for Data Exfiltration id: 12345678-1234-1234-1234-123456789012 description: | Restic is an open-source backup tool that supports backing up data to various storage types, including local directories, SFTP servers, and cloud services like Amazon S3, Google Cloud Storage, and Microsoft Azure. Recently, it has been observed in use by the BlackCat Ransomware group. status: experimental references:

• https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/#exfiltration
• https://restic.net/ author: Nounou Mbeiri date: 2024/10/15 tags:
• attack.exfiltration
• attack.t1048 logsource: product: windows category: process_creation detection: selection1: CommandLine|contains|all:
  • " -r"
  • " :/"
  • " init" selection2: CommandLine|contains|all:
  • " --repo"
  • " :/"
  • " init" selection3: CommandLine|contains:
  • " backup"
  • " init" parameter1: CommandLine|contains|all:
  • " -r"
  • "sftp:" parameter2: CommandLine|contains|all:
  • " -r"
  • " rest:http" parameter3: CommandLine|contains|all:
  • " -r"
  • " s3:s3."
  • "amazonaws" parameter4: CommandLine|contains|all:
  • " -r"
  • " s3:http" parameter5: CommandLine|contains|all:
  • " -r"
  • " swift:" parameter6: CommandLine|contains|all:
  • " -r"
  • " b2:" parameter7: CommandLine|contains|all:
  • " -r"
  • " azure:" parameter8: CommandLine|contains|all:
  • " -r"
  • " gs:" parameter9: CommandLine|contains|all:
  • " -r"
  • " rclone:" condition: ((selection1 or selection2) or (selection3 and 1 of parameter*)) falsepositives:
• Legitimate use of Restic for backup purposes level: high

---

title: Detect Rundll32 and Schtasks Command Events Linked to CleanUpLoader id: 12345678-1234-5678-1234-567812345678 status: experimental description: Detects process creation events involving rundll32.exe and schtasks.exe commands associated with CleanUpLoader(Oyster Backdoor) activity on Windows systems. references:

• https://www.reliaquest.com/blog/5-malware-variants-you-should-know/
• https://go.recordedfuture.com/hubfs/reports/cta-2024-1009.pdf
• https://www.rapid7.com/blog/post/2024/06/17/malvertising-campaign-leads-to-execution-of-oyster-backdoor/
• https://app.any.run/tasks/aa15e125-38b8-44d8-add9-54e21e6813bb author: Nounou Mbeiri date: 2024/10/15 tags:
• attack.discovery
• attack.command_and_control
• attack.exfiltration
• attack.t1040
• attack.t1041
• attack.t1071 logsource: product: windows category: process_creation detection: selection1: CommandLine|contains|all:
  • 'rundll32.exe'
  • '%s'
  • 'Test' selection2: CommandLine|contains:
  • 'rundll32.exe' selection21: CommandLine|contains:
  • 'CleanUp.dll'
  • 'CleanUp30.dll' selection3: CommandLine|contains|all:
  • 'schtasks.exe'
  • '/create'
  • 'ClearMngs'
  • 'rundll32'
  • '.dll'
  • 'Test' selection4: CommandLine|contains|all:
  • 'powershell.exe'
  • 'schtasks.exe'
  • 'CreateShortcut'
  • '.lnk'
  • 'rundll32'
  • '.dll'
  • 'Test' condition: selection1 or (selection2 and selection21) or selection3 or selection4 falsepositives:
    • Scripts or automation tools that include similar command patterns level: high

---

title: Detect DLL File Creation Events Linked to CleanUpLoader id: 87654321-4321-8765-4321-876543218765 status: experimental description: Detects the creation of specific DLL files in Temp or Downloads folders, potentially linked to CleanUpLoader(Oyster Backdoor) activity. references:

• https://www.reliaquest.com/blog/5-malware-variants-you-should-know/
• https://go.recordedfuture.com/hubfs/reports/cta-2024-1009.pdf
• https://www.rapid7.com/blog/post/2024/06/17/malvertising-campaign-leads-to-execution-of-oyster-backdoor/
• https://app.any.run/tasks/aa15e125-38b8-44d8-add9-54e21e6813bb author: Nounou Mbeiri date: 2024/10/15 tags:
• attack.discovery
• attack.command_and_control
• attack.exfiltration
• attack.t1040
• attack.t1041
• attack.t1071 logsource: product: windows category: file_event detection: selection: TargetFilename|endswith:
  • 'CleanUp.dll'
  • 'CleanUp30.dll' TargetFilename|contains:
  • '\Temp\' condition: selection falsepositives:
    • Legitimate software installations or updates that use these CleanUp.dll level: medium