Potentially Suspicious Malware Callback Communication - Linux

Sigma Rules

Summary
This detection rule identifies potentially suspicious malware callback communication on Linux systems. It monitors network connections and flags outgoing connections to ports that threat-intelligence reports associate with malware callbacks: 888, 999, 2200, 2222, 4000, 4444, 6789, 8531, 50501, and 51820. The selection requires the connection to be initiated by the host (i.e., outgoing) and excludes common private IP address ranges as destinations, which reduces false positives from legitimate internal traffic. The rule carries a high severity level and is intended to improve security visibility by alerting on command-and-control activity commonly associated with malware. It is particularly relevant to security analysts and incident responders focused on proactively detecting compromised systems or applications that communicate with malicious infrastructure over the network. The rule's references cover actor tactics, techniques, and procedures (TTPs) and analyses of specific malware samples that exhibit these callback patterns.
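The following is an added example, not the rule's own YAML or any SigmaHQ code: a small Python script that applies the logic the summary describes (outgoing connection, destination port in the listed set, destination address not in a private range) to constructed network-connection events. The field names `Initiated`, `DestinationIp` and `DestinationPort` follow the usual Sigma `network_connection` naming and are assumed here; the exact set of excluded local ranges (RFC 1918, loopback, link-local and their IPv6 counterparts) is also an assumption, since the page only says "common private IP address ranges".

```python
import ipaddress

# Ports the rule summary lists as known malware callback ports.
CALLBACK_PORTS = {888, 999, 2200, 2222, 4000, 4444, 6789, 8531, 50501, 51820}

# Local destination ranges excluded to reduce false positives.
# Assumption: the page only says "common private IP address ranges";
# this set (RFC 1918, loopback, link-local, IPv6 equivalents) is ours.
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fe80::/10", "fc00::/7",
)]


def is_local_destination(ip_str):
    """True if the destination address falls inside an excluded local range."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        # Unparseable address: do not silently filter it out.
        return False
    return any(ip in net for net in LOCAL_RANGES)


def is_suspicious_callback(event):
    """Apply the rule's selection and filter to one event (a dict).

    Field names Initiated / DestinationIp / DestinationPort are assumed
    (Sigma network_connection convention), not quoted from the page.
    """
    initiated = str(event.get("Initiated", "")).lower() == "true"
    try:
        port = int(event.get("DestinationPort", -1))
    except (TypeError, ValueError):
        return False
    dst = str(event.get("DestinationIp", ""))
    return initiated and port in CALLBACK_PORTS and not is_local_destination(dst)


def scan(events):
    """Return the events that match the rule, in input order."""
    return [e for e in events if is_suspicious_callback(e)]


# Constructed sample events (not real telemetry). 203.0.113.0/24 and
# 2001:db8::/32 are documentation ranges standing in for external hosts.
SAMPLE_EVENTS = [
    {"Image": "/tmp/updater", "Initiated": "true",
     "DestinationIp": "203.0.113.7", "DestinationPort": 4444},      # match
    {"Image": "/usr/bin/ssh", "Initiated": "true",
     "DestinationIp": "192.168.1.20", "DestinationPort": 2222},     # local, filtered
    {"Image": "/usr/sbin/sshd", "Initiated": "false",
     "DestinationIp": "203.0.113.7", "DestinationPort": 2222},      # inbound, ignored
    {"Image": "/usr/bin/curl", "Initiated": "true",
     "DestinationIp": "203.0.113.9", "DestinationPort": 443},       # port not listed
    {"Image": "/usr/bin/wg-quick", "Initiated": "true",
     "DestinationIp": "2001:db8::1", "DestinationPort": "51820"},   # match (IPv6, string port)
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"ALERT {hit['Image']} -> {hit['DestinationIp']}:{hit['DestinationPort']}")
```

Running the script prints two alerts: the outbound connection to port 4444 and the IPv6 connection to port 51820. The last sample is deliberately a WireGuard client, whose default port is 51820; together with 2222 as a common alternate SSH port, it shows why a deployment of this rule usually needs a site-specific allowlist of known VPN and SSH endpoints in addition to the private-range filter.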
Categories
  • Linux
  • Network
Data Sources
  • Network Traffic
Created: 2024-05-10