From 76494bf97e93e4de05bc481c87001a56e9a2c5fe Mon Sep 17 00:00:00 2001 From: Joseph Goydish II Date: Wed, 10 Dec 2025 18:28:49 -0500 Subject: [PATCH] Add high-level detection guidance for key hits --- key hits.txt | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 key hits.txt diff --git a/key hits.txt b/key hits.txt new file mode 100644 index 0000000..49b5760 --- /dev/null +++ b/key hits.txt 
@@ -0,0 +1,38 @@ +Key Hits — High-Level Detection Guidance +(No raw logs included) + +Network indicators: +- Repeated DNS/SNI/HTTP(S) contacts to github.stormbreaker.pro and stormbreaker.pro. +- Secondary C2/relay domains observed: kaylees.site, pir.kaylees.site, plus multiple typosquat and free-TLD domains. + +Process / execution patterns: +- References to 'sshd' (SSH daemon). +- Frequent invocations of '/bin/bash' — look for unexpected SSH services, pseudo-shells, or elevated shell activity. +- Indicators of command execution and file-transfer behavior (keywords: download, upload, payload identifiers). + +Proxy / tunneling markers: +- Unique string "tunnel_shine" observed in routing/proxy configuration contexts. +- Unique SYSTEM_PROXY UUID: A124B30D-1DA8-4A28-9086-C7F485678DCB + (High-value pivot for provider/host log searches.) + +Beacon / heartbeat patterns: +- Recurrent periodic heartbeat-like entries. + - Example marker: Awareness.heartbeat:E9362 +- Look for regular timing patterns or periodic callbacks in telemetry. + +Detection Recommendations: +- Monitor DNS logs and TLS SNI for the listed domains and variants. +- Alert on: + - New or unexpected SSH service instances + - Sudden increases in /bin/bash invocation rates +- Hunt for: + - The proxy UUID + - The "tunnel_shine" string in system or configuration logs +- Correlate: + - Suspicious DNS/TLS hits + - With endpoint process activity + unusual outbound traffic + - Prioritize timestamps aligning with observed beacon cadence. + +Notes: +- Validate indicators against local telemetry — some domains may be reused or repurposed. +- If you find matches that appear benign, notify the repository contact for review.
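Review bot: the "Process / execution patterns" and "Alert on" bullets are too generic to act on as written; "References to 'sshd'" and "Sudden increases in /bin/bash invocation rates" will match routine administration on any Linux host, so please scope them (for example, sshd instances not managed by the host's service manager, or /bin/bash spawned by an unexpected parent or service account) or downgrade them from "Alert on" to "Correlate". The network section also says "plus multiple typosquat and free-TLD domains" without listing any of them, leaving nothing for the DNS/SNI monitoring recommendation to key on; either enumerate those domains or drop the phrase. For every indicator (the two primary domains, kaylees.site and pir.kaylees.site, the SYSTEM_PROXY UUID, "tunnel_shine", Awareness.heartbeat:E9362) the file gives no source, first/last-seen date or confidence level, which the closing "Validate indicators against local telemetry" note implicitly relies on; a short per-indicator line for each would let readers judge staleness. Finally, the new file is named "key hits.txt" with a space, which complicates shell and tooling references; "key_hits.txt" would be safer.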