mirror of
https://github.com/JGoyd/ShadowShells.git
synced 2026-02-12 13:22:45 +00:00
39 lines
1.6 KiB
Plaintext
Key Hits — High-Level Detection Guidance

(No raw logs included)

Network indicators:

- Repeated DNS, TLS SNI and HTTP(S) contacts to github.stormbreaker.pro and stormbreaker.pro.
- Secondary C2/relay domains observed: kaylees.site and pir.kaylees.site, plus multiple typosquat and free-TLD domains (not enumerated here).

Process / execution patterns:

- References to 'sshd' (the SSH daemon).
- Frequent invocations of '/bin/bash'. Look for unexpected SSH services, pseudo-shells, or elevated shell activity.
- Indicators of command execution and file-transfer behavior (keywords: download, upload, payload identifiers).

Proxy / tunneling markers:

- Unique string "tunnel_shine" observed in routing/proxy configuration contexts.
- Unique SYSTEM_PROXY UUID: A124B30D-1DA8-4A28-9086-C7F485678DCB
  (High-value pivot for provider/host log searches: a value this specific should yield very few false positives, so any hit warrants follow-up.)

Beacon / heartbeat patterns:

- Recurrent periodic heartbeat-like entries.
- Example marker: Awareness.heartbeat:E9362
- Look for regular timing patterns or periodic callbacks in telemetry: compute the inter-arrival times between successive heartbeat entries from the same host and flag series with low jitter.

Detection Recommendations:

- Monitor DNS logs and TLS SNI for the listed domains and their variants (subdomains and lookalikes).
- Alert on:
  - New or unexpected SSH service instances
  - Sudden increases in /bin/bash invocation rates
- Hunt for:
  - The proxy UUID
  - The "tunnel_shine" string in system or configuration logs
- Correlate:
  - Suspicious DNS/TLS hits
  - With endpoint process activity and unusual outbound traffic
- Prioritize timestamps aligning with the observed beacon cadence.

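The hunt described above, as an added worked example that is not part of the ShadowShells repository or its tooling: a small Python scanner that applies the listed indicators (domains with their subdomains, the SYSTEM_PROXY UUID, the "tunnel_shine" string, the Awareness.heartbeat marker) to log lines and then checks whether the heartbeat entries arrive at a regular cadence. The log line shape (ISO-8601 timestamp followed by free text) and the sample lines are constructed for the illustration; only the indicator values come from this document.

```python
import re
from datetime import datetime
from statistics import mean, pstdev

# Indicator values are the ones listed in this guidance.
C2_DOMAINS = {
    "github.stormbreaker.pro",
    "stormbreaker.pro",
    "kaylees.site",
    "pir.kaylees.site",
}
PROXY_UUID = "A124B30D-1DA8-4A28-9086-C7F485678DCB"
TUNNEL_STRING = "tunnel_shine"
HEARTBEAT_RE = re.compile(r"Awareness\.heartbeat:\S+")

# Assumed log shape for this example: ISO-8601 timestamp, then free text.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})")
# Rough hostname candidates (dotted labels ending in an alphabetic TLD).
HOST_RE = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample lines for the demonstration; not real captured logs.
SAMPLE_LOGS = """\
2026-02-12T13:00:00 dns query=github.stormbreaker.pro src=10.0.0.5
2026-02-12T13:00:01 tls sni=pir.kaylees.site src=10.0.0.5
2026-02-12T13:05:00 agent Awareness.heartbeat:E9362 src=10.0.0.5
2026-02-12T13:10:00 agent Awareness.heartbeat:E9362 src=10.0.0.5
2026-02-12T13:15:00 agent Awareness.heartbeat:E9362 src=10.0.0.5
2026-02-12T13:20:01 agent Awareness.heartbeat:E9362 src=10.0.0.5
2026-02-12T13:21:00 proxy SYSTEM_PROXY=A124B30D-1DA8-4A28-9086-C7F485678DCB route=tunnel_shine
2026-02-12T13:22:00 dns query=example.com src=10.0.0.9
"""


def domain_matches(host):
    """True if host is one of the listed C2 domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def scan_line(line):
    """Return the (kind, value) indicator hits found in a single log line."""
    hits = []
    for host in HOST_RE.findall(line):
        if domain_matches(host):
            hits.append(("domain", host.lower().rstrip(".")))
    if PROXY_UUID.lower() in line.lower():
        hits.append(("proxy_uuid", PROXY_UUID))
    if TUNNEL_STRING in line:
        hits.append(("tunnel_string", TUNNEL_STRING))
    m = HEARTBEAT_RE.search(line)
    if m:
        hits.append(("heartbeat", m.group(0)))
    return hits


def scan_logs(text):
    """Scan newline-separated log text; return a list of (timestamp, kind, value)."""
    events = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        ts = datetime.fromisoformat(m.group(1)) if m else None
        for kind, value in scan_line(line):
            events.append((ts, kind, value))
    return events


def heartbeat_cadence(events, max_jitter=0.05):
    """Inter-arrival analysis of the heartbeat hits.

    Returns (mean_period_seconds, regular). regular is True when the spread
    of the intervals is within max_jitter as a fraction of the mean period,
    i.e. the callbacks look machine-scheduled rather than interactive.
    Needs at least three timestamped heartbeats (two intervals).
    """
    times = sorted(ts for ts, kind, _ in events if kind == "heartbeat" and ts is not None)
    if len(times) < 3:
        return None, False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    period = mean(gaps)
    regular = period > 0 and pstdev(gaps) / period <= max_jitter
    return period, regular


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for ts, kind, value in found:
        print(ts, kind, value)
    print("heartbeat cadence:", heartbeat_cadence(found))
```

The domain check deliberately matches subdomains of the listed names but not the unlisted typosquat and free-TLD domains, which have to be added to C2_DOMAINS as they are identified locally; the UUID and string matches are exact, so a hit on either is a strong pivot, while a cadence result alone only prioritises which hosts to look at first.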
Notes:

- Validate indicators against local telemetry; some domains may be reused or repurposed, so a DNS or SNI hit on its own is not confirmation of compromise.
- If you find matches that appear benign, notify the repository contact for review.