Machine learning behavioral analysis detected malicious patterns
This threat is a Linux backdoor identified as Backdoor:Linux/Dakkatoni.az!MTB, a Mettle agent from the Metasploit framework. It grants an attacker remote control over the compromised Linux system, with capabilities such as establishing persistence, running in the background, and process manipulation.
rule Backdoor_Linux_Dakkatoni_2147762155_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Dakkatoni.az!MTB"
        threat_id = "2147762155"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Dakkatoni"
        severity = "Critical"
        info = "az: an internal category used to refer to some threats"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "5"
        strings_accuracy = "Low"
    strings:
        $x_1_1 = "/mettle/mettle/src/main.c" ascii //weight: 1
        $x_1_2 = "process_kill_by_pid" ascii //weight: 1
        $x_1_3 = "ftp@example.com" ascii //weight: 1
        $x_1_4 = "--persist [none|install|uninstall] manage persistence" ascii //weight: 1
        $x_1_5 = {2d 2d 62 61 63 6b 67 72 6f 75 6e 64 [0-5] 73 74 61 72 74 20 61 73 20 61 20 62 61 63 6b 67 72 6f 75 6e 64 20 73 65 72 76 69 63 65} //weight: 1, accuracy: Low
        $x_1_6 = "mettlesploit" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (5 of ($x*))
}

SHA-256: 5b901a2cd967fff9d5f3effcb09983609a224caf08b12d218febbf488074e55b

Immediately isolate the compromised Linux system. Identify and terminate the Mettle agent process, remove its executable (e.g., 'googlebot'), and eliminate any persistence mechanisms. Perform a comprehensive forensic analysis to determine the scope of compromise, review logs for attacker activity, rotate credentials, and patch vulnerabilities to prevent re-infection.
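The following Python script is an added example, not code from threatcheck.sh or from the signature's author, that re-implements the logic of the rule above in plain Python so the threshold semantics can be tested without a YARA install. It approximates YARA behaviour: the `ascii` strings become literal byte searches, the hex string `$x_1_5` ("--background", a jump of 0 to 5 arbitrary bytes, then "start as a background service") becomes a regex with `.{0,5}`, `20MB` is taken as 20 MiB as YARA does, and `5 of ($x*)` is a count over the six strings. The sample buffers are constructed for the test and are not real malware content.

```python
import re

# The six $x_* strings from the Dakkatoni rule, expressed as byte regexes.
# The hex pattern $x_1_5 decodes to "--background" [0-5] "start as a background service";
# the [0-5] jump is modelled as .{0,5} with DOTALL so any byte may fill the gap.
RULE_STRINGS = {
    "x_1_1": re.escape(b"/mettle/mettle/src/main.c"),
    "x_1_2": re.escape(b"process_kill_by_pid"),
    "x_1_3": re.escape(b"ftp@example.com"),
    "x_1_4": re.escape(b"--persist [none|install|uninstall] manage persistence"),
    "x_1_5": re.escape(b"--background") + b".{0,5}"
             + re.escape(b"start as a background service"),
    "x_1_6": re.escape(b"mettlesploit"),
}
THRESHOLD = 5                    # "5 of ($x*)"
MAX_FILESIZE = 20 * 1024 * 1024  # YARA's "filesize < 20MB" (MB = 2**20 bytes)


def matched_strings(data: bytes) -> list[str]:
    """Return the names of rule strings found anywhere in data (YARA 'ascii' match)."""
    return [name for name, pat in RULE_STRINGS.items()
            if re.search(pat, data, re.DOTALL)]


def rule_matches(data: bytes) -> bool:
    """Evaluate the rule's condition: filesize < 20MB and at least 5 of 6 strings."""
    if len(data) >= MAX_FILESIZE:
        return False
    return len(matched_strings(data)) >= THRESHOLD


def explain(data: bytes) -> dict:
    """Diagnostic view a responder can log: which strings hit and whether the rule fires."""
    hits = matched_strings(data)
    return {"filesize": len(data), "hits": hits, "count": len(hits),
            "threshold": THRESHOLD, "matches": rule_matches(data)}


# --- constructed sample buffers (not real binaries) ---------------------------
# Five of the six strings present; the hex-pattern gap is two bytes ("\t "), within [0-5].
SAMPLE_HIT = (b"\x7fELF\x00" b"/mettle/mettle/src/main.c\x00"
              b"process_kill_by_pid\x00"
              b"--persist [none|install|uninstall] manage persistence\x00"
              b"--background\t start as a background service\x00"
              b"mettlesploit\x00")

# Only four strings present: below the threshold, so the rule must not fire.
SAMPLE_MISS = SAMPLE_HIT.replace(b"mettlesploit\x00", b"")

# Gap between "--background" and "start as ..." is six bytes: longer than the [0-5]
# jump allows, so $x_1_5 does not match and only four strings remain.
SAMPLE_LONG_GAP = SAMPLE_HIT.replace(b"--background\t start",
                                     b"--background\t     start")


if __name__ == "__main__":
    for label, buf in (("hit", SAMPLE_HIT), ("miss", SAMPLE_MISS),
                       ("long_gap", SAMPLE_LONG_GAP)):
        print(label, explain(buf))
```

Running the script prints, for each constructed buffer, which strings hit and whether the condition is met; the `explain` output is the kind of per-string breakdown worth keeping in an incident record when a low-accuracy string rule like this one fires, since a single weak string such as `ftp@example.com` is not meaningful on its own.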