LoFP LoFP / false positives should be very minimal to non existent, as the names of the packages in the lookup are all extracted from previously malicious packages.

Techniques

Sample rules

Cisco NVM - Installation of Typosquatted Python Package

Description

This analytic detects suspicious python package installations where the package name resembles popular Python libraries but may be typosquatted or slightly altered. Typosquatting is a common technique used by attackers to trick users into installing malicious packages that mimic legitimate ones. This detection leverages Cisco NVM flow telemetry and checks for pip or poetry package managers with the “install” or “add” flags, making outbound connections to package repository such as pypi.org with known or suspected typo package names.

Detection logic

`cisco_network_visibility_module_flowdata`
dest_hostname IN ("*.pythonhosted.org", "*pypi.org", "*python-poetry.org")
(
  (process_arguments = "*pip*" process_arguments = "*install*")
  OR
  (process_arguments = "*poetry*" process_arguments = "*add*")
)

| rex field=process_arguments "(?i)(?:pip
|poetry)[^
|]*?\s+(?:install
|add)\s+(?P<package_name>[^\s\"']+)$"

| lookup typo_squatted_python_packages
         typosquatted_package_name as package_name
         OUTPUTNEW comment package_official_url

| where isnotnull(comment)

| stats count min(_time) as firstTime max(_time) as lastTime
        values(parent_process_arguments) as parent_process_arguments
        values(process_arguments) as process_arguments
        values(parent_process_hash) as parent_process_hash
        values(process_hash) as process_hash
        values(module_name_list) as module_name_list
        values(module_hash_list) as module_hash_list
        values(dest_port) as dest_port
        values(aliul) as additional_logged_in_users_list
        values(dest_hostname) as dest_hostname
        by src dest parent_process_path parent_process_integrity_level process_path process_name process_integrity_level process_id transport package_name comment package_official_url

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| table firstTime lastTime src dest_hostname dest dest_port transport  package_name comment package_official_url
  parent_process_integrity_level parent_process_path parent_process_arguments parent_process_hash
  process_integrity_level process_path process_name process_arguments process_hash process_id
  additional_logged_in_users_list module_name_list module_hash_list

| `cisco_nvm___installation_of_typosquatted_python_package_filter`