attack.command_and_control

ScreenConnect Backstage Mode Anomaly
level
status experimental

Detects suspicious sub-processes started by the ScreenConnect client service, which indicates the use of the so-called Backstage mode

Tor Client or Tor Browser Use
level
status experimental

Detects the use of Tor or Tor-Browser to connect to onion routing networks

Query Tor Onion Address
level
status experimental

Detects DNS resolution of an .onion address related to Tor routing networks

ScreenConnect Temporary Installation Artefact
level
status experimental

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

GoToAssist Temporary Installation Artefact
level
status experimental

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Query to LogMeIn Remote Access Software Domain
level
status experimental

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Anydesk Temporary Artefact
level
status experimental

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

TeamViewer Remote Session
level
status experimental

Detects the creation of log files during a TeamViewer remote session

Suspicious TeamViewer Domain Access
level
status experimental

Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn’t named TeamViewer (sometimes used by threat actors for obfuscation)

Installation of TeamViewer Desktop
level
status experimental

TeamViewer_Desktop.exe is created during install

Change User Agents with WebRequest
level
status experimental

Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Testing Usage of Uncommonly Used Port
level
status experimental

Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088 (Citation: Symantec Elfin Mar 2019) or port 587 (Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.

Suspicious SSL Connection
level
status experimental

Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.

Download a File with IMEWDBLD.exe
level
status experimental

Use IMEWDBLD.exe (built into Windows) to download a file

Suspicious Minimized MSEdge Start
level
status

Detects the suspicious minimized start of MsEdge browser, which can be used to download files from the Internet

Suspicious Diantz Download and Compress Into a CAB File
level
status experimental

Download and compress a remote file and store it in a CAB file on the local machine.

AppInstaller Attempts From URL by DNS
level
status experimental

AppInstaller.exe is spawned by the default handler for the URI and attempts to load/install a package from the URL

Suspicious Certreq Command to Download
level
status experimental

Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files

Chafer Activity
level
status experimental

Detects Chafer activity attributed to OilRig as reported in the Nyotron report of March 2018

Netcat The Powershell Version
level
status experimental

Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network

Ncat Execution
level
status experimental

Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network

Default Cobalt Strike Certificate
level
status experimental

Detects the presence of the default Cobalt Strike certificate in HTTPS traffic

Outlook C2 Registry Key
level
status experimental

Detects the modification of the Outlook security setting to allow unprompted execution. Goes with win_outlook_c2_macro_creation.yml and is particularly interesting if both events occur close to each other.

Wannacry Killswitch Domain
level
status test

Detects DNS queries for the WannaCry killswitch domain

DNSCat2 Powershell Implementation Detection Via Process Creation
level
status test

The PowerShell implementation of DNSCat2 calls nslookup to craft queries. Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally.

Empire UserAgent URI Combo
level
status test

Detects user agent and URI paths used by Empire agents

Remote File Copy
level
status stable

Detects the use of tools that copy files from or to remote systems

Potential Remote Desktop Connection to Non-Domain Host
level
status test

Detects logons using NTLM to hosts that are potentially not part of the domain.

Notepad Making Network Connection
level
status test

Detects suspicious network connection by Notepad

PwnDrp Access
level
status test

Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity

Suspicious LDAP-Attributes Used
level
status test

Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.

Suspicious ADSI-Cache Usage By Unknown Tool
level
status test

Detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger.

PowerShell DownloadFile
level
status test

Detects the execution of PowerShell, a WebClient object creation and the invocation of DownloadFile in a single command line

Curl Start Combination
level
status test

Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.

Silence.EDA Detection
level
status test

Detects Silence empireDNSagent

Cisco Stage Data
level
status test

Various protocols may be used to put data on the device for exfiltration or infiltration

High TXT Records Requests Rate
level
status test

Extremely high rate of TXT record type DNS requests from a host within a short period of time. Possible result of Do-exfiltration tool execution

High NULL Records Requests Rate
level
status test

Extremely high rate of NULL record type DNS requests from a host within a short period of time. Possible result of iodine tool execution

High DNS Requests Rate
level
status experimental

High amount of DNS requests from a host within a short period of time

High DNS Requests Rate
level
status experimental

High amount of DNS requests from a host within a short period of time

Exfiltration and Tunneling Tools Execution
level
status test

Execution of well known tools for data exfiltration and tunneling

Crypto Miner User Agent
level
status test

Detects suspicious user agent strings used by crypto miners in proxy logs

Possible DNS Tunneling
level
status test

Normally, DNS logs contain a limited number of different DNS queries for a single domain. This rule detects a high number of queries for a single domain, which can be an indicator that DNS is used to transfer data.

RDP over Reverse SSH Tunnel WFP
level
status experimental

Detects svchost hosting RDP termsvcs communicating with the loopback address

Chafer Malware URL Pattern
level
status test

Detects HTTP requests used by Chafer malware

Suspicious TSCON Start as SYSTEM
level
status experimental

Detects a tscon.exe start as LOCAL SYSTEM

Suspicious Certutil Command
level
status experimental

Detects a suspicious Microsoft certutil execution with sub commands like ‘decode’, which is sometimes used to decode malicious code with the built-in certutil utility

MsiExec Web Install
level
status test

Detects suspicious msiexec process starts with web addresses as parameter

Command Line Execution with Suspicious URL and AppData Strings
level
status test

Detects a suspicious command line execution that includes a URL and an AppData string in the command line parameters, as used by several droppers (js/vbs > powershell)

CobaltStrike Malleable (OCSP) Profile
level
status test

Detects the Malleable (OCSP) profile with a typo (OSCP) in the URL

Suspicious DNS Query with B64 Encoded String
level
status experimental

Detects suspicious DNS queries using base64 encoding

Cobalt Strike DNS Beaconing
level
status experimental

Detects suspicious DNS queries known from Cobalt Strike beacons

Equation Group C2 Communication
level
status test

Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools

Suspicious Typical Malware Back Connect Ports
level
status test

Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases

Windows WebDAV User Agent
level
status test

Detects the WebDAV download cradle user agent

Windows PowerShell User Agent
level
status test

Detects Windows PowerShell Web Access

Windows Update Client LOLBIN
level
status experimental

Detects code execution via the Windows Update client (wuauclt)

Turla ComRAT
level
status test

Detects Turla ComRAT patterns

Telegram Bot API Request
level
status experimental

Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind

Telegram API Access
level
status test

Detects suspicious requests to Telegram API without the usual Telegram User-Agent

Suspicious User Agent
level
status experimental

Detects suspicious malformed user agent strings in proxy logs

Suspicious Replace.exe Execution
level
status experimental

Replace.exe is used to replace a file with another file

Suspicious Plink Remote Forwarding
level
status experimental

Detects suspicious Plink tunnel remote forwarding to a local port

Suspicious DNS Z Flag Bit Set
level
status experimental

The DNS Z flag is a bit within the DNS protocol header that is, per the IETF design, meant to be reserved (unused). Although it has recently been used in DNSSEC, the value being set to anything other than 0 should be rare. Otherwise, if it is set to non-zero and DNSSEC is being used, then excluding the legitimate domains is low effort and high reward. Determine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one-off or the possibility of larger sensitive file gathering. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs

Suspicious Desktopimgdownldr Command
level
status test

Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet

Suspicious Curl Usage on Windows
level
status test

Detects a suspicious curl process start on Windows that outputs the requested document to a local file

Suspicious Cobalt Strike DNS Beaconing
level
status experimental

Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons

Suspicious C2 Activities
level
status test

Detects suspicious activities as declared by Florian Roth in his ‘Best Practice Auditd Configuration’. This includes the detection of the following commands: wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap. These commands match a few techniques from the tactic “Command and Control”, including, not exhaustively, the following: Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132)

Raw Paste Service Access
level
status test

Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form

PortProxy Registry Key
level
status experimental

Detects the modification of PortProxy registry key which is used for port forwarding. For command execution see rule win_netsh_port_fwd.yml.

Outlook C2 Macro Creation
level
status experimental

Detects the creation of a macro file for Outlook. Goes with win_outlook_c2_registry_key. VbaProject.OTM is explicitly mentioned in T1137. Particularly interesting if both events, registry modification and file creation, happen at the same time.

Ngrok Usage
level
status experimental

Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available. Involved domains are bin.equinox.io for download and *.ngrok.io for connections.

Netsh RDP Port Forwarding
level
status test

Detects netsh commands that configure a port forwarding of port 3389 used for RDP

Netsh Port Forwarding
level
status experimental

Detects netsh commands that configure a port forwarding (PortProxy)

Malware User Agent
level
status test

Detects suspicious user agent strings used by malware in proxy logs

Hijack Legit RDP Session to Move Laterally
level
status test

Detects the usage of tsclient share to place a backdoor on the RDP source machine’s startup folder

Greenbug Campaign Indicators
level
status test

Detects tools and process executions as observed in a Greenbug campaign in May 2020

GfxDownloadWrapper.exe Downloads File from Suspicious URL
level
status test

Detects when GfxDownloadWrapper.exe downloads a file from a non-standard URL

GALLIUM Artefacts
level
status experimental

Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.

Finger.exe Suspicious Invocation
level
status experimental

Detects suspicious execution of the aged finger.exe tool, often used in malware attacks nowadays

File Download with Headless Browser
level
status

This is an unusual method to download files. It starts a browser in headless mode and downloads a file from a location. This can be used by threat actors to download files.

Exploit Framework User Agent
level
status test

Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs

Empty User Agent
level
status test

Detects suspicious empty user agent strings in proxy logs

Download from Suspicious Dyndns Hosts
level
status test

Detects download of certain file types from hosts with dynamic DNS names (selected list)

Domestic Kitten FurBall Malware Pattern
level
status experimental

Detects specific malware patterns used by FurBall malware linked to Iranian Domestic Kitten APT group

DNS TXT Answer with Possible Execution Strings
level
status test

Detects strings used in command execution in DNS TXT Answer

DNS Tunnel Technique from MuddyWater
level
status test

Detects DNS tunnel activity of the MuddyWater actor

CobaltStrike Malformed UAs in Malleable Profiles
level
status experimental

Detects different malformed user agents used in Malleable profiles for Cobalt Strike

BabyShark Agent Pattern
level
status experimental

Detects Baby Shark C2 Framework communication patterns

APT40 Dropbox Tool User Agent
level
status test

Detects suspicious user agent string of APT40 Dropbox tool

APT User Agent
level
status test

Detects suspicious user agent strings used in APT malware in proxy logs

Antivirus Exploitation Framework Detection
level
status test

Detects a highly relevant Antivirus alert that reports an exploitation framework

Activity from Suspicious IP Addresses
level
status experimental

Detects when Microsoft Cloud App Security reports that users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are involved in malicious activities, such as botnet C&C, and may indicate a compromised account.

Activity from Infrequent Country
level
status experimental

Detects when Microsoft Cloud App Security reports an activity from a location that was not recently, or never, visited by any user in the organization.

Activity from Anonymous IP Addresses
level
status experimental

Detects when Microsoft Cloud App Security reports that users were active from an IP address that has been identified as an anonymous proxy IP address.
