Deployable detection rules
2 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Detections
Deprecated - Potential DNS Tunneling via Iodine
Iodine is a tool for tunneling Internet Protocol version 4 (IPv4) traffic over the DNS protocol to circumvent firewalls,
network security groups, and network access lists while evading detection.
Query:
event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:(iodine or iodined)
Deprecated - Potential Protocol Tunneling via Chisel Server
This rule looks for command-line flags commonly used by the Chisel server utility, followed by an accepted inbound
connection from the same process within a timespan of 1 minute. Chisel is a command-line utility used for creating and
managing TCP and UDP tunnels, enabling port forwarding and secure communication between machines. Attackers can abuse
the Chisel utility to establish covert communication channels, bypass network restrictions, and carry out malicious
activities by creating tunnels that allow unauthorized access to internal systems.
Query:
sequence by host.id, process.entity_id with maxspan=1m
  [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
   process.args == "server" and process.args in ("--port", "-p", "--reverse", "--backend", "--socks5") and
   process.args_count >= 3 and process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")]
  [network where host.os.type == "linux" and event.type == "start" and event.action == "connection_accepted" and
   destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" and
   not process.name : (
     "python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk", "java", "telnet",
     "ftp", "socat", "curl", "wget", "dpkg", "docker", "dockerd", "yum", "apt", "rpm", "dnf", "ssh", "sshd", "hugo")]
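The two-stage correlation the Chisel rule describes, re-implemented over constructed ECS-style events as an added example (not the vendor's code or query engine): the two predicate functions mirror the rule's two subqueries, `detect_chisel_sequence` emulates `sequence by host.id, process.entity_id with maxspan=1m`, and the `_ev` factory and `SAMPLE_EVENTS` are assumptions built for this example.

```python
from fnmatch import fnmatch

SHELLS = {"bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish"}
CHISEL_FLAGS = {"--port", "-p", "--reverse", "--backend", "--socks5"}
EXCLUDED = ["python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet",
            "awk", "java", "ftp", "socat", "curl", "wget", "dpkg", "docker", "dockerd", "yum",
            "apt", "rpm", "dnf", "ssh", "sshd", "hugo"]
MAXSPAN = 60  # seconds; the query's maxspan=1m

def is_chisel_server_start(ev):
    """Stage 1: a 'server' launch carrying a tunnelling flag, spawned by an interactive shell."""
    args = ev.get("process.args", [])
    return (ev["event.category"] == "process" and ev["host.os.type"] == "linux"
            and ev["event.type"] == "start" and ev["event.action"] == "exec"
            and "server" in args and bool(CHISEL_FLAGS & set(args)) and len(args) >= 3
            and ev.get("process.parent.name") in SHELLS)

def is_inbound_connection(ev):
    """Stage 2: accepted non-loopback connection by a process not on the benign-listener list."""
    return (ev["event.category"] == "network" and ev["host.os.type"] == "linux"
            and ev["event.type"] == "start" and ev["event.action"] == "connection_accepted"
            and ev.get("destination.ip") not in (None, "127.0.0.1", "::1")
            and not any(fnmatch(ev.get("process.name", ""), p) for p in EXCLUDED))

def detect_chisel_sequence(events):
    """Return (host.id, process.entity_id) pairs where stage 2 follows stage 1 within MAXSPAN."""
    pending, hits = {}, []  # pending: join key -> timestamp of its open stage-1 event
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        key = (ev["host.id"], ev["process.entity_id"])
        if is_chisel_server_start(ev):
            pending[key] = ev["@timestamp"]
        elif key in pending and is_inbound_connection(ev):
            # pop either way: a matching stage 2 completes or expires the open sequence
            if 0 <= ev["@timestamp"] - pending.pop(key) <= MAXSPAN:
                hits.append(key)
    return hits

def _ev(category, host, pid, ts, fields):  # constructed ECS-style event, not a real log record
    return {"@timestamp": ts, "host.id": host, "process.entity_id": pid, "host.os.type": "linux",
            "event.category": category, "event.type": "start",
            "event.action": "exec" if category == "process" else "connection_accepted", **fields}

SAMPLE_EVENTS = [  # constructed sample telemetry; timestamps are seconds from an arbitrary epoch
    _ev("process", "h1", "p1", 0, {"process.args": ["chisel", "server", "--reverse", "--port", "8080"],
                                   "process.parent.name": "bash"}),
    _ev("network", "h1", "p1", 10, {"process.name": "chisel", "destination.ip": "10.0.0.5"}),   # hit
    _ev("process", "h1", "p2", 0, {"process.args": ["chisel", "server", "--socks5"], "process.parent.name": "zsh"}),
    _ev("network", "h1", "p2", 120, {"process.name": "chisel", "destination.ip": "10.0.0.6"}),  # expired
    _ev("process", "h2", "p3", 0, {"process.args": ["chisel", "server", "-p", "9000"], "process.parent.name": "sh"}),
    _ev("network", "h2", "p3", 5, {"process.name": "chisel", "destination.ip": "127.0.0.1"}),   # loopback
]
```

Running `detect_chisel_sequence(SAMPLE_EVENTS)` yields only `("h1", "p1")`: the second pair falls outside the one-minute window and the third accepts on loopback, which the rule excludes.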