Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Detects Silence EmpireDNSAgent as described in the Group-IP report
status testauthor Alina Stepchenkova, Group-IB, oscd.communityid 3ceb2083-a27f-449a-be33-14ec1b7cc973
view Sigma YAML
title: Silence.EDA Detection
id: 3ceb2083-a27f-449a-be33-14ec1b7cc973
status: test
description: Detects Silence EmpireDNSAgent as described in the Group-IP report
references:
- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf
author: Alina Stepchenkova, Group-IB, oscd.community
date: 2019-11-01
modified: 2023-04-03
tags:
- attack.execution
- attack.t1059.001
- attack.command-and-control
- attack.t1071.004
- attack.t1572
- attack.impact
- attack.t1529
- attack.g0091
- attack.s0363
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
empire:
# better to randomise the order
ScriptBlockText|contains|all:
- 'System.Diagnostics.Process'
- 'Stop-Computer'
- 'Restart-Computer'
- 'Exception in execution'
- '$cmdargs'
- 'Close-Dnscat2Tunnel'
dnscat:
# better to randomise the order
ScriptBlockText|contains|all:
- 'set type=$LookupType`nserver'
- '$Command | nslookup 2>&1 | Out-String'
- 'New-RandomDNSField'
- '[Convert]::ToString($SYNOptions, 16)'
- '$Session.Dead = $True'
- '$Session["Driver"] -eq'
condition: empire and dnscat
falsepositives:
- Unknown
level: critical
high
Communication To LocaltoNet Tunneling Service Initiated
Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains.
LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet.
Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
status testauthor Andreas Braathen (mnemonic.io)id 3ab65069-d82a-4d44-a759-466661a082d1
view Sigma YAML
title: Communication To LocaltoNet Tunneling Service Initiated
id: 3ab65069-d82a-4d44-a759-466661a082d1
status: test
description: |
Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains.
LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet.
Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
references:
- https://localtonet.com/documents/supported-tunnels
- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications
author: Andreas Braathen (mnemonic.io)
date: 2024-06-17
tags:
- attack.command-and-control
- attack.t1572
- attack.t1090
- attack.t1102
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationHostname|endswith:
- '.localto.net'
- '.localtonet.com'
Initiated: 'true'
condition: selection
falsepositives:
- Legitimate use of the LocaltoNet service.
level: high
high
Communication To LocaltoNet Tunneling Service Initiated - Linux
Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains.
LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet.
Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
status testauthor Andreas Braathen (mnemonic.io)id c4568f5d-131f-4e78-83d4-45b2da0ec4f1
view Sigma YAML
title: Communication To LocaltoNet Tunneling Service Initiated - Linux
id: c4568f5d-131f-4e78-83d4-45b2da0ec4f1
status: test
description: |
Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains.
LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet.
Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
references:
- https://localtonet.com/documents/supported-tunnels
- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications
author: Andreas Braathen (mnemonic.io)
date: 2024-06-17
tags:
- attack.command-and-control
- attack.t1572
- attack.t1090
- attack.t1102
logsource:
category: network_connection
product: linux
detection:
selection:
DestinationHostname|endswith:
- '.localto.net'
- '.localtonet.com'
Initiated: 'true'
condition: selection
falsepositives:
- Legitimate use of the LocaltoNet service.
level: high
high
Communication To Ngrok Tunneling Service - Linux
Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors
status testauthor Florian Roth (Nextron Systems)id 19bf6fdb-7721-4f3d-867f-53467f6a5db6
view Sigma YAML
title: Communication To Ngrok Tunneling Service - Linux
id: 19bf6fdb-7721-4f3d-867f-53467f6a5db6
status: test
description: Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors
references:
- https://twitter.com/hakluke/status/1587733971814977537/photo/1
- https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent
author: Florian Roth (Nextron Systems)
date: 2022-11-03
tags:
- attack.exfiltration
- attack.command-and-control
- attack.t1567
- attack.t1568.002
- attack.t1572
- attack.t1090
- attack.t1102
- attack.s0508
logsource:
product: linux
category: network_connection
detection:
selection:
DestinationHostname|contains:
- 'tunnel.us.ngrok.com'
- 'tunnel.eu.ngrok.com'
- 'tunnel.ap.ngrok.com'
- 'tunnel.au.ngrok.com'
- 'tunnel.sa.ngrok.com'
- 'tunnel.jp.ngrok.com'
- 'tunnel.in.ngrok.com'
condition: selection
falsepositives:
- Legitimate use of ngrok
level: high
high
Communication To Ngrok Tunneling Service Initiated
Detects an executable initiating a network connection to "ngrok" tunneling domains.
Attackers were seen using this "ngrok" in order to store their second stage payloads and malware.
While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.
status testauthor Florian Roth (Nextron Systems)id 1d08ac94-400d-4469-a82f-daee9a908849
view Sigma YAML
title: Communication To Ngrok Tunneling Service Initiated
id: 1d08ac94-400d-4469-a82f-daee9a908849
related:
- id: 18249279-932f-45e2-b37a-8925f2597670
type: similar
status: test
description: |
Detects an executable initiating a network connection to "ngrok" tunneling domains.
Attackers were seen using this "ngrok" in order to store their second stage payloads and malware.
While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.
references:
- https://twitter.com/hakluke/status/1587733971814977537/photo/1
- https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent
author: Florian Roth (Nextron Systems)
date: 2022-11-03
modified: 2024-02-02
tags:
- attack.exfiltration
- attack.command-and-control
- attack.t1567
- attack.t1568.002
- attack.t1572
- attack.t1090
- attack.t1102
- attack.s0508
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationHostname|contains:
- 'tunnel.us.ngrok.com'
- 'tunnel.eu.ngrok.com'
- 'tunnel.ap.ngrok.com'
- 'tunnel.au.ngrok.com'
- 'tunnel.sa.ngrok.com'
- 'tunnel.jp.ngrok.com'
- 'tunnel.in.ngrok.com'
condition: selection
falsepositives:
- Legitimate use of the ngrok service.
level: high
high
PUA - 3Proxy Execution
Detects the use of 3proxy, a tiny free proxy server
status testauthor Florian Roth (Nextron Systems)id f38a82d2-fba3-4781-b549-525efbec8506
view Sigma YAML
title: PUA - 3Proxy Execution
id: f38a82d2-fba3-4781-b549-525efbec8506
status: test
description: Detects the use of 3proxy, a tiny free proxy server
references:
- https://github.com/3proxy/3proxy
- https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
author: Florian Roth (Nextron Systems)
date: 2022-09-13
modified: 2023-02-21
tags:
- attack.command-and-control
- attack.t1572
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith: '\3proxy.exe'
selection_pe:
Description: '3proxy - tiny proxy server'
selection_params: # param combos seen in the wild
CommandLine|contains: '.exe -i127.0.0.1 -p'
condition: 1 of selection_*
falsepositives:
- Administrative activity
level: high
high
PUA - Ngrok Execution
Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available.
Involved domains are bin.equinox.io for download and *.ngrok.io for connections.
status testauthor Florian Roth (Nextron Systems)id ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31
view Sigma YAML
title: PUA - Ngrok Execution
id: ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31
status: test
description: |
Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available.
Involved domains are bin.equinox.io for download and *.ngrok.io for connections.
references:
- https://ngrok.com/docs
- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
- https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp
- https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection
- https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/
- https://twitter.com/xorJosh/status/1598646907802451969
- https://www.softwaretestinghelp.com/how-to-use-ngrok/
author: Florian Roth (Nextron Systems)
date: 2021-05-14
modified: 2023-02-21
tags:
- attack.command-and-control
- attack.t1572
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine|contains:
- ' tcp 139'
- ' tcp 445'
- ' tcp 3389'
- ' tcp 5985'
- ' tcp 5986'
selection2:
CommandLine|contains|all:
- ' start '
- '--all'
- '--config'
- '.yml'
selection3:
Image|endswith: 'ngrok.exe'
CommandLine|contains:
- ' tcp '
- ' http '
- ' authtoken '
selection4:
CommandLine|contains:
- '.exe authtoken '
- '.exe start --all'
condition: 1 of selection*
falsepositives:
- Another tool that uses the command line switches of Ngrok
- Ngrok http 3978 (https://learn.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0)
level: high
high
Potential RDP Tunneling Via Plink
Execution of plink to perform data exfiltration and tunneling
status testauthor Florian Roth (Nextron Systems)id f38ce0b9-5e97-4b47-a211-7dc8d8b871da
view Sigma YAML
title: Potential RDP Tunneling Via Plink
id: f38ce0b9-5e97-4b47-a211-7dc8d8b871da
related:
- id: f7d7ebd5-a016-46e2-9c54-f9932f2d386d # ssh.exe
type: similar
status: test
description: Execution of plink to perform data exfiltration and tunneling
references:
- https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
author: Florian Roth (Nextron Systems)
date: 2022-08-04
modified: 2023-01-27
tags:
- attack.command-and-control
- attack.t1572
logsource:
category: process_creation
product: windows
detection:
selection_a:
Image|endswith: '\plink.exe'
CommandLine|contains: ':127.0.0.1:3389'
selection_b1:
Image|endswith: '\plink.exe'
CommandLine|contains: ':3389'
selection_b2:
CommandLine|contains:
- ' -P 443'
- ' -P 22'
condition: selection_a or all of selection_b*
falsepositives:
- Unknown
level: high
high
Potential RDP Tunneling Via SSH
Execution of ssh.exe to perform data exfiltration and tunneling through RDP
status testauthor Nasreddine Bencherchali (Nextron Systems)id f7d7ebd5-a016-46e2-9c54-f9932f2d386d
view Sigma YAML
title: Potential RDP Tunneling Via SSH
id: f7d7ebd5-a016-46e2-9c54-f9932f2d386d
related:
- id: f38ce0b9-5e97-4b47-a211-7dc8d8b871da # plink.exe
type: similar
status: test
description: Execution of ssh.exe to perform data exfiltration and tunneling through RDP
references:
- https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-12
modified: 2023-01-25
tags:
- attack.command-and-control
- attack.t1572
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\ssh.exe'
CommandLine|contains: ':3389'
condition: selection
falsepositives:
- Unknown
level: high
high
Process Initiated Network Connection To Ngrok Domain
Detects an executable initiating a network connection to "ngrok" domains.
Attackers were seen using this "ngrok" in order to store their second stage payloads and malware.
While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.
status testauthor Florian Roth (Nextron Systems)id 18249279-932f-45e2-b37a-8925f2597670
view Sigma YAML
title: Process Initiated Network Connection To Ngrok Domain
id: 18249279-932f-45e2-b37a-8925f2597670
related:
- id: 1d08ac94-400d-4469-a82f-daee9a908849
type: similar
status: test
description: |
Detects an executable initiating a network connection to "ngrok" domains.
Attackers were seen using this "ngrok" in order to store their second stage payloads and malware.
While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.
references:
- https://ngrok.com/
- https://ngrok.com/blog-post/new-ngrok-domains
- https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/
- https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf
author: Florian Roth (Nextron Systems)
date: 2022-07-16
modified: 2025-07-30
tags:
- attack.exfiltration
- attack.command-and-control
- attack.t1567
- attack.t1572
- attack.t1102
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
DestinationHostname|endswith:
- '.ngrok-free.app'
- '.ngrok-free.dev'
- '.ngrok.app'
- '.ngrok.dev'
- '.ngrok.io'
condition: selection
falsepositives:
- Legitimate use of the ngrok service.
# Note: The level of this rule is related to your internal policy.
level: high
high
RDP Over Reverse SSH Tunnel
Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
status testauthor Samir Bousseadenid 5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4
view Sigma YAML
title: RDP Over Reverse SSH Tunnel
id: 5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4
status: test
description: Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
references:
- https://twitter.com/cyb3rops/status/1096842275437625346
author: Samir Bousseaden
date: 2019-02-16
modified: 2024-03-12
tags:
- attack.command-and-control
- attack.t1572
- attack.lateral-movement
- attack.t1021.001
- car.2013-07-002
logsource:
category: network_connection
product: windows
detection:
selection_img:
Image|endswith: '\svchost.exe'
Initiated: 'true'
SourcePort: 3389
selection_destination:
DestinationIp|cidr:
- '127.0.0.0/8'
- '::1/128'
condition: all of selection_*
falsepositives:
- Unknown
level: high
high
RDP to HTTP or HTTPS Target Ports
Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443
status testauthor Florian Roth (Nextron Systems)id b1e5da3b-ca8e-4adf-915c-9921f3d85481
view Sigma YAML
title: RDP to HTTP or HTTPS Target Ports
id: b1e5da3b-ca8e-4adf-915c-9921f3d85481
status: test
description: Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443
references:
- https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg
- https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling
author: Florian Roth (Nextron Systems)
date: 2022-04-29
modified: 2022-07-14
tags:
- attack.command-and-control
- attack.t1572
- attack.lateral-movement
- attack.t1021.001
- car.2013-07-002
logsource:
category: network_connection
product: windows
detection:
selection:
Image|endswith: '\svchost.exe'
Initiated: 'true'
SourcePort: 3389
DestinationPort:
- 80
- 443
condition: selection
falsepositives:
- Unknown
level: high
high
Suspicious Plink Port Forwarding
Detects suspicious Plink tunnel port forwarding to a local port
status testauthor Florian Roth (Nextron Systems)id 48a61b29-389f-4032-b317-b30de6b95314
view Sigma YAML
title: Suspicious Plink Port Forwarding
id: 48a61b29-389f-4032-b317-b30de6b95314
status: test
description: Detects suspicious Plink tunnel port forwarding to a local port
references:
- https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/
- https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d
author: Florian Roth (Nextron Systems)
date: 2021-01-19
modified: 2022-10-09
tags:
- attack.command-and-control
- attack.t1572
- attack.lateral-movement
- attack.t1021.001
logsource:
category: process_creation
product: windows
detection:
selection:
Description: 'Command-line SSH, Telnet, and Rlogin client'
CommandLine|contains: ' -R '
condition: selection
falsepositives:
- Administrative activity using a remote port forwarding to a local port
level: high
medium
Cloudflared Tunnel Connections Cleanup
Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to cleanup tunnel connections.
status testauthor Nasreddine Bencherchali (Nextron Systems)id 7050bba1-1aed-454e-8f73-3f46f09ce56a
view Sigma YAML
title: Cloudflared Tunnel Connections Cleanup
id: 7050bba1-1aed-454e-8f73-3f46f09ce56a
status: test
description: Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to cleanup tunnel connections.
references:
- https://github.com/cloudflare/cloudflared
- https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-17
modified: 2023-12-21
tags:
- attack.command-and-control
- attack.t1102
- attack.t1090
- attack.t1572
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- ' tunnel '
- 'cleanup '
CommandLine|contains:
- '-config '
- '-connector-id '
condition: selection
falsepositives:
- Legitimate usage of Cloudflared.
level: medium
medium
Cloudflared Tunnel Execution
Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.
status testauthor Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)id 9a019ffc-3580-4c9d-8d87-079f7e8d3fd4
view Sigma YAML
title: Cloudflared Tunnel Execution
id: 9a019ffc-3580-4c9d-8d87-079f7e8d3fd4
status: test
description: Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.
references:
- https://blog.reconinfosec.com/emergence-of-akira-ransomware-group
- https://github.com/cloudflare/cloudflared
- https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
author: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-17
modified: 2023-12-20
tags:
- attack.command-and-control
- attack.t1102
- attack.t1090
- attack.t1572
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- ' tunnel '
- ' run '
CommandLine|contains:
- '-config '
- '-credentials-contents '
- '-credentials-file '
- '-token '
condition: selection
falsepositives:
- Legitimate usage of Cloudflared tunnel.
level: medium
medium
Cloudflared Tunnels Related DNS Requests
Detects DNS requests to Cloudflared tunnels domains.
Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
status testauthor Nasreddine Bencherchali (Nextron Systems)id a1d9eec5-33b2-4177-8d24-27fe754d0812
view Sigma YAML
title: Cloudflared Tunnels Related DNS Requests
id: a1d9eec5-33b2-4177-8d24-27fe754d0812
related:
- id: 7cd1dcdc-6edf-4896-86dc-d1f19ad64903
type: similar
status: test
description: |
Detects DNS requests to Cloudflared tunnels domains.
Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
references:
- https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-12-20
tags:
- attack.command-and-control
- attack.t1071.001
- attack.t1572
logsource:
category: dns_query
product: windows
detection:
selection:
QueryName|endswith:
- '.v2.argotunnel.com'
- 'protocol-v2.argotunnel.com'
- 'trycloudflare.com'
- 'update.argotunnel.com'
condition: selection
falsepositives:
- Legitimate use of cloudflare tunnels will also trigger this.
level: medium
medium
DNS Query To Devtunnels Domain
Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
status testauthor citron_ninjaid 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b
view Sigma YAML
title: DNS Query To Devtunnels Domain
id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b
related:
- id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 # Net Connection DevTunnels
type: similar
- id: 4b657234-038e-4ad5-997c-4be42340bce4 # Net Connection VsCode
type: similar
- id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 # DNS VsCode
type: similar
status: test
description: |
Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
references:
- https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2
- https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security
- https://cydefops.com/devtunnels-unleashed
author: citron_ninja
date: 2023-10-25
modified: 2023-11-20
tags:
- attack.command-and-control
- attack.t1071.001
- attack.t1572
logsource:
category: dns_query
product: windows
detection:
selection:
QueryName|endswith: '.devtunnels.ms'
condition: selection
falsepositives:
- Legitimate use of Devtunnels will also trigger this.
level: medium
medium
Network Connection Initiated To BTunnels Domains
Detects network connections to BTunnels domains initiated by a process on the system.
Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
status testauthor Kamran Saifullahid 9e02c8ec-02b9-43e8-81eb-34a475ba7965
view Sigma YAML
title: Network Connection Initiated To BTunnels Domains
id: 9e02c8ec-02b9-43e8-81eb-34a475ba7965
status: test
description: |
Detects network connections to BTunnels domains initiated by a process on the system.
Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
references:
- https://defr0ggy.github.io/research/Utilizing-BTunnel-For-Data-Exfiltration/
author: Kamran Saifullah
date: 2024-09-13
tags:
- attack.exfiltration
- attack.command-and-control
- attack.t1567
- attack.t1572
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
DestinationHostname|endswith: '.btunnel.co.in'
condition: selection
falsepositives:
- Legitimate use of BTunnels will also trigger this.
level: medium
medium
Network Connection Initiated To Cloudflared Tunnels Domains
Detects network connections to Cloudflared tunnels domains initiated by a process on the system.
Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
status testauthor Kamran Saifullah, Nasreddine Bencherchali (Nextron Systems)id 7cd1dcdc-6edf-4896-86dc-d1f19ad64903
view Sigma YAML
title: Network Connection Initiated To Cloudflared Tunnels Domains
id: 7cd1dcdc-6edf-4896-86dc-d1f19ad64903
related:
- id: a1d9eec5-33b2-4177-8d24-27fe754d0812
type: derived
status: test
description: |
Detects network connections to Cloudflared tunnels domains initiated by a process on the system.
Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
references:
- https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/
- https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
- Internal Research
author: Kamran Saifullah, Nasreddine Bencherchali (Nextron Systems)
date: 2024-05-27
tags:
- attack.exfiltration
- attack.command-and-control
- attack.t1567
- attack.t1572
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
DestinationHostname|endswith:
- '.v2.argotunnel.com'
- 'protocol-v2.argotunnel.com'
- 'trycloudflare.com'
- 'update.argotunnel.com'
condition: selection
falsepositives:
- Legitimate use of cloudflare tunnels will also trigger this.
level: medium
medium
Network Connection Initiated To DevTunnels Domain
Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
status testauthor Kamran Saifullahid 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4
view Sigma YAML
title: Network Connection Initiated To DevTunnels Domain
id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4
related:
- id: 4b657234-038e-4ad5-997c-4be42340bce4 # Net Connection VsCode
type: similar
- id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 # DNS VsCode
type: similar
- id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels
type: similar
status: test
description: |
Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
references:
- https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2
- https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security
- https://cydefops.com/devtunnels-unleashed
author: Kamran Saifullah
date: 2023-11-20
tags:
- attack.exfiltration
- attack.command-and-control
- attack.t1567.001
- attack.t1572
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
DestinationHostname|endswith: '.devtunnels.ms'
condition: selection
falsepositives:
- Legitimate use of Devtunnels will also trigger this.
level: medium
medium
Network Connection Initiated To Visual Studio Code Tunnels Domain
Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
status testauthor Kamran Saifullahid 4b657234-038e-4ad5-997c-4be42340bce4
view Sigma YAML
title: Network Connection Initiated To Visual Studio Code Tunnels Domain
id: 4b657234-038e-4ad5-997c-4be42340bce4
related:
- id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 # Net Connection DevTunnels
type: similar
- id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 # DNS VsCode
type: similar
- id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels
type: similar
status: test
description: |
Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
references:
- https://ipfyx.fr/post/visual-studio-code-tunnel/
- https://badoption.eu/blog/2023/01/31/code_c2.html
- https://cydefops.com/vscode-data-exfiltration
author: Kamran Saifullah
date: 2023-11-20
tags:
- attack.exfiltration
- attack.command-and-control
- attack.t1567
- attack.t1572
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
DestinationHostname|endswith: '.tunnels.api.visualstudio.com'
condition: selection
falsepositives:
- Legitimate use of Visual Studio Code tunnel will also trigger this.
level: medium
medium
Port Forwarding Activity Via SSH.EXE
Detects port forwarding activity via SSH.exe
status testauthor Nasreddine Bencherchali (Nextron Systems)id 327f48c1-a6db-4eb8-875a-f6981f1b0183
view Sigma YAML
title: Port Forwarding Activity Via SSH.EXE
id: 327f48c1-a6db-4eb8-875a-f6981f1b0183
status: test
description: Detects port forwarding activity via SSH.exe
references:
- https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-12
modified: 2024-03-05
tags:
- attack.command-and-control
- attack.lateral-movement
- attack.t1572
- attack.t1021.001
- attack.t1021.004
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\ssh.exe'
CommandLine|contains|windash: ' -R '
condition: selection
falsepositives:
- Administrative activity using a remote port forwarding to a local port
level: medium
medium
Potentially Suspicious Usage Of Qemu
Detects potentially suspicious execution of the Qemu utility in a Windows environment.
Threat actors have leveraged this utility and this technique for achieving network access as reported by Kaspersky.
status testauthor Muhammad Faisal (@faisalusuf), Hunter Juhan (@threatHNTR)id 5fc297ae-25b6-488a-8f25-cc12ac29b744
view Sigma YAML
title: Potentially Suspicious Usage Of Qemu
id: 5fc297ae-25b6-488a-8f25-cc12ac29b744
status: test
description: |
Detects potentially suspicious execution of the Qemu utility in a Windows environment.
Threat actors have leveraged this utility and this technique for achieving network access as reported by Kaspersky.
references:
- https://securelist.com/network-tunneling-with-qemu/111803/
- https://www.qemu.org/docs/master/system/invocation.html#hxtool-5
author: Muhammad Faisal (@faisalusuf), Hunter Juhan (@threatHNTR)
date: 2024-06-03
tags:
- attack.command-and-control
- attack.t1090
- attack.t1572
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- '-m 1M' # VM with just 1MB of ram is insufficient this is a suspicious flag
- '-m 2M'
- '-m 3M'
CommandLine|contains|all:
- 'restrict=off'
- '-netdev '
- 'connect='
- '-nographic' # This is also a key detection no one invoke without UI from console usually its a flag.
filter_main_normal_usecase:
CommandLine|contains:
- ' -cdrom ' # Normal usage cases
- ' type=virt '
- ' -blockdev '
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium