Emerging Threathightest

ComRAT Network Communication

Detects Turla ComRAT network communication.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Florian Roth (Nextron Systems)Created Tue May 26Updated Mon Feb 267857f021-007f-4928-8b2c-7aedbe64bb822020

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

Proxy Log

CategoryProxy Log← raw: proxy

Detection Logic

detection:
    selection:
        c-uri|contains: '/index/index.php\?h='
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

Sub-techniques

Groups

Other

detection.emerging-threats

Rule Metadata

Rule ID

7857f021-007f-4928-8b2c-7aedbe64bb82

Status

test

Level

high

Type

Emerging Threat

Created

Tue May 26

Modified

Mon Feb 26

Author

Path

rules-emerging-threats/2020/Malware/ComRAT/proxy_malware_comrat_network_indicators.yml

Raw Tags

attack.defense-evasionattack.command-and-controlattack.t1071.001attack.g0010detection.emerging-threats