Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

PUA - Chisel Tunneling Tool Execution

Detects usage of the Chisel tunneling tool via the commandline arguments

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Florian Roth (Nextron Systems)Created Tue Sep 13Updated Mon Feb 138b0e12da-d3c3-49db-bb4f-256703f380e5windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic3 selectors
detection:
    selection_img:
        Image|endswith: '\chisel.exe'
    selection_param1:
        CommandLine|contains:
            - 'exe client '
            - 'exe server '
    selection_param2:
        CommandLine|contains:
            - '-socks5'
            - '-reverse'
            - ' r:'
            - ':127.0.0.1:'
            - '-tls-skip-verify '
            - ':socks'
    condition: selection_img or all of selection_param*
False Positives

Some false positives may occur with other tools with similar commandlines

References
1
Resolving title…
github.com
2
Resolving title…
arcticwolf.com
3
Resolving title…
blog.sekoia.io
MITRE ATT&CK
Related Rules
SimilarDetectionhigh

HackTool - SharpChisel Execution

Detects usage of the Sharp Chisel via the commandline arguments

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata
Rule ID
8b0e12da-d3c3-49db-bb4f-256703f380e5
Status
test
Level
high
Type
Detection
Created
Tue Sep 13
Modified
Mon Feb 13
Author
Florian Roth (Nextron Systems)
Path
rules/windows/process_creation/proc_creation_win_pua_chisel.yml
Raw Tags
attack.command-and-controlattack.t1090.001
View on GitHub