Detection | medium | test

Network Connection Initiated To BTunnels Domains

Detects network connections to BTunnels domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

Author
Kamran Saifullah
Created
Fri Sep 13
Rule ID
9e02c8ec-02b9-43e8-81eb-34a475ba7965
Product
windows
Log Source
Product
Windows (raw: windows)
Category
Network Connection (raw: network_connection)

Events for outbound and inbound network connections including DNS resolution.

Detection Logic
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith: '.btunnel.co.in'
    condition: selection
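To show what the selection above actually matches against Sysmon-style network connection events (Event ID 3), here is an added Python example that is not part of the rule or of the Sigma project; the sample events and the Image paths in them are constructed for illustration.

```python
"""Apply the rule's selection to Sysmon-style network connection events.
Added example; sample events are constructed, not taken from the page."""
from typing import Dict, List

# Field values copied from the rule's selection block.
RULE_INITIATED = "true"
RULE_SUFFIX = ".btunnel.co.in"

def matches_rule(event: Dict[str, str]) -> bool:
    """Return True when the event satisfies the rule's `selection`.

    Sigma string matching is case-insensitive unless the `cased` modifier
    is used, so both fields are compared after lowercasing. `endswith`
    requires the suffix at the end of the value, not merely inside it.
    """
    initiated = str(event.get("Initiated", "")).lower() == RULE_INITIATED
    host = str(event.get("DestinationHostname", "")).lower()
    return initiated and host.endswith(RULE_SUFFIX)

def matching_events(events: List[Dict[str, str]]) -> List[str]:
    """Return the Image of every event the rule would alert on, in order."""
    return [e["Image"] for e in events if matches_rule(e)]

# Constructed sample events in the shape of Sysmon Event ID 3 fields.
SAMPLE_EVENTS = [
    # Outbound tunnel connection: matches.
    {"Image": r"C:\Users\alice\btunnel.exe", "Initiated": "true",
     "DestinationHostname": "abc123.btunnel.co.in"},
    # Same domain in mixed case: still matches (case-insensitive compare).
    {"Image": r"C:\Windows\Temp\svc.exe", "Initiated": "True",
     "DestinationHostname": "Xyz.BTunnel.Co.In"},
    # Inbound connection: Initiated is false, so no match.
    {"Image": r"C:\Windows\System32\svchost.exe", "Initiated": "false",
     "DestinationHostname": "abc123.btunnel.co.in"},
    # Look-alike name where the suffix is not at the end: no match.
    {"Image": r"C:\Program Files\App\app.exe", "Initiated": "true",
     "DestinationHostname": "btunnel.co.in.example.org"},
    # Ordinary outbound traffic: no match.
    {"Image": r"C:\Program Files\Browser\browser.exe", "Initiated": "true",
     "DestinationHostname": "www.example.com"},
]

if __name__ == "__main__":
    for image in matching_events(SAMPLE_EVENTS):
        print("ALERT: Network Connection Initiated To BTunnels Domains:", image)
```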
False Positives

Legitimate use of BTunnels will also trigger this.

Rule Metadata
Rule ID
9e02c8ec-02b9-43e8-81eb-34a475ba7965
Status
test
Level
medium
Type
Detection
Created
Fri Sep 13
Path
rules/windows/network_connection/net_connection_win_domain_btunnels.yml
Raw Tags
attack.exfiltration, attack.command-and-control, attack.t1567, attack.t1572