Threat Huntmediumtest

Tunneling Tool Execution

Detects the execution of well known tools that can be abused for data exfiltration and tunneling.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Daniil Yugoslavskiy, oscd.communityCreated Thu Oct 24Updated Thu Jan 18c75309a3-59f8-4a8d-9c2c-4c927ad50555windows

Hunting Hypothesis

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        Image|endswith:
            - '\httptunnel.exe'
            - '\plink.exe'
            - '\socat.exe'
            - '\stunnel.exe'
    condition: selection

False Positives

Legitimate administrators using one of these tools

References

Resolving title…

microsoft.com

MITRE ATT&CK

Tactics

TA0010 · Exfiltration TA0011 · Command and Control

Techniques

T1041 · Exfiltration Over C2 Channel T1572 · Protocol Tunneling

Sub-techniques

T1071.001 · Web Protocols

Other

detection.threat-hunting

Rule Metadata

Rule ID

c75309a3-59f8-4a8d-9c2c-4c927ad50555

Status

test

Level

medium

Type

Threat Hunt

Created

Thu Oct 24

Modified

Thu Jan 18

Author

Daniil Yugoslavskiy, oscd.community

Path

rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml

Raw Tags

attack.exfiltrationattack.command-and-controlattack.t1041attack.t1572attack.t1071.001detection.threat-hunting

View on GitHub