Rule Library

Sigma Rules

3 rules found for "citron_ninja"

3,707Total

3,116Detection

451Emerging

137Hunting

Filters

Type

Severity

Status

Product

DNS Query To Devtunnels Domain

Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

WindowsDNS Query

TA0011 · Command and ControlT1071.001 · Web ProtocolsT1572 · Protocol Tunneling

citron_ninjaWed Oct 25windows

Detectionmediumtest

DNS Query To Visual Studio Code Tunnels Domain

Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

WindowsDNS Query

TA0011 · Command and ControlT1071.001 · Web Protocols

citron_ninjaWed Oct 25windows

Detectionmediumtest

Visual Studio Code Tunnel Execution

Detects Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel

WindowsProcess Creation

TA0011 · Command and ControlT1071.001 · Web ProtocolsT1219 · Remote Access Software

Nasreddine Bencherchali (Nextron Systems)+1Wed Oct 25windows