Sigma Rules
315 rules found for "command-and-control"
OpenCanary - HTTPPROXY Login Attempt
Detects instances where an HTTPPROXY service on an OpenCanary node has had an attempt to proxy another page.
OpenCanary - Telnet Login Attempt
Detects instances where a Telnet service on an OpenCanary node has had a login attempt.
Antivirus Exploitation Framework Detection
Detects a highly relevant Antivirus alert that reports an exploitation framework. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
Malicious IP Address Sign-In Failure Rate
Indicates sign-in from a malicious IP address based on high failure rates.
Malicious IP Address Sign-In Suspicious
Indicates sign-in from a malicious IP address known to be malicious at time of sign-in.
Sign-In From Malware Infected IP
Indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server.
Activity from Suspicious IP Addresses
Detects when a Microsoft Cloud App Security reported users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate compromised account.
Activity from Anonymous IP Addresses
Detects when a Microsoft Cloud App Security reported when users were active from an IP address that has been identified as an anonymous proxy IP address.
Activity from Infrequent Country
Detects when a Microsoft Cloud App Security reported when an activity occurs from a location that wasn't recently or never visited by any user in the organization.
Okta Security Threat Detected
Detects when an security threat is detected in Okta.
Suspicious C2 Activities
Detects suspicious activities as declared by Florian Roth in its 'Best Practice Auditd Configuration'. This includes the detection of the following commands; wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap. These commands match a few techniques from the tactics "Command and Control", including not exhaustively the following; Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132)
Remote File Copy
Detects the use of tools that copy files from or to remote systems
Wget Creating Files in Tmp Directory
Detects the use of wget to download content in a temporary directory such as "/tmp" or "/var/tmp"
Communication To LocaltoNet Tunneling Service Initiated - Linux
Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet. Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
Communication To Ngrok Tunneling Service - Linux
Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors
Potentially Suspicious Malware Callback Communication - Linux
Detects programs that connect to known malware callback ports based on threat intelligence reports.
Curl Usage on Linux
Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server
Connection Proxy
Detects setting proxy configuration
Potential Linux Amazon SSM Agent Hijacking
Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
Suspicious Curl File Upload - Linux
Detects a suspicious curl process start the adds a file to a web request
Suspicious Curl Change User Agents - Linux
Detects a suspicious curl process start on linux with set useragent options
Download File To Potentially Suspicious Directory Via Wget
Detects the use of wget to download content to a suspicious directory
Hidden Flag Set On File/Directory Via Chflags - MacOS
Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS. When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.
Suspicious Installer Package Child Process
Detects the execution of suspicious child processes from macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters
File Download Via Nscurl - MacOS
Detects the execution of the nscurl utility in order to download files.
Remote Access Tool - Potential MeshAgent Execution - MacOS
Detects potential execution of MeshAgent which is a tool used for remote access. Historical data shows that threat actors rename MeshAgent binary to evade detection. Matching command lines with the '--meshServiceName' argument can indicate that the MeshAgent is being used for remote access.
Remote Access Tool - Renamed MeshAgent Execution - MacOS
Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent. RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management. However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.
Potential In-Memory Download And Compile Of Payloads
Detects potential in-memory downloading and compiling of applets using curl and osacompile as seen used by XCSSET malware
Potential WizardUpdate Malware Infection
Detects the execution traces of the WizardUpdate malware. WizardUpdate is a macOS trojan that attempts to infiltrate macOS machines to steal data and it is associated with other types of malicious payloads, increasing the chances of multiple infections on a device.
Potential XCSSET Malware Infection
Identifies the execution traces of the XCSSET malware. XCSSET is a macOS trojan that primarily spreads via Xcode projects and maliciously modifies applications. Infected users are also vulnerable to having their credentials, accounts, and other vital data stolen.
Cisco Stage Data
Various protocols maybe used to put data on the device for exfil or infil
Cobalt Strike DNS Beaconing
Detects suspicious DNS queries known from Cobalt Strike beacons
Suspicious DNS Query with B64 Encoded String
Detects suspicious DNS queries using base64 encoding
Telegram Bot API Request
Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind
DNS TXT Answer with Possible Execution Strings
Detects strings used in command execution in DNS TXT Answer
Wannacry Killswitch Domain
Detects wannacry killswitch domain dns queries
Default Cobalt Strike Certificate
Detects the presence of default Cobalt Strike certificate in the HTTPS traffic
New Kind of Network (NKN) Detection
NKN is a networking service using blockchain technology to support a decentralized network of peers. While there are legitimate uses for it, it can also be used as a C2 channel. This rule looks for a DNS request to the ma>
Suspicious DNS Z Flag Bit Set
The DNS Z flag is bit within the DNS protocol header that is, per the IETF design, meant to be used reserved (unused). Although recently it has been used in DNSSec, the value being set to anything other than 0 should be rare. Otherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward. Determine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one off or the possibility of larger sensitive file gathering. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs'
Executable from Webdav
Detects executable access via webdav6. Can be seen in APT 29 such as from the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/
HTTP Request to Low Reputation TLD or Suspicious File Extension
Detects HTTP requests to low reputation TLDs (e.g. .xyz, .top, .ru) or ending in suspicious file extensions (.exe, .dll, .hta), which may indicate malicious activity.
Windows WebDAV User Agent
Detects WebDav DownloadCradle
Download from Suspicious Dyndns Hosts
Detects download of certain file types from hosts with dynamic DNS names (selected list)
HackTool - BabyShark Agent Default URL Pattern
Detects Baby Shark C2 Framework default communication patterns
HackTool - CobaltStrike Malleable Profile Patterns - Proxy
Detects cobalt strike malleable profiles patterns (URI, User-Agents, Methods).
HackTool - Empire UserAgent URI Combo
Detects user agent and URI paths used by empire agents
PwnDrp Access
Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity
Raw Paste Service Access
Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form