Merge PR SigmaHQ#5003 from @deFr0ggy - Add `Network Connection Initia…

…ted To BTunnels Domains` new: Network Connection Initiated To BTunnels Domains --------- Co-authored-by: frack113 <[email protected]> Co-authored-by: nasbench <[email protected]>
SavinSpring · Sep 13, 2024 · 71be3c7 · 71be3c7
1 parent fedc6f4
commit 71be3c7
Showing 1 changed file with 24 additions and 0 deletions.
diff --git a/rules/windows/network_connection/net_connection_win_domain_btunnels.yml b/rules/windows/network_connection/net_connection_win_domain_btunnels.yml
@@ -0,0 +1,24 @@
+title: Network Connection Initiated To BTunnels Domains
+id: 9e02c8ec-02b9-43e8-81eb-34a475ba7965
+status: experimental
+description: |
+    Detects network connections to BTunnels domains initiated by a process on the system.
+    Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
+references:
+    - https://defr0ggy.github.io/research/Utilizing-BTunnel-For-Data-Exfiltration/
+author: Kamran Saifullah
+date: 2024-09-13
+tags:
+    - attack.exfiltration
+    - attack.t1567.001
+logsource:
+    category: network_connection
+    product: windows
+detection:
+    selection:
+        Initiated: 'true'
+        DestinationHostname|endswith: '.btunnel.co.in'
+    condition: selection
+falsepositives:
+    - Legitimate use of BTunnels will also trigger this.
+level: medium