Potential Etherhiding C2 via Blockchain Connection
Detects a scripting interpreter on macOS (a Unix shell, osascript, node, python, ruby, perl, tclsh, or the Cursor editor) making an outbound network connection to an Ethereum blockchain endpoint, followed within 15 seconds by the same process modifying a .js, .py or .sh file. Adversaries may leverage Ethereum blockchain infrastructure as a covert C2 channel to receive commands and exfiltrate data, as observed in campaigns like SleepyDuck malware.
Elastic rule
```toml
[metadata]
creation_date = "2026/01/30"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/02/03"

[rule]
author = ["Elastic"]
description = """
Detects when a scripting interpreter makes an outbound network connection to an Ethereum blockchain endpoint
for command and control purposes. Adversaries may leverage Ethereum blockchain infrastructure as a covert C2
channel to receive commands and exfiltrate data, as observed in campaigns like SleepyDuck malware.
"""
from = "now-9m"
index = ["logs-endpoint.events.network-*", "logs-endpoint.events.file-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Etherhiding C2 via Blockchain Connection"
references = [
    "https://secureannex.com/blog/sleepyduck-malware/"
]
risk_score = 73
rule_id = "bba8c7d1-172b-435d-9034-02ed9289c628"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Command and Control",
    "Tactic: Execution",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide"
]
type = "eql"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential Etherhiding C2 via Blockchain Connection

Etherhiding is a command and control technique where threat actors store malicious configurations, commands, or payload URLs in smart-contract state or transactions on platforms like Ethereum or Binance Smart Chain. This gives a resilient, takedown-resistant C2 infrastructure: data already written to the chain cannot be removed or altered by a third party, yet the attacker can still change what the contract returns by submitting a new transaction, so the payload location can be rotated without touching any server a defender could seize. This detection rule identifies script interpreters connecting to blockchain API endpoints and then modifying a script file within 15 seconds, which is consistent with attacker-controlled data being fetched from the chain and written to disk.

### Possible investigation steps

- Review the process.name and process.executable fields to identify which application is making blockchain API requests and assess whether cryptocurrency or Web3 functionality is expected on this system.
- Examine the destination.domain and dns.question.name fields to identify the specific blockchain API endpoint being queried, such as Infura, Alchemy, or public RPC endpoints.
- Analyze the process.command_line and process.args to understand what code or script is executing and look for hardcoded contract addresses or wallet addresses that may be querying blockchain data.
- Investigate the process.parent.executable and parent process chain to determine how the blockchain-querying process was launched and identify the initial execution vector.
- Review network connection payloads if available to identify the specific blockchain queries being made and extract any contract addresses or transaction hashes being queried.
- Search threat intelligence sources for the identified contract addresses or wallet addresses to determine if they are associated with known malicious campaigns.
- Correlate with file modification events on the same host to identify if the blockchain data is being written to disk or used to configure malware.

### False positive analysis

- Cryptocurrency wallet applications and browser extensions legitimately access blockchain APIs to display balances and transaction history. Verify if the user has approved cryptocurrency applications.
- Web3 developers and blockchain application developers may use blockchain APIs during development and testing. Confirm with development teams if such activities are expected.
- Decentralized application (dApp) browsers and related tools access blockchain data as part of normal operations. Verify if these tools are sanctioned for business use.
- NFT marketplaces and related applications may query blockchain data for asset verification. Confirm if such applications are approved.

### Response and remediation

- Immediately isolate the affected macOS system from the network to prevent further C2 communication or payload retrieval.
- Terminate the suspicious process making blockchain API connections and prevent it from restarting.
- Extract and analyze the blockchain contract addresses or transaction data being queried to understand the malicious payload or configuration.
- Conduct a thorough malware analysis of the responsible application to identify its full capabilities and persistence mechanisms.
- Block the identified blockchain API endpoints at the network perimeter if they are not required for legitimate business purposes.
- Search for similar blockchain API connections across other endpoints to identify potential lateral movement or additional compromised systems.
- Escalate to the security operations team for comprehensive incident response if the activity confirms an active Etherhiding-based attack.
"""
query = '''
sequence by process.entity_id with maxspan=15s
  [network where host.os.type == "macos" and event.type == "start" and
    (process.name in ("bash", "sh", "zsh", "osascript", "node", "Cursor") or
     process.name like ("python*", "ruby*", "perl*", "tclsh*")) and
    destination.domain like ("eth-mainnet*", "ethereum*", "eth.*.com")]
  [file where host.os.type == "macos" and event.action == "modification" and file.extension in ("js", "py", "sh")]
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

    [rule.threat.tactic]
    name = "Command and Control"
    id = "TA0011"
    reference = "https://attack.mitre.org/tactics/TA0011/"

    [[rule.threat.technique]]
    name = "Web Service"
    id = "T1102"
    reference = "https://attack.mitre.org/techniques/T1102/"

        [[rule.threat.technique.subtechnique]]
        name = "Bidirectional Communication"
        id = "T1102.002"
        reference = "https://attack.mitre.org/techniques/T1102/002/"

[[rule.threat]]
framework = "MITRE ATT&CK"

    [rule.threat.tactic]
    name = "Execution"
    id = "TA0002"
    reference = "https://attack.mitre.org/tactics/TA0002/"

    [[rule.threat.technique]]
    name = "Command and Scripting Interpreter"
    id = "T1059"
    reference = "https://attack.mitre.org/techniques/T1059/"

        [[rule.threat.technique.subtechnique]]
        name = "Unix Shell"
        id = "T1059.004"
        reference = "https://attack.mitre.org/techniques/T1059/004/"

        [[rule.threat.technique.subtechnique]]
        name = "Python"
        id = "T1059.006"
        reference = "https://attack.mitre.org/techniques/T1059/006/"

        [[rule.threat.technique.subtechnique]]
        name = "JavaScript"
        id = "T1059.007"
        reference = "https://attack.mitre.org/techniques/T1059/007/"
```
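To see what the EQL sequence actually requires before it fires, here is an added Python re-implementation of its two stages run over a handful of constructed events. This is illustrative code written for this page, not Elastic's rule engine or anything from the detection-rules repository; the hostnames, process names and entity IDs in SAMPLE_EVENTS are constructed, and the matching is a simplification of EQL (most recent stage-1 event per join key, no `until`, no runs).

```python
"""Offline re-implementation of the rule's EQL sequence, run over constructed sample events."""
import re
from datetime import datetime, timedelta, timezone

# Predicates transcribed from the rule's query (added illustration, not Elastic code).
INTERPRETERS = {"bash", "sh", "zsh", "osascript", "node", "Cursor"}
INTERPRETER_GLOBS = ("python*", "ruby*", "perl*", "tclsh*")
DOMAIN_GLOBS = ("eth-mainnet*", "ethereum*", "eth.*.com")
SCRIPT_EXTENSIONS = {"js", "py", "sh"}
MAXSPAN = timedelta(seconds=15)


def eql_like(value, patterns):
    """EQL `like`: case-sensitive, `*` matches any run of characters, nothing else is special."""
    if not isinstance(value, str):
        return False
    for pattern in patterns:
        regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
        if re.match(regex, value):
            return True
    return False


def is_stage1(ev):
    """Stage 1: a script interpreter on macOS opening a connection to an Ethereum endpoint."""
    return (
        ev.get("event.category") == "network"
        and ev.get("host.os.type") == "macos"
        and ev.get("event.type") == "start"
        and (ev.get("process.name") in INTERPRETERS
             or eql_like(ev.get("process.name"), INTERPRETER_GLOBS))
        and eql_like(ev.get("destination.domain"), DOMAIN_GLOBS)
    )


def is_stage2(ev):
    """Stage 2: a script file modification; the process join happens on entity_id in run_sequence."""
    return (
        ev.get("event.category") == "file"
        and ev.get("host.os.type") == "macos"
        and ev.get("event.action") == "modification"
        and ev.get("file.extension") in SCRIPT_EXTENSIONS
    )


def run_sequence(events):
    """Simplified `sequence by process.entity_id with maxspan=15s`; returns (stage1, stage2) pairs."""
    pending = {}   # entity_id -> most recent stage-1 event
    matches = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        key = ev.get("process.entity_id")
        if is_stage1(ev):
            pending[key] = ev
        elif is_stage2(ev) and key in pending:
            first = pending.pop(key)   # consumed whether or not it is still within span
            if ev["@timestamp"] - first["@timestamp"] <= MAXSPAN:
                matches.append((first, ev))
    return matches


def _ev(seconds, **fields):
    """Constructed ECS-style event `seconds` after an arbitrary base time."""
    base = datetime(2026, 2, 1, 12, 0, tzinfo=timezone.utc)
    return {"@timestamp": base + timedelta(seconds=seconds), "host.os.type": "macos", **fields}


# Constructed sample telemetry; none of these processes, IDs or domains come from the page.
SAMPLE_EVENTS = [
    # p1: python3 reaches an Alchemy-style mainnet host, rewrites a .js file 4s later -> alert
    _ev(0, **{"event.category": "network", "event.type": "start", "process.entity_id": "p1",
              "process.name": "python3", "destination.domain": "eth-mainnet.g.alchemy.com"}),
    _ev(4, **{"event.category": "file", "event.action": "modification",
              "process.entity_id": "p1", "file.extension": "js"}),
    # p2: same shape, but the file write lands 30s later, outside maxspan -> no alert
    _ev(10, **{"event.category": "network", "event.type": "start", "process.entity_id": "p2",
               "process.name": "node", "destination.domain": "ethereum-rpc.example.org"}),
    _ev(40, **{"event.category": "file", "event.action": "modification",
               "process.entity_id": "p2", "file.extension": "py"}),
    # p3: a browser, not a listed interpreter -> stage 1 never matches
    _ev(60, **{"event.category": "network", "event.type": "start", "process.entity_id": "p3",
               "process.name": "Safari", "destination.domain": "eth-mainnet.g.alchemy.com"}),
    _ev(62, **{"event.category": "file", "event.action": "modification",
               "process.entity_id": "p3", "file.extension": "js"}),
    # p4: zsh to an Infura-style hostname; "mainnet.infura.io" matches none of the three globs -> no alert
    _ev(70, **{"event.category": "network", "event.type": "start", "process.entity_id": "p4",
               "process.name": "zsh", "destination.domain": "mainnet.infura.io"}),
    _ev(71, **{"event.category": "file", "event.action": "modification",
               "process.entity_id": "p4", "file.extension": "sh"}),
]


def demo():
    return run_sequence(SAMPLE_EVENTS)


if __name__ == "__main__":
    for first, second in demo():
        gap = (second["@timestamp"] - first["@timestamp"]).total_seconds()
        print(f"{first['process.entity_id']}: {first['process.name']} -> "
              f"{first['destination.domain']}, wrote .{second['file.extension']} {gap:.0f}s later")
```

Two things the run makes visible: the file stage carries no process constraint of its own, so the rule only fires when the connecting process itself writes a script within 15 seconds, and the domain globs are literal and case-sensitive, so an Infura-style `mainnet.infura.io` host (named in the triage guide) is not covered by `eth-mainnet*`, `ethereum*` or `eth.*.com`. Anyone tuning the rule should add globs for the RPC providers they expect to see and test them with `eql_like` the same way.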
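The investigation guide asks the analyst to pull contract addresses and transaction hashes out of any captured request payloads. The helper below is an added example written for this page (not code from Elastic or from the SleepyDuck write-up) that does this for an Ethereum JSON-RPC body, single request or batch: it records the methods called, the 20-byte addresses and 32-byte hashes that appear in the parameters, and the 4-byte function selector at the front of `eth_call` data. SAMPLE_BODY and every address, hash and selector in it are constructed placeholders.

```python
"""Pull blockchain indicators out of a captured JSON-RPC request body for triage."""
import json
import re

# An EVM address is 20 bytes (40 hex chars); a transaction or block hash is 32 bytes (64 hex chars).
# The look-arounds stop a 40-char prefix of a longer hex string from being taken for an address.
ADDRESS_RE = re.compile(r"(?<![0-9a-fA-F])0x[0-9a-fA-F]{40}(?![0-9a-fA-F])")
HASH_RE = re.compile(r"(?<![0-9a-fA-F])0x[0-9a-fA-F]{64}(?![0-9a-fA-F])")


def extract_indicators(body):
    """Return methods, addresses, tx hashes and function selectors found in a JSON-RPC body.

    Accepts one request object or a batch (JSON array). Hex indicators are lower-cased so that
    the same address written with different casing collapses to one lookup.
    """
    doc = json.loads(body)
    calls = doc if isinstance(doc, list) else [doc]
    found = {"methods": [], "addresses": set(), "tx_hashes": set(), "selectors": set()}
    for call in calls:
        if not isinstance(call, dict):
            continue
        found["methods"].append(call.get("method"))
        params = call.get("params") or []
        for param in params:
            # eth_call, eth_estimateGas and eth_sendTransaction carry a call object whose
            # `data` (or `input`) starts with the 4-byte selector of the contract function.
            if isinstance(param, dict):
                data = param.get("data") or param.get("input") or ""
                if isinstance(data, str) and data.lower().startswith("0x") and len(data) >= 10:
                    found["selectors"].add(data[:10].lower())
        blob = json.dumps(params)
        found["addresses"].update(m.lower() for m in ADDRESS_RE.findall(blob))
        found["tx_hashes"].update(m.lower() for m in HASH_RE.findall(blob))
    return found


# Constructed batch request; the address, hash and "0xdeadbeef" selector are placeholders,
# not values observed in any campaign.
SAMPLE_BODY = json.dumps([
    {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
     "params": [{"to": "0x" + "11" * 20, "data": "0xdeadbeef" + "00" * 32}, "latest"]},
    {"jsonrpc": "2.0", "id": 2, "method": "eth_getTransactionByHash",
     "params": ["0x" + "ab" * 32]},
    {"jsonrpc": "2.0", "id": 3, "method": "eth_blockNumber", "params": []},
])


if __name__ == "__main__":
    result = extract_indicators(SAMPLE_BODY)
    print("methods:  ", result["methods"])
    print("addresses:", sorted(result["addresses"]))
    print("tx hashes:", sorted(result["tx_hashes"]))
    print("selectors:", sorted(result["selectors"]))
```

Addresses and hashes from the output are what to feed into threat-intelligence lookups and a block explorer; an `eth_call` against a contract address with a constant selector, repeated on a timer, is the shape an Etherhiding beacon takes. Two limits to keep in mind: addresses inside calldata are ABI-padded to 32 bytes, so the regex will not see them unless you decode the arguments, and a `data` field that happens to be exactly 32 bytes long would be reported as a hash.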
References
- https://secureannex.com/blog/sleepyduck-malware/
Related rules
- Google Calendar C2 via Script Interpreter
- Execution via OpenClaw Agent
- Apple Script Execution followed by Network Connection
- Suspicious Installer Package Spawns Network Event
- Curl Execution via Shell Profile