Devil Bait Potential C2 Communication Traffic
Detects potential C2 communication related to Devil Bait malware: HTTP GET requests, seen in proxy logs, whose URI contains all of '/cross.php?op=', '&dt=' and '&uid='.
Sigma rule

```yaml
title: Devil Bait Potential C2 Communication Traffic
id: 514c50c9-373a-46e5-9012-f0327c526c8f
status: test
description: Detects potential C2 communication related to Devil Bait malware
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
modified: 2023-08-23
tags:
    - attack.command-and-control
    - detection.emerging-threats
logsource:
    category: proxy
detection:
    selection:
        cs-method: 'GET'
        cs-uri|contains|all:
            - '/cross.php?op='
            - '&dt='
            - '&uid='
    condition: selection
falsepositives:
    - Unlikely
level: high
```
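The following is an added example, not part of the Sigma rule or of the NCSC report: the rule's selection transcribed to Python and run over constructed W3C extended-format proxy log lines, so the match semantics can be checked offline before the rule is deployed. Field names (cs-method, cs-uri, c-ip) follow the Sigma proxy log source; the host names and client addresses in the sample are placeholders.

```python
# Added example (not part of the Sigma rule or the NCSC report): the rule's
# selection transcribed to Python and run over constructed W3C-style proxy
# log lines so the match semantics can be checked offline.

REQUIRED_METHOD = "GET"
REQUIRED_URI_SUBSTRINGS = ("/cross.php?op=", "&dt=", "&uid=")


def parse_w3c(text):
    """Parse W3C extended log text (a '#Fields:' directive followed by
    whitespace-separated records) into a list of dicts keyed by field name."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Software, #Date, ...) are ignored
        if fields is None:
            raise ValueError("record before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def matches_devil_bait(record):
    """Evaluate the rule's selection: cs-method equals GET and cs-uri contains
    every required substring (contains|all is order-independent). Sigma string
    matching is case-insensitive by default, so both sides are lowercased."""
    if record.get("cs-method", "").lower() != REQUIRED_METHOD.lower():
        return False
    uri = record.get("cs-uri", "").lower()
    return all(s in uri for s in REQUIRED_URI_SUBSTRINGS)


def scan(text):
    """Return (c-ip, cs-uri) for every record that satisfies the selection."""
    return [(r["c-ip"], r["cs-uri"]) for r in parse_w3c(text) if matches_devil_bait(r)]


# Constructed sample log; hosts and addresses are placeholders, not real C2 infrastructure.
SAMPLE_LOG = """\
#Software: example-proxy
#Fields: date time c-ip cs-method cs-host cs-uri sc-status
2023-05-15 10:00:01 10.0.0.5 GET c2.example.invalid /cross.php?op=0&dt=20230515&uid=ABC123 200
2023-05-15 10:00:02 10.0.0.5 POST c2.example.invalid /cross.php?op=0&dt=20230515&uid=ABC123 200
2023-05-15 10:00:03 10.0.0.7 GET c2.example.invalid /cross.php?op=1&dt=20230515 200
2023-05-15 10:00:04 10.0.0.8 GET c2.example.invalid /cross.php?uid=DEF456&op=2&dt=20230515 200
2023-05-15 10:00:05 10.0.0.9 GET c2.example.invalid /CROSS.PHP?op=3&DT=20230515&UID=GHI789 200
2023-05-15 10:00:06 10.0.0.10 GET www.example.invalid /index.php?op=view&dt=1&uid=2 200
"""

if __name__ == "__main__":
    # Expected: two alerts, for the 10.0.0.5 GET and the mixed-case 10.0.0.9 GET.
    for ip, uri in scan(SAMPLE_LOG):
        print(f"ALERT {ip} {uri}")
```

Two details worth noting when porting the rule to a real backend. First, '/cross.php?op=' anchors op as the first query parameter: record four, with uid first, does not match even though all three parameters are present, so a variant that reorders them would be missed. Second, the case-insensitive behaviour shown for record five is the Sigma default, but some backends emit case-sensitive substring matches unless configured otherwise, so confirm the converted query's behaviour rather than assuming it.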
Related rules
- DPRK Threat Actor - C2 Communication DNS Indicators
- Equation Group C2 Communication
- GALLIUM Artefacts - Builtin
- GALLIUM IOCs
- Goofy Guineapig Backdoor Potential C2 Communication