Devil Bait Potential C2 Communication Traffic
Detects potential C2 communication related to Devil Bait malware
Sigma rule

```yaml
title: Devil Bait Potential C2 Communication Traffic
id: 514c50c9-373a-46e5-9012-f0327c526c8f
status: experimental
description: Detects potential C2 communication related to Devil Bait malware
references:
  - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/15
modified: 2023/08/23
tags:
  - attack.command_and_control
  - detection.emerging_threats
logsource:
  category: proxy
detection:
  selection:
    cs-method: 'GET'
    cs-uri|contains|all:
      - '/cross.php?op='
      - '&dt='
      - '&uid='
  condition: selection
falsepositives:
  - Unlikely
level: high
```
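The selection above fires when a proxy record has method GET and a URI that contains all three fragments, in any order. The following is an added example, not part of the Sigma rule or the SigmaHQ project: it transcribes the rule's matching semantics into plain Python and runs them over a constructed W3C extended-format proxy log (the `#Fields:` header, the field names `cs-method`, `cs-uri` and `c-ip`, and every log line are assumptions made for illustration, not real telemetry). Substring comparison is done case-insensitively because the Sigma specification treats value matching as case-insensitive by default; confirm what your backend actually generates, since some target query languages are case-sensitive.

```python
"""Added example: evaluate the Devil Bait Sigma selection against constructed
W3C extended-format proxy log records. Not part of the rule or of SigmaHQ."""
from typing import Dict, Iterator, List

# Transcribed from the rule: cs-method must equal GET, and cs-uri must
# contain every fragment in URI_PARTS ('contains|all'); order does not matter.
METHOD = "GET"
URI_PARTS = ("/cross.php?op=", "&dt=", "&uid=")


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record; the '#Fields:' directive names the columns.

    Assumes the common W3C extended layout where values are whitespace-separated
    and cs-uri carries no embedded spaces (URL-encoded), which is the usual case.
    """
    fields: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not fields:
            continue  # other directives, or data before any #Fields header
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed record: skip rather than misalign columns
        yield dict(zip(fields, values))


def matches_devil_bait(rec: Dict[str, str]) -> bool:
    """Apply the rule's selection to one record (case-insensitive, per Sigma defaults)."""
    if rec.get("cs-method", "").upper() != METHOD:
        return False
    uri = rec.get("cs-uri", "").lower()
    return all(part.lower() in uri for part in URI_PARTS)


def find_hits(log_text: str) -> List[Dict[str, str]]:
    """Return every record in the log that satisfies the selection."""
    return [rec for rec in parse_w3c(log_text) if matches_devil_bait(rec)]


# Constructed sample log (assumption: not real traffic). One clean hit, three
# near-misses that must not fire, and one hit with different order and case.
SAMPLE_LOG = """\
#Software: constructed sample, not real telemetry
#Fields: date time c-ip cs-method cs-uri sc-status
2023-05-15 10:02:11 10.0.0.5 GET /cross.php?op=1&dt=20230515&uid=ABC123 200
2023-05-15 10:02:12 10.0.0.6 POST /cross.php?op=1&dt=20230515&uid=ABC123 200
2023-05-15 10:02:13 10.0.0.7 GET /cross.php?op=1&uid=ABC123 200
2023-05-15 10:02:14 10.0.0.8 GET /index.php?op=1&dt=x&uid=y 200
2023-05-15 10:02:15 10.0.0.9 GET /CROSS.PHP?OP=9&UID=Z&DT=1 404
"""

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(f"Devil Bait C2 candidate: {hit['c-ip']} {hit['cs-method']} {hit['cs-uri']}")
```

The POST record is excluded by the method clause, the record lacking `&dt=` fails the `all` requirement, and the `/index.php` record never contains `/cross.php?op=`; the upper-case record still matches, which is the behaviour to expect from a backend that honours Sigma's default. If your proxy logs the query string in a separate field (for example `cs-uri-query`), adjust the field used for the substring checks, since the rule as written expects path and query together in `cs-uri`.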
References
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
Related rules
- GALLIUM IOCs
- Goofy Guineapig Backdoor Potential C2 Communication
- Greenbug Espionage Group Indicators
- OilRig APT Activity
- OilRig APT Schedule Task Persistence - Security