Devil Bait Potential C2 Communication Traffic

Detects potential C2 communication related to Devil Bait malware

Sigma rule

title: Devil Bait Potential C2 Communication Traffic
id: 514c50c9-373a-46e5-9012-f0327c526c8f
status: experimental
description: Detects potential C2 communication related to Devil Bait malware
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/15
modified: 2023/08/23
tags:
    - attack.command_and_control
    - detection.emerging_threats
logsource:
    category: proxy
detection:
    selection:
        cs-method: 'GET'
        cs-uri|contains|all:
            - '/cross.php?op='
            - '&dt='
            - '&uid='
    condition: selection
falsepositives:
    - Unlikely
level: high
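The selection above is an AND of two tests: the request method must be GET, and the request URI must contain all three marker substrings (`contains|all`), in any order. Sigma string matching is case-insensitive unless the `cased` modifier is used, so a backend that translates `contains` into a case-sensitive match would silently weaken the rule. The following Python is an added example written for this page, not code from SigmaHQ or from the NCSC report: it re-implements the rule's logic over a handful of constructed W3C-style proxy log lines (the hosts, IPs and URIs are made up) so the matching behaviour, including the reordered-parameter and mixed-case cases, can be checked offline.

```python
"""Added example: re-implementation of the rule's 'selection' block over
constructed proxy log lines. Not part of the SigmaHQ rule or the NCSC report."""

from typing import Dict, Iterable, List

# Values taken from the Sigma rule above.
REQUIRED_METHOD = "GET"
REQUIRED_URI_PARTS = ("/cross.php?op=", "&dt=", "&uid=")

# Constructed sample log, NOT real Devil Bait traffic. The '#Fields:' line
# names the columns, as in W3C extended log format used by many proxies.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri sc-status
2023-05-15 10:01:02 10.0.0.5 GET http://example.invalid/cross.php?op=1&dt=2023&uid=abc123 200
2023-05-15 10:01:03 10.0.0.5 GET http://example.invalid/index.php?op=1&dt=2023&uid=abc123 200
2023-05-15 10:01:04 10.0.0.6 POST http://example.invalid/cross.php?op=1&dt=2023&uid=abc123 200
2023-05-15 10:01:05 10.0.0.7 GET http://example.invalid/cross.php?op=9&uid=zzz&dt=1 200
2023-05-15 10:01:06 10.0.0.8 GET http://example.invalid/CROSS.PHP?op=1&dt=2&uid=3 200
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse a W3C extended log into dicts keyed by the '#Fields:' names.
    Directive lines start with '#'; every other line is one record."""
    fields: List[str] = []
    events: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # malformed record: skip rather than misalign columns
        events.append(dict(zip(fields, values)))
    return events


def contains_all(value: str, needles: Iterable[str]) -> bool:
    """Sigma 'contains|all': every needle is a substring of the value.
    Sigma matches strings case-insensitively by default, so fold case."""
    haystack = value.lower()
    return all(needle.lower() in haystack for needle in needles)


def matches_rule(event: Dict[str, str]) -> bool:
    """The rule's selection: cs-method is GET AND cs-uri contains all markers."""
    method = event.get("cs-method", "")
    uri = event.get("cs-uri", "")
    return method.lower() == REQUIRED_METHOD.lower() and contains_all(uri, REQUIRED_URI_PARTS)


def run_rule(text: str) -> List[Dict[str, str]]:
    """Apply the rule to a whole log and return the matching events."""
    return [event for event in parse_w3c(text) if matches_rule(event)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_LOG):
        print(f"{hit['date']} {hit['time']} {hit['c-ip']} {hit['cs-method']} {hit['cs-uri']}")
```

Of the five constructed records, three fire: the straightforward GET, the GET whose `&uid=` and `&dt=` parameters appear in reversed order (the `all` modifier imposes no ordering), and the mixed-case `CROSS.PHP` request. The `index.php` request lacks `/cross.php?op=` and the POST fails the method test. If your proxy logs the path and query string in separate fields rather than one `cs-uri`, map them before running the rule, otherwise the `/cross.php?op=` marker can never match.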
