Goofy Guineapig Backdoor Potential C2 Communication
Detects potential C2 communication related to Goofy Guineapig backdoor
Sigma rule

title: Goofy Guineapig Backdoor Potential C2 Communication
id: 4f573bb6-701a-4b8d-91db-87ae106e9a61
status: test
description: Detects potential C2 communication related to Goofy Guineapig backdoor
references:
  - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-14
tags:
  - attack.command-and-control
  - detection.emerging-threats
logsource:
  category: proxy
detection:
  selection:
    c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36'
    cs-host: 'static.tcplog.com'
  condition: selection
falsepositives:
  - Unlikely
level: high
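The selection above is a two-field AND match on proxy events: both the exact user-agent string and the contacted host have to line up. The following Python is an added example, not code from this page or from the Sigma project, showing that logic run over a handful of constructed W3C-style proxy log lines. The indicator values are the rule's own; the log layout (a `#Fields:` directive followed by tab-separated records), the field order and every sample record are assumptions made for the example. String comparison is case-insensitive, which mirrors Sigma's default matching semantics.

```python
"""Apply the Goofy Guineapig Sigma selection to W3C-style proxy log lines."""

# Indicator values copied from the Sigma rule on this page.
RULE_SELECTION = {
    "c-useragent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
    "cs-host": "static.tcplog.com",
}

# Constructed sample log (not from the page). Assumed layout: W3C extended log
# format with a #Fields directive; records are tab-separated so the user-agent
# string, which contains spaces, stays in a single field.
SAMPLE_LOG = """\
#Software: example-proxy
#Fields: date time c-ip cs-host cs-uri c-useragent sc-status
2023-05-14\t10:00:01\t10.0.0.5\tstatic.tcplog.com\t/update.php\tMozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36\t200
2023-05-14\t10:00:02\t10.0.0.6\tstatic.tcplog.com\t/\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36\t200
2023-05-14\t10:00:03\t10.0.0.7\texample.com\t/index.html\tMozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36\t200
2023-05-14\t10:00:04\t10.0.0.8\tSTATIC.TCPLOG.COM\t/update.php\tMozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36\t200
"""


def parse_w3c(text):
    """Turn W3C extended log text into a list of {field: value} dicts."""
    fields = None
    events = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#Fields:"):
            fields = raw[len("#Fields:"):].split()
            continue
        if raw.startswith("#"):
            continue  # other directives (#Software, #Date, ...) carry no events
        if fields is None:
            raise ValueError("data record seen before a #Fields directive")
        values = raw.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch in record: {raw!r}")
        events.append(dict(zip(fields, values)))
    return events


def matches_selection(event, selection=RULE_SELECTION):
    """Sigma selection semantics: every listed field must match (AND),
    and plain string values compare case-insensitively."""
    for field, expected in selection.items():
        actual = event.get(field)
        if actual is None or actual.lower() != expected.lower():
            return False
    return True


def find_c2_candidates(log_text):
    """Return the proxy events that satisfy the rule's selection."""
    return [event for event in parse_w3c(log_text) if matches_selection(event)]


if __name__ == "__main__":
    for hit in find_c2_candidates(SAMPLE_LOG):
        print(f"ALERT Goofy Guineapig C2 candidate: "
              f"{hit['c-ip']} -> {hit['cs-host']}{hit['cs-uri']}")
```

Of the four constructed records only the first and the last fire: the second reaches the host with a different browser string and the third sends the indicator user-agent to an unrelated host, so neither satisfies both keys of the selection. The last record shows why case-insensitive comparison matters when a proxy normalises hostnames differently from the rule author.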
Related rules
- DPRK Threat Actor - C2 Communication DNS Indicators
- Devil Bait Potential C2 Communication Traffic
- Equation Group C2 Communication
- GALLIUM Artefacts - Builtin
- GALLIUM IOCs