Goofy Guineapig Backdoor Potential C2 Communication

Detects potential C2 communication related to Goofy Guineapig backdoor

Sigma rule

title: Goofy Guineapig Backdoor Potential C2 Communication
id: 4f573bb6-701a-4b8d-91db-87ae106e9a61
status: test
description: Detects potential C2 communication related to Goofy Guineapig backdoor
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/14
tags:
    - attack.command_and_control
    - detection.emerging_threats
logsource:
    category: proxy
detection:
    selection:
        c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36'
        cs-host: 'static.tcplog.com'
    condition: selection
falsepositives:
    - Unlikely
level: high
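
To show what the selection above matches in practice, here is an added Python example (not part of the rule, the Sigma project or its tooling) that applies the two-field selection to a few constructed proxy log lines. It assumes a W3C extended log format with a #Fields header naming the c-useragent and cs-host columns and double-quoted user-agent values; both the field order and the log lines are constructed for this example.

```python
import shlex

# The rule's selection: every key must match (Sigma AND semantics within a map);
# plain string values in Sigma compare case-insensitively.
SELECTION = {
    "c-useragent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
    "cs-host": "static.tcplog.com",
}

# Constructed sample proxy log (assumed W3C extended format with a #Fields header).
# Only the first line should fire: it has both the host and the exact user agent.
# Line 2 has the user agent but a benign host; line 3 has the host but a different UA.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-host cs-uri-stem c-useragent sc-status
2023-05-14 10:01:02 10.0.0.5 GET static.tcplog.com /api/v1 "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36" 200
2023-05-14 10:01:03 10.0.0.6 GET www.example.com /index.html "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36" 200
2023-05-14 10:01:04 10.0.0.7 GET STATIC.TCPLOG.COM /update "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36" 200
"""


def parse_w3c(text):
    """Yield one dict per log row, keyed by the names from the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = shlex.split(line)  # honours the double-quoted user-agent value
        if len(values) != len(fields):
            continue  # malformed row: column count does not match the header
        yield dict(zip(fields, values))


def matches_selection(event, selection=SELECTION):
    """True when every selection field is present and equal (case-insensitive)."""
    return all(event.get(k, "").lower() == v.lower() for k, v in selection.items())


def run_rule(text):
    """Return the rows of a proxy log that the rule's selection would alert on."""
    return [event for event in parse_w3c(text) if matches_selection(event)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_LOG):
        print("ALERT", hit["date"], hit["time"], hit["c-ip"], hit["cs-host"])
```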
