Small Sieve Malware Potential C2 Communication
Detects potential C2 communication related to Small Sieve malware
Sigma rule (View on GitHub)
1title: Small Sieve Malware Potential C2 Communication
2id: b0422664-37a4-4e78-949a-4a139309eaf0
3status: test
4description: Detects potential C2 communication related to Small Sieve malware
5references:
6 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2023/05/19
9tags:
10 - attack.command_and_control
11 - detection.emerging_threats
12logsource:
13 category: proxy
14detection:
15 selection:
16 cs-method: 'GET'
17 cs-host: 'api.telegram.org'
18 cs-uri|contains|all:
19 - 'chat_id=2090761833'
20 - 'text=com/'
21 condition: selection
22falsepositives:
23 - Unlikely
24level: critical
References
-
%PDF-1.7 %µµµµ 1 0 obj /Metadata 2177 0 R/ViewerPreferences 2178 0 R>> endobj 2 0 obj endobj 3 0 obj /ExtGState /XObject /ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 594.96 842.04] /Co...
Read More
Related rules
- Goofy Guineapig Backdoor Potential C2 Communication
- Potential Compromised 3CXDesktopApp Beaconing Activity - Proxy
- Potential Operation Triangulation C2 Beaconing Activity - DNS
- Potential Operation Triangulation C2 Beaconing Activity - Proxy
- DPRK Threat Actor - C2 Communication DNS Indicators