Suspicious C2 Activities

calendar Oct 18, 2025 · attack.command-and-control  ·
Share on: linkedin copy

Detects suspicious activities as declared by Florian Roth in its 'Best Practice Auditd Configuration'. This includes the detection of the following commands; wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap. These commands match a few techniques from the tactics "Command and Control", including not exhaustively the following; Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132)

Sigma rule (View on GitHub)

 1title: Suspicious C2 Activities
 2id: f7158a64-6204-4d6d-868a-6e6378b467e0
 3status: test
 4description: |
 5    Detects suspicious activities as declared by Florian Roth in its 'Best Practice Auditd Configuration'.
 6    This includes the detection of the following commands; wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap.
 7    These commands match a few techniques from the tactics "Command and Control", including not exhaustively the following; Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132)    
 8references:
 9    - https://github.com/Neo23x0/auditd
10author: Marie Euler
11date: 2020-05-18
12modified: 2021-11-27
13tags:
14    - attack.command-and-control
15logsource:
16    product: linux
17    service: auditd
18    definition: |
19        Required auditd configuration:
20        -w /usr/bin/wget -p x -k susp_activity
21        -w /usr/bin/curl -p x -k susp_activity
22        -w /usr/bin/base64 -p x -k susp_activity
23        -w /bin/nc -p x -k susp_activity
24        -w /bin/netcat -p x -k susp_activity
25        -w /usr/bin/ncat -p x -k susp_activity
26        -w /usr/bin/ss -p x -k susp_activity
27        -w /usr/bin/netstat -p x -k susp_activity
28        -w /usr/bin/ssh -p x -k susp_activity
29        -w /usr/bin/scp -p x -k susp_activity
30        -w /usr/bin/sftp -p x -k susp_activity
31        -w /usr/bin/ftp -p x -k susp_activity
32        -w /usr/bin/socat -p x -k susp_activity
33        -w /usr/bin/wireshark -p x -k susp_activity
34        -w /usr/bin/tshark -p x -k susp_activity
35        -w /usr/bin/rawshark -p x -k susp_activity
36        -w /usr/bin/rdesktop -p x -k susp_activity
37        -w /usr/local/bin/rdesktop -p x -k susp_activity
38        -w /usr/bin/wlfreerdp -p x -k susp_activity
39        -w /usr/bin/xfreerdp -p x -k susp_activity
40        -w /usr/local/bin/xfreerdp -p x -k susp_activity
41        -w /usr/bin/nmap -p x -k susp_activity
42        (via https://github.com/Neo23x0/auditd/blob/ddf2603dbc985f97538d102f13b4e4446b402bae/audit.rules#L336)        
43detection:
44    selection:
45        key: 'susp_activity'
46    condition: selection
47falsepositives:
48    - Admin or User activity
49level: medium

References

Related rules

to-top