Suspicious C2 Activities

Detects suspicious activities as declared by Florian Roth in his 'Best Practice Auditd Configuration'. This includes the detection of the following commands: wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap. These commands match a few techniques from the "Command and Control" tactic, including but not limited to: Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132).

Sigma rule

```yaml
title: Suspicious C2 Activities
id: f7158a64-6204-4d6d-868a-6e6378b467e0
status: test
description: |
    Detects suspicious activities as declared by Florian Roth in its 'Best Practice Auditd Configuration'.
    This includes the detection of the following commands; wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap.
    These commands match a few techniques from the tactics "Command and Control", including not exhaustively the following; Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132)
references:
    - https://github.com/Neo23x0/auditd
author: Marie Euler
date: 2020/05/18
modified: 2021/11/27
tags:
    - attack.command_and_control
logsource:
    product: linux
    service: auditd
detection:
    selection:
        key: 'susp_activity'
    condition: selection
falsepositives:
    - Admin or User activity
level: medium
```
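The rule only fires if auditd tags executions of the listed binaries with the key `susp_activity`, so the audit configuration and the Sigma selection have to agree. The following is an added example, not part of the rule or of the referenced configuration: it generates execute-watch rules in the `-w <path> -p x -k <key>` form for the binaries the page lists (the filesystem paths are assumptions for a typical Debian-style layout) and then applies the Sigma selection (`key == 'susp_activity'`) to constructed auditd SYSCALL records, returning the executable, login user and pid for triage.

```python
import re

# Binaries named on the page; the paths are assumptions and should be
# checked against the host (e.g. with `command -v`) before deployment.
WATCHED_BINARIES = {
    "wget": "/usr/bin/wget", "curl": "/usr/bin/curl", "base64": "/usr/bin/base64",
    "nc": "/bin/nc", "netcat": "/bin/netcat", "ncat": "/usr/bin/ncat",
    "ssh": "/usr/bin/ssh", "socat": "/usr/bin/socat", "wireshark": "/usr/bin/wireshark",
    "rawshark": "/usr/bin/rawshark", "rdesktop": "/usr/bin/rdesktop", "nmap": "/usr/bin/nmap",
}
AUDIT_KEY = "susp_activity"  # must equal the `key` value in the Sigma selection


def auditd_watch_rules(binaries=WATCHED_BINARIES, key=AUDIT_KEY):
    """Execute-watch rules (audit.rules syntax) that tag each execution with `key`."""
    return [f"-w {path} -p x -k {key}" for path in binaries.values()]


# auditd records are space-separated name=value pairs; values may be double-quoted.
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_record(line):
    """Split one auditd record into a dict; quoted values lose their quotes."""
    return {name: value.strip('"') for name, value in _FIELD.findall(line)}


def matches_sigma_rule(line):
    """The rule's whole detection logic: selection is key == 'susp_activity'."""
    return parse_audit_record(line).get("key") == AUDIT_KEY


def triage(lines):
    """Return (exe, auid, pid) for every record the rule fires on, in log order."""
    return [
        (rec.get("exe"), rec.get("auid"), rec.get("pid"))
        for rec in map(parse_audit_record, lines)
        if rec.get("key") == AUDIT_KEY
    ]


# Constructed sample records: two watched executions and one untagged `ls`.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1590000000.101:2001): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=1200 pid=1201 auid=1000 uid=1000 euid=1000 comm="curl" exe="/usr/bin/curl" key="susp_activity"',
    'type=SYSCALL msg=audit(1590000000.102:2002): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=1200 pid=1202 auid=1000 uid=1000 euid=1000 comm="ls" exe="/bin/ls" key=(null)',
    'type=SYSCALL msg=audit(1590000000.103:2003): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=1300 pid=1301 auid=0 uid=0 euid=0 comm="base64" exe="/usr/bin/base64" key="susp_activity"',
]

if __name__ == "__main__":
    print("\n".join(auditd_watch_rules()))
    print(triage(SAMPLE_LOG))
```

Because the selection matches only on the key, the `auid` and `exe` fields are what separate the "Admin or User activity" false positives from something worth escalating.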
