Network Connection Initiated To BTunnels Domains
Detects network connections to BTunnels domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
Sigma rule (View on GitHub)
1title: Network Connection Initiated To BTunnels Domains
2id: 9e02c8ec-02b9-43e8-81eb-34a475ba7965
3status: experimental
4description: |
5 Detects network connections to BTunnels domains initiated by a process on the system.
6 Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
7references:
8 - https://defr0ggy.github.io/research/Utilizing-BTunnel-For-Data-Exfiltration/
9author: Kamran Saifullah
10date: 2024-09-13
11tags:
12 - attack.exfiltration
13 - attack.t1567.001
14logsource:
15 category: network_connection
16 product: windows
17detection:
18 selection:
19 Initiated: 'true'
20 DestinationHostname|endswith: '.btunnel.co.in'
21 condition: selection
22falsepositives:
23 - Legitimate use of BTunnels will also trigger this.
24level: medium
References
-
Utilizing BTunnel to create tunnels without detections in order to exfiltrate data and to have persistence across the network over the internet.
Read More
Related rules
- Network Connection Initiated To Cloudflared Tunnels Domains
- Network Connection Initiated To DevTunnels Domain
- Network Connection Initiated To Mega.nz
- Network Connection Initiated To Visual Studio Code Tunnels Domain
- Process Initiated Network Connection To Ngrok Domain