Network Connection Initiated To BTunnels Domains
Detects network connections to BTunnels domains initiated by a process on the system. Attackers can abuse the BTunnel tunneling service to establish a reverse shell or persistence on a machine.
Sigma rule
title: Network Connection Initiated To BTunnels Domains
id: 9e02c8ec-02b9-43e8-81eb-34a475ba7965
status: test
description: |
    Detects network connections to BTunnels domains initiated by a process on the system.
    Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
references:
    - https://defr0ggy.github.io/research/Utilizing-BTunnel-For-Data-Exfiltration/
author: Kamran Saifullah
date: 2024-09-13
tags:
    - attack.exfiltration
    - attack.command-and-control
    - attack.t1567
    - attack.t1572
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith: '.btunnel.co.in'
    condition: selection
falsepositives:
    - Legitimate use of BTunnels will also trigger this.
level: medium
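The following is an added example, not part of the rule or of the Sigma project, showing what the rule's selection block actually matches when applied to Windows network-connection events. It assumes events shaped like Sysmon Event ID 3 after a typical SIEM field mapping (fields Initiated, DestinationHostname, Image, DestinationPort); the sample events themselves are constructed. It also shows two edge cases that the rule's modifiers imply: Sigma string matching is case-insensitive by default, and endswith '.btunnel.co.in' does not match the bare apex domain.

```python
"""Evaluate the BTunnels Sigma rule's selection logic against sample events."""
from typing import Iterable

# Taken from the rule: DestinationHostname|endswith: '.btunnel.co.in'
SUFFIX = ".btunnel.co.in"

# Constructed sample events shaped like Sysmon Event ID 3 (network connection).
# Process paths and hostnames are made up for illustration.
SAMPLE_EVENTS = [
    {"EventID": 3, "Initiated": "true", "Image": r"C:\Users\alice\Downloads\client.exe",
     "DestinationHostname": "abc123.btunnel.co.in", "DestinationPort": 443},
    {"EventID": 3, "Initiated": "true", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "www.example.com", "DestinationPort": 443},
    # Inbound connection: Initiated is false, so the rule must not fire.
    {"EventID": 3, "Initiated": "false", "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationHostname": "xyz.btunnel.co.in", "DestinationPort": 3389},
    # Sigma string comparison is case-insensitive by default; this must still match.
    {"EventID": 3, "Initiated": "true", "Image": r"C:\Temp\agent.exe",
     "DestinationHostname": "Relay.BTunnel.CO.IN", "DestinationPort": 443},
    # The apex domain has no leading dot, so endswith '.btunnel.co.in' does not match.
    {"EventID": 3, "Initiated": "true", "Image": r"C:\Temp\agent.exe",
     "DestinationHostname": "btunnel.co.in", "DestinationPort": 80},
]


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's `selection` block.

    Both conditions are AND-ed, mirroring `condition: selection`.
    Values are lower-cased to reproduce Sigma's default case-insensitive matching.
    """
    initiated = str(event.get("Initiated", "")).lower() == "true"
    hostname = str(event.get("DestinationHostname", "")).lower()
    return initiated and hostname.endswith(SUFFIX)


def find_alerts(events: Iterable[dict]) -> list:
    """Apply the rule to a stream of events and return the ones that would alert."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        # Image is the key triage field: a browser is plausible, an unsigned binary in
        # a user-writable path much less so.
        print(f"[medium] {hit['Image']} -> "
              f"{hit['DestinationHostname']}:{hit['DestinationPort']}")
```

Running it reports only the first and fourth sample events; the inbound connection and the apex-domain lookup are skipped. When triaging a hit, the originating Image and the user context are what separate the documented false positive (legitimate BTunnel use) from a tunnel started by an unexpected process.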
Related rules
- Network Connection Initiated To Visual Studio Code Tunnels Domain
- Network Connection Initiated To Cloudflared Tunnels Domains
- Process Initiated Network Connection To Ngrok Domain
- Communication To Ngrok Tunneling Service - Linux
- Communication To Ngrok Tunneling Service Initiated