PUA - Chisel Tunneling Tool Execution

Detects usage of the Chisel tunneling tool via its command-line arguments

Sigma rule

title: PUA - Chisel Tunneling Tool Execution
id: 8b0e12da-d3c3-49db-bb4f-256703f380e5
related:
    - id: cf93e05e-d798-4d9e-b522-b0248dc61eaf
      type: similar
status: test
description: Detects usage of the Chisel tunneling tool via the commandline arguments
references:
    - https://github.com/jpillora/chisel/
    - https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/
    - https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/
author: Florian Roth (Nextron Systems)
date: 2022/09/13
modified: 2023/02/13
tags:
    - attack.command_and_control
    - attack.t1090.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\chisel.exe'
    selection_param1:
        CommandLine|contains:
            - 'exe client '
            - 'exe server '
    selection_param2:
        CommandLine|contains:
            - '-socks5'
            - '-reverse'
            - ' r:'
            - ':127.0.0.1:'
            - '-tls-skip-verify '
            - ':socks'
    condition: selection_img or all of selection_param*
falsepositives:
    - Some false positives may occur with other tools with similar commandlines
level: high
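To make the condition concrete, the following is an added example (not code from the Sigma project or the rule author) that evaluates this rule's logic against constructed process_creation events. It mirrors Sigma's default matching semantics: `endswith` and `contains` are case-insensitive, list values under one modifier are OR-ed, and `all of selection_param*` AND-s the two parameter selections; the event field names and sample command lines are assumptions made for the demonstration.

```python
# Added example (not part of the Sigma project): evaluates the rule's
# condition 'selection_img or all of selection_param*' against constructed
# Windows process_creation events.

SELECTION_IMG_SUFFIX = "\\chisel.exe"
SELECTION_PARAM1 = ["exe client ", "exe server "]
SELECTION_PARAM2 = ["-socks5", "-reverse", " r:", ":127.0.0.1:",
                    "-tls-skip-verify ", ":socks"]


def _contains_any(value: str, needles: list) -> bool:
    """Sigma 'contains' with a list: True if any needle is a case-insensitive substring."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def matches_chisel_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's condition."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    selection_img = image.lower().endswith(SELECTION_IMG_SUFFIX)
    selection_param1 = _contains_any(cmdline, SELECTION_PARAM1)
    selection_param2 = _contains_any(cmdline, SELECTION_PARAM2)
    return selection_img or (selection_param1 and selection_param2)


# Constructed sample events (not real telemetry); one dict per process start.
SAMPLE_EVENTS = [
    # 1: binary keeps its name -> selection_img fires on its own
    {"Image": r"C:\Users\Public\chisel.exe",
     "CommandLine": "chisel.exe client 10.0.0.5:8080 R:socks"},
    # 2: renamed binary, reverse SOCKS plus skipped TLS check -> both param selections fire
    {"Image": r"C:\Windows\Temp\svc.exe",
     "CommandLine": "svc.exe client --tls-skip-verify 10.0.0.5:443 R:socks"},
    # 3: renamed, 'exe client ' present but no selection_param2 indicator -> no match
    {"Image": r"C:\Windows\Temp\svc.exe",
     "CommandLine": "svc.exe client 10.0.0.5:8080 8000:localhost:80"},
    # 4: unrelated admin command -> no match
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
    # 5: renamed binary in server mode with SOCKS5 enabled -> match
    {"Image": r"D:\tools\tunnel.exe", "CommandLine": "tunnel.exe server --socks5 -p 8080"},
]


def evaluate(events: list) -> list:
    """Apply the rule to each event and return one verdict per event."""
    return [matches_chisel_rule(e) for e in events]
```

Event 3 shows why the `all of selection_param*` clause matters for a renamed binary: a plain local port forward carries none of the selection_param2 strings, so only the image name or one of the listed options triggers the alert.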
