Obfuscated IP Via CLI
Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via command line
Sigma rule
title: Obfuscated IP Via CLI
id: 56d19cb4-6414-4769-9644-1ed35ffbb148
status: test
description: Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via command line
references:
    - https://h.43z.one/ipconverter/
    - https://twitter.com/Yasser_Elsnbary/status/1553804135354564608
author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2022-08-03
modified: 2023-11-06
tags:
    - attack.discovery
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\ping.exe'
            - '\arp.exe'
    selection_ip_1:
        CommandLine|contains:
            - ' 0x'
            - '//0x'
            - '.0x'
            - '.00x'
    selection_ip_2:
        CommandLine|contains|all:
            - 'http://%'
            - '%2e'
    selection_ip_3:
        # http://81.4.31754
        - CommandLine|re: 'https?://[0-9]{1,3}\.[0-9]{1,3}\.0[0-9]{3,4}'
        # http://81.293898
        - CommandLine|re: 'https?://[0-9]{1,3}\.0[0-9]{3,7}'
        # http://1359248394
        - CommandLine|re: 'https?://0[0-9]{3,11}'
        # http://0121.04.0174.012
        - CommandLine|re: 'https?://(0[0-9]{1,11}\.){3}0[0-9]{1,11}'
        # http://012101076012
        - CommandLine|re: 'https?://0[0-9]{1,11}'
        # For octal format
        - CommandLine|re: ' [0-7]{7,13}'
    filter_main_valid_ip:
        CommandLine|re: 'https?://((25[0-5]|(2[0-4]|1\d|[1-9])?\d)(\.|\b)){4}'
    condition: selection_img and 1 of selection_ip_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
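The rule's detection logic reimplemented in plain Python as an added example (not part of the rule or of the Sigma project), run over constructed process_creation events to show which command lines the selections and the valid-IP filter actually catch. It assumes Sigma's default semantics: endswith/contains compare case-insensitively, while the re modifier is a case-sensitive unanchored search.

```python
import re
# Patterns copied verbatim from the rule; Python's re accepts them as written.
OBFUSCATED_URL_PATTERNS = [
    r'https?://[0-9]{1,3}\.[0-9]{1,3}\.0[0-9]{3,4}',  # a.b.0nnn: last two octets merged, octal
    r'https?://[0-9]{1,3}\.0[0-9]{3,7}',              # a.0nnnn: last three octets merged, octal
    r'https?://0[0-9]{3,11}',                         # 0nnnn: whole address as one octal number
    r'https?://(0[0-9]{1,11}\.){3}0[0-9]{1,11}',      # 0a.0b.0c.0d: every octet octal
    r'https?://0[0-9]{1,11}',                         # shorter leading-zero number
    r' [0-7]{7,13}',                                  # bare octal argument after a space
]
VALID_DOTTED_IP = r'https?://((25[0-5]|(2[0-4]|1\d|[1-9])?\d)(\.|\b)){4}'

def selection_img(image: str) -> bool:
    # Sigma's endswith/contains modifiers compare case-insensitively.
    return image.lower().endswith(('\\ping.exe', '\\arp.exe'))

def selection_ip_1(cmd: str) -> bool:
    low = cmd.lower()
    return any(s in low for s in (' 0x', '//0x', '.0x', '.00x'))

def selection_ip_2(cmd: str) -> bool:
    low = cmd.lower()
    return 'http://%' in low and '%2e' in low

def selection_ip_3(cmd: str) -> bool:
    # The |re modifier is a case-sensitive, unanchored search.
    return any(re.search(p, cmd) for p in OBFUSCATED_URL_PATTERNS)

def filter_main_valid_ip(cmd: str) -> bool:
    # Only canonical dotted-decimal URLs (no leading zeros) count as "valid" here.
    return re.search(VALID_DOTTED_IP, cmd) is not None

def rule_matches(image: str, cmd: str) -> bool:
    # condition: selection_img and 1 of selection_ip_* and not 1 of filter_main_*
    return (selection_img(image)
            and (selection_ip_1(cmd) or selection_ip_2(cmd) or selection_ip_3(cmd))
            and not filter_main_valid_ip(cmd))

# Constructed process_creation events (Image, CommandLine), not real telemetry.
SAMPLE_EVENTS = [
    (r'C:\Windows\System32\PING.EXE', 'ping 0x7f000001'),         # hex 127.0.0.1 -> True
    (r'C:\Windows\System32\ping.exe', 'ping 017700000001'),       # octal 127.0.0.1 -> True
    (r'C:\Windows\System32\ping.exe', 'ping http://0177.0.0.1'),  # leading-zero octet -> True
    (r'C:\Windows\System32\ping.exe', 'ping -n 1 8.8.8.8'),       # plain dotted-decimal -> False
    (r'C:\Windows\System32\cmd.exe', 'cmd /c ping 0x7f000001'),   # Image not ping/arp -> False
]

if __name__ == '__main__':
    for image, cmd in SAMPLE_EVENTS:
        print(f'{rule_matches(image, cmd)!s:5}  {cmd}')
```

Note that the filter regex only recognises canonical dotted-decimal notation, so a leading-zero octet such as http://0177.0.0.1 is not suppressed by it.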