attack.t1102

Suspicious Non-Browser Network Communication With Google API

Feb 22, 2025 · attack.command-and-control attack.t1102 ·

Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)

Cloudflared Tunnel Connections Cleanup

Nov 1, 2024 · attack.command-and-control attack.t1102 attack.t1090 attack.t1572 ·

Share on:

Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to cleanup tunnel connections.

Cloudflared Tunnel Execution

Nov 1, 2024 · attack.command-and-control attack.t1102 attack.t1090 attack.t1572 ·

Share on:

Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.

New Connection Initiated To Potential Dead Drop Resolver Domain

Oct 25, 2024 · attack.command-and-control attack.t1102 attack.t1102.001 ·

Share on:

Detects an executable, which is not an internet browser or known application, initiating network connections to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks. In this context attackers leverage known websites such as "facebook", "youtube", etc. In order to pass through undetected.

Communication To LocaltoNet Tunneling Service Initiated

Aug 12, 2024 · attack.command-and-control attack.t1572 attack.t1090 attack.t1102 ·

Share on:

Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet. Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.

Communication To LocaltoNet Tunneling Service Initiated - Linux

Aug 12, 2024 · attack.command-and-control attack.t1572 attack.t1090 attack.t1102 ·

Share on:

Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet. Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.

Communication To Ngrok Tunneling Service - Linux

Aug 12, 2024 · attack.exfiltration attack.command-and-control attack.t1567 attack.t1568.002 attack.t1572 attack.t1090 attack.t1102 attack.s0508 ·

Share on:

Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors

Communication To Ngrok Tunneling Service Initiated

Aug 12, 2024 · attack.exfiltration attack.command-and-control attack.t1567 attack.t1568.002 attack.t1572 attack.t1090 attack.t1102 attack.s0508 ·

Share on:

Detects an executable initiating a network connection to "ngrok" tunneling domains. Attackers were seen using this "ngrok" in order to store their second stage payloads and malware. While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.

Network Connection Initiated To AzureWebsites.NET By Non-Browser Process

Aug 12, 2024 · attack.command-and-control attack.t1102 attack.t1102.001 ·

Share on:

Detects an initiated network connection by a non browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.

Potentially Suspicious Network Connection To Notion API

Aug 12, 2024 · attack.command-and-control attack.t1102 ·

Share on:

Detects a non-browser process communicating with the Notion API. This could indicate potential use of a covert C2 channel such as "OffensiveNotion C2"

Suspicious Child Process Of Manage Engine ServiceDesk

Aug 12, 2024 · attack.command-and-control attack.t1102 ·

Share on:

Detects suspicious child processes of the "Manage Engine ServiceDesk Plus" Java web service

Suspicious Non-Browser Network Communication With Telegram API

Aug 12, 2024 · attack.command-and-control attack.t1102 ·

Share on:

Detects an a non-browser process interacting with the Telegram API which could indicate use of a covert C2