Suspicious Typical Malware Back Connect PortsMay 2, 2023 · attack.persistence attack.command_and_control attack.t1571 ·
Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases
Testing Usage of Uncommonly Used PortJan 27, 2023 · attack.command_and_control attack.t1571 ·
Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.
Suspicious DNS Z Flag Bit SetNov 29, 2022 · attack.t1095 attack.t1571 attack.command_and_control ·
The DNS Z flag is bit within the DNS protocol header that is, per the IETF design, meant to be used reserved (unused). Although recently it has been used in DNSSec, the value being set to anything other than 0 should be rare. Otherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward. Determine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one off or the possibility of larger sensitive file gathering. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs'