attack.t1573

Kalambur Backdoor Curl TOR SOCKS Proxy Execution

Feb 17, 2025 · attack.command-and-control attack.t1090 attack.t1573 attack.t1071.001 attack.t1059.001 attack.s0183 detection.emerging-threats ·

Share on:

Detects the execution of the "curl.exe" command, referencing "SOCKS" and ".onion" domains, which could be indicative of Kalambur backdoor activity.

Potential Pikabot C2 Activity

Dec 1, 2024 · attack.command-and-control attack.t1573 detection.emerging-threats ·

Share on:

Detects the execution of rundll32 that leads to an external network connection. The malware Pikabot has been seen to use this technique to initiate C2-communication through hard-coded Windows binaries.

Activity from Anonymous IP Addresses

Aug 12, 2024 · attack.command-and-control attack.t1573 ·

Share on:

Detects when a Microsoft Cloud App Security reported when users were active from an IP address that has been identified as an anonymous proxy IP address.

Activity from Infrequent Country

Aug 12, 2024 · attack.command-and-control attack.t1573 ·

Share on:

Detects when a Microsoft Cloud App Security reported when an activity occurs from a location that wasn't recently or never visited by any user in the organization.

Activity from Suspicious IP Addresses

Aug 12, 2024 · attack.command-and-control attack.t1573 ·

Share on:

Detects when a Microsoft Cloud App Security reported users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate compromised account.

Suspicious SSL Connection

Aug 12, 2024 · attack.command-and-control attack.t1573 ·

Share on:

Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.