Command And Control Detections

| Name | Data Source | Technique | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| Splunk Protocol Impersonation Weak Encryption Configuration | Splunk | Protocol or Service Impersonation | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Detect web traffic to dynamic domain providers | | Web Protocols | TTP | Dynamic DNS | 2024-10-17 |
| DNS Query Requests Resolved by Unauthorized DNS Servers | | DNS | TTP | Command And Control, DNS Hijacking, Host Redirection, Suspicious DNS Traffic | 2024-10-17 |
| DNS record changed | | DNS | TTP | DNS Hijacking | 2024-10-17 |
| Any Powershell DownloadFile | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer | TTP | Braodo Stealer, DarkCrystal RAT, Data Destruction, Hermetic Wiper, Ingress Tool Transfer, Log4Shell CVE-2021-44228, Malicious PowerShell, PXA Stealer, Phemedrone Stealer | 2024-09-30 |
| Any Powershell DownloadString | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer | TTP | Data Destruction, HAFNIUM Group, Hermetic Wiper, IcedID, Ingress Tool Transfer, Malicious PowerShell, Phemedrone Stealer, SysAid On-Prem Software CVE-2023-47246 Vulnerability, Winter Vivern | 2024-09-30 |
| BITSAdmin Download File | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | BITS Jobs, Ingress Tool Transfer | TTP | BITS Jobs, DarkSide Ransomware, Flax Typhoon, Gozi Malware, Ingress Tool Transfer, Living Off The Land | 2024-09-30 |
| CertUtil Download With URLCache and Split Arguments | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Ingress Tool Transfer | TTP | CISA AA22-277A, Compromised Windows Host, DarkSide Ransomware, Flax Typhoon, Forest Blizzard, Ingress Tool Transfer, Living Off The Land, ProxyNotShell | 2024-11-28 |
| CertUtil Download With VerifyCtl and Split Arguments | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Ingress Tool Transfer | TTP | Compromised Windows Host, DarkSide Ransomware, Ingress Tool Transfer, Living Off The Land | 2024-11-28 |
| Curl Download and Bash Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Ingress Tool Transfer | TTP | Compromised Windows Host, Ingress Tool Transfer, Linux Living Off The Land, Log4Shell CVE-2021-44228 | 2024-11-28 |
| Detect Certify Command Line Arguments | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Steal or Forge Authentication Certificates, Ingress Tool Transfer | TTP | Compromised Windows Host, Ingress Tool Transfer, Windows Certificate Services | 2024-11-28 |
| Detect Remote Access Software Usage File | Sysmon EventID 11 | Remote Access Software | Anomaly | CISA AA24-241A, Command And Control, Gozi Malware, Insider Threat, Ransomware | 2024-09-30 |
| Detect Remote Access Software Usage FileInfo | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote Access Software | Anomaly | Command And Control, Gozi Malware, Insider Threat, Ransomware | 2024-09-30 |
| Detect Remote Access Software Usage Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote Access Software | Anomaly | CISA AA24-241A, Command And Control, Gozi Malware, Insider Threat, Ransomware | 2024-09-30 |
| Download Files Using Telegram | Sysmon EventID 15 | Ingress Tool Transfer | TTP | Phemedrone Stealer, Snake Keylogger, XMRig | 2024-09-30 |
| Linux Curl Upload File | Sysmon for Linux EventID 1 | Ingress Tool Transfer | TTP | Data Exfiltration, Ingress Tool Transfer, Linux Living Off The Land | 2024-09-30 |
| Linux Ingress Tool Transfer Hunting | Sysmon for Linux EventID 1 | Ingress Tool Transfer | Hunting | Ingress Tool Transfer, Linux Living Off The Land | 2024-10-17 |
| Linux Ingress Tool Transfer with Curl | Sysmon for Linux EventID 1 | Ingress Tool Transfer | Anomaly | Ingress Tool Transfer, Linux Living Off The Land | 2024-09-30 |
| Linux Ngrok Reverse Proxy Usage | Sysmon for Linux EventID 1 | Protocol Tunneling, Proxy, Web Service | Anomaly | Reverse Network Proxy | 2024-09-30 |
| Linux Proxy Socks Curl | Sysmon for Linux EventID 1 | Proxy, Non-Application Layer Protocol | TTP | Ingress Tool Transfer, Linux Living Off The Land | 2024-09-30 |
| Living Off The Land Detection | | Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services | Correlation | Living Off The Land | 2024-09-30 |
| Log4Shell CVE-2021-44228 Exploitation | | Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services | Correlation | CISA AA22-320A, Log4Shell CVE-2021-44228 | 2024-09-30 |
| LOLBAS With Network Traffic | Sysmon EventID 3 | Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution | TTP | Living Off The Land | 2024-09-30 |
| PowerShell Script Block With URL Chain | Powershell Script Block Logging 4104 | PowerShell, Ingress Tool Transfer | TTP | Malicious PowerShell | 2024-09-30 |
| PowerShell WebRequest Using Memory Stream | Powershell Script Block Logging 4104 | PowerShell, Ingress Tool Transfer, Fileless Storage | TTP | Malicious PowerShell, MoonPeak | 2024-09-30 |
| Suspicious Curl Network Connection | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Ingress Tool Transfer | TTP | Ingress Tool Transfer, Linux Living Off The Land, Silver Sparrow | 2024-10-17 |
| Wget Download and Bash Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Ingress Tool Transfer | TTP | Compromised Windows Host, Ingress Tool Transfer, Log4Shell CVE-2021-44228 | 2024-12-03 |
| Windows Abused Web Services | Sysmon EventID 22 | Web Service | TTP | CISA AA24-241A, NjRAT | 2024-09-30 |
| Windows App Layer Protocol Qakbot NamedPipe | Sysmon EventID 17, Sysmon EventID 18 | Application Layer Protocol | Anomaly | Qakbot | 2024-09-30 |
| Windows App Layer Protocol Wermgr Connect To NamedPipe | Sysmon EventID 17, Sysmon EventID 18 | Application Layer Protocol | Anomaly | Qakbot | 2024-09-30 |
| Windows Application Layer Protocol RMS Radmin Tool Namedpipe | Sysmon EventID 17, Sysmon EventID 18 | Application Layer Protocol | TTP | Azorult | 2024-09-30 |
| Windows Curl Download to Suspicious Path | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Ingress Tool Transfer | TTP | Compromised Windows Host, Forest Blizzard, IcedID, Ingress Tool Transfer | 2024-11-28 |
| Windows Curl Upload to Remote Destination | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Ingress Tool Transfer | TTP | Compromised Windows Host, Ingress Tool Transfer | 2024-11-28 |
| Windows File Transfer Protocol In Non-Common Process Path | Sysmon EventID 3 | Mail Protocols, Application Layer Protocol | Anomaly | AgentTesla, Snake Keylogger | 2024-09-30 |
| Windows Ingress Tool Transfer Using Explorer | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Ingress Tool Transfer | Anomaly | DarkCrystal RAT | 2024-09-30 |
| Windows Ldifde Directory Object Behavior | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Ingress Tool Transfer, Domain Groups | TTP | Volt Typhoon | 2024-09-30 |
| Windows Mail Protocol In Non-Common Process Path | Sysmon EventID 3 | Mail Protocols, Application Layer Protocol | Anomaly | AgentTesla | 2024-09-30 |
| Windows Multi hop Proxy TOR Website Query | Sysmon EventID 22 | Mail Protocols, Application Layer Protocol | Anomaly | AgentTesla | 2024-09-30 |
| Windows Ngrok Reverse Proxy Usage | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Protocol Tunneling, Proxy, Web Service | Anomaly | CISA AA22-320A, CISA AA24-241A, Reverse Network Proxy | 2024-09-30 |
| Windows Protocol Tunneling with Plink | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Protocol Tunneling, SSH | TTP | CISA AA22-257A | 2024-09-30 |
| Windows Proxy Via Netsh | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Internal Proxy, Proxy | Anomaly | Volt Typhoon | 2024-09-30 |
| Windows Proxy Via Registry | Sysmon EventID 12, Sysmon EventID 13 | Internal Proxy, Proxy | Anomaly | Volt Typhoon | 2024-09-30 |
| Windows Remote Access Software BRC4 Loaded Dll | Sysmon EventID 7 | Remote Access Software, OS Credential Dumping | Anomaly | Brute Ratel C4 | 2024-09-30 |
| Windows Remote Access Software Hunt | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote Access Software | Hunting | Command And Control, Insider Threat, Ransomware | 2024-10-17 |
| Windows Remote Access Software RMS Registry | Sysmon EventID 12, Sysmon EventID 13 | Remote Access Software | TTP | Azorult | 2024-09-30 |
| Windows SQL Spawning CertUtil | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Ingress Tool Transfer | TTP | Flax Typhoon | 2024-10-17 |
| WinRAR Spawning Shell Application | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Ingress Tool Transfer | TTP | Compromised Windows Host, WinRAR Spoofing Attack CVE-2023-38831 | 2024-11-28 |
| Detect DGA domains using pretrained model in DSDL | | Domain Generation Algorithms | Anomaly | Command And Control, DNS Hijacking, Data Exfiltration, Dynamic DNS, Suspicious DNS Traffic | 2024-10-17 |
| Detect Large Outbound ICMP Packets | Palo Alto Network Traffic | Non-Application Layer Protocol | TTP | Command And Control | 2024-11-06 |
| Detect Outbound SMB Traffic | | File Transfer Protocols, Application Layer Protocol | TTP | DHS Report TA18-074A, Hidden Cobra Malware, NOBELIUM Group | 2024-10-16 |
| Detect Remote Access Software Usage DNS | Sysmon EventID 22 | Remote Access Software | Anomaly | CISA AA24-241A, Command And Control, Insider Threat, Ransomware | 2024-09-30 |
| Detect Remote Access Software Usage Traffic | Palo Alto Network Traffic | Remote Access Software | Anomaly | Command And Control, Insider Threat, Ransomware | 2024-09-30 |
| Detect suspicious DNS TXT records using pretrained model in DSDL | | Domain Generation Algorithms | Anomaly | Command And Control, DNS Hijacking, Suspicious DNS Traffic | 2024-10-17 |
| DNS Query Length Outliers - MLTK | | DNS, Application Layer Protocol | Anomaly | Command And Control, Hidden Cobra Malware, Suspicious DNS Traffic | 2024-10-17 |
| Excessive DNS Failures | | DNS, Application Layer Protocol | Anomaly | Command And Control, Suspicious DNS Traffic | 2024-10-17 |
| Ngrok Reverse Proxy on Network | Sysmon EventID 22 | Protocol Tunneling, Proxy, Web Service | Anomaly | CISA AA22-320A, CISA AA24-241A, Reverse Network Proxy | 2024-09-30 |
| SSL Certificates with Punycode | | Encrypted Channel | Hunting | OpenSSL CVE-2022-3602 | 2024-10-17 |
| TOR Traffic | Palo Alto Network Traffic | Proxy, Multi-hop Proxy | TTP | Command And Control, NOBELIUM Group, Prohibited Traffic Allowed or Protocol Mismatch, Ransomware | 2024-09-30 |
| Zeek x509 Certificate with Punycode | | Encrypted Channel | Hunting | OpenSSL CVE-2022-3602 | 2024-10-17 |
| Detect Remote Access Software Usage URL | Palo Alto Network Threat | Remote Access Software | Anomaly | CISA AA24-241A, Command And Control, Insider Threat, Ransomware | 2024-09-30 |
| Juniper Networks Remote Code Execution Exploit Detection | Suricata | Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter | TTP | Juniper JunOS Remote Code Execution | 2024-09-30 |