Analytics Story: Tuoni
Description
Tuoni is a sophisticated, cross-platform red teaming framework designed to enhance cybersecurity education and training through large-scale cyber defense exercises.
Why it matters
This Analytic Story helps you detect Tactics, Techniques and Procedures (TTPs) associated with Tuoni. A new wave of cyberattacks has emerged using the Tuoni C2 framework, a sophisticated tool that allows threat actors to deploy malicious payloads directly into system memory. This technique helps attackers evade traditional security solutions that rely on scanning files stored on disk. The Tuoni framework has gained attention in the cybersecurity community for its modular design and its ability to perform multiple attack variations without leaving significant traces on compromised systems.
Detections
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Cisco Network Visibility Module Flow Data | | cisco:nvm:flowdata | not_applicable |
| CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike |
| Sysmon EventID 1 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 17 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 18 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4688 | | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4703 | | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log System 7045 | | XmlWinEventLog | XmlWinEventLog:System |
Source: GitHub | Version: 1