Analytics Story: Tuoni
Description
Tuoni is a sophisticated, cross-platform red teaming framework designed to enhance cybersecurity education and training through large-scale cyber defense exercises.
Why it matters
This Analytic Story helps you detect the Tactics, Techniques and Procedures (TTPs) associated with Tuoni. A new wave of cyberattacks has emerged that uses the Tuoni C2 framework, a sophisticated tool that lets threat actors deploy malicious payloads directly into system memory. Running in memory helps attackers evade traditional security solutions that rely on scanning files stored on disk. The Tuoni framework has gained attention in the cybersecurity community for its modular design and its ability to carry out multiple attack variations without leaving significant traces on compromised systems.
Detections
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Windows Event Log Security 4703 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Sysmon EventID 18 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 17 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike |
| Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Cisco Network Visibility Module Flow Data | | cisco:nvm:flowdata | not_applicable |
| Windows Event Log System 7045 | Windows | XmlWinEventLog | XmlWinEventLog:System |
| Suricata | Other | suricata | not_applicable |
References
- https://www.infosecurity-magazine.com/news/ai-tuoni-framework-targets-us-real/
- https://github.com/shell-dot/tuoni
- https://cybersecuritynews.com/hackers-using-leverage-tuoni-c2-framework-tool/
Source: GitHub | Version: 2