Network Connection Initiated To BTunnels Domains

    Date: 09/16/2024

    Severity: Medium

    Summary

    Detects network connections to BTunnels domains that are initiated by a system process. Attackers might exploit this capability to set up a reverse shell or maintain persistence on the machine.

    Indicators of Compromise (IOC) List

    Initiated: 'true'

    DestinationHostname: '.btunnel.co.in'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    ((resourcename = "Sysmon" AND eventtype = "3") AND initiated like "true") AND destinationhostname like ".btunnel.co.in"

    Detection Query 2

    (technologygroup = "EDR" AND initiated like "true") AND destinationhostname like ".btunnel.co.in"
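    The same detection logic as the two queries above, run over constructed Sysmon Event ID 3 records so the matching conditions can be tested offline. This is an added example, not Gurucul's or SigmaHQ's code; it assumes the `like` comparison on the hostname behaves as a case-insensitive suffix match, and the sample records are made up.

```python
# Added example: evaluate the BTunnels detection (Sysmon event 3, outbound,
# destination under .btunnel.co.in) over constructed log records.
# Not Gurucul's or SigmaHQ's code.
from typing import Dict, Iterable, List

SUSPICIOUS_SUFFIX = ".btunnel.co.in"  # from the IOC list on this page


def is_btunnel_connection(event: Dict[str, str]) -> bool:
    """True when a record matches: Sysmon Event ID 3, Initiated == 'true',
    DestinationHostname ending in .btunnel.co.in.
    Assumption: the query's 'like' is modelled as a suffix match, compared
    case-insensitively and ignoring a trailing dot on the hostname."""
    if event.get("EventID") != "3":
        return False
    if event.get("Initiated", "").lower() != "true":
        return False
    # Sysmon only fills DestinationHostname when it can resolve the address,
    # so a missing field is treated as no match rather than an error.
    host = event.get("DestinationHostname", "").rstrip(".").lower()
    return host.endswith(SUSPICIOUS_SUFFIX)


def find_btunnel_connections(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return every record that triggers the detection."""
    return [e for e in events if is_btunnel_connection(e)]


# Constructed sample records; field names follow Sysmon Event ID 3.
SAMPLE_EVENTS = [
    {"EventID": "3", "Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "Initiated": "true", "DestinationHostname": "abc123.btunnel.co.in", "DestinationPort": "443"},
    {"EventID": "3", "Image": r"C:\Windows\System32\svchost.exe",
     "Initiated": "true", "DestinationHostname": "update.example.com", "DestinationPort": "443"},
    {"EventID": "3", "Image": r"C:\Windows\System32\svchost.exe",  # inbound, not flagged
     "Initiated": "false", "DestinationHostname": "xyz.btunnel.co.in", "DestinationPort": "49152"},
    {"EventID": "3", "Image": r"C:\Users\alice\Downloads\tool.exe",  # mixed case, trailing dot
     "Initiated": "true", "DestinationHostname": "Tunnel7.BTUNNEL.CO.IN.", "DestinationPort": "80"},
    {"EventID": "3", "Image": r"C:\Users\alice\Downloads\tool.exe",  # unresolved destination
     "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": "443"},
]

if __name__ == "__main__":
    for hit in find_btunnel_connections(SAMPLE_EVENTS):
        print(f"ALERT: {hit['Image']} -> {hit['DestinationHostname']}:{hit['DestinationPort']}")
```

    The last sample record shows a gap to keep in mind: a connection whose destination was never resolved carries no DestinationHostname, so a hostname-based query cannot see it.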

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/network_connection/net_connection_win_domain_btunnels.yml 


    Tags

    Malware, Sigma, Exploit
