
Command and Control Detection

Anvilogic Forge

Summary
This detection rule identifies potential command and control (C2) activity by monitoring network events associated with known malicious sources, such as suspicious IP addresses and domains. It specifically looks for events generated by processes that communicate over application-layer and non-application-layer protocols. The rule applies to environments that generate Windows event logs, and it references threat actors such as APT29 and APT32 as well as software tools like Alchimist and Remcos RAT, which are known for their command and control capabilities. The rule uses Splunk logic to filter and query for specific event codes (such as EventCode=5156) that indicate a network connection was established, allowing analysts to correlate these connections with known malicious indicators.
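As an added illustration (not the Forge rule's own Splunk logic, which this page does not reproduce), the Python below mirrors the approach the summary describes over a constructed set of EventCode 5156 events (the Windows Filtering Platform permitted a connection): it parses the key/value message body, keeps permitted outbound connections, checks the destination against a constructed indicator list, and tags each hit with the ATT&CK technique it most resembles. The indicator ranges, the sample process names and the port/protocol-to-technique mapping are assumptions made for the example.

```python
import ipaddress
import re

# Constructed indicator list standing in for a threat-intel feed (documentation ranges, not real IoCs).
MALICIOUS_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]
WEB_PORTS = {80, 443, 8080}                 # assumed mapping to T1071.001 (Web Protocols)
NON_APP_PROTOCOLS = {1: "ICMP", 47: "GRE"}  # assumed mapping to T1095 (Non-Application Layer Protocol)
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$", re.MULTILINE)

# Constructed EventCode 5156 message bodies in the key/value layout Windows writes them in.
SAMPLE_EVENTS = [
    "EventCode=5156\nApplication Name: \\device\\harddiskvolume2\\users\\alice\\appdata\\local\\temp\\update.exe\n"
    "Direction: Outbound\nSource Address: 10.0.0.25\nDestination Address: 203.0.113.17\nDestination Port: 443\nProtocol: 6",
    "EventCode=5156\nApplication Name: \\device\\harddiskvolume2\\program files\\browser\\browser.exe\n"
    "Direction: Outbound\nSource Address: 10.0.0.25\nDestination Address: 192.0.2.10\nDestination Port: 443\nProtocol: 6",
    "EventCode=5156\nApplication Name: \\device\\harddiskvolume2\\windows\\system32\\svchost.exe\n"
    "Direction: Inbound\nSource Address: 203.0.113.5\nDestination Address: 10.0.0.25\nDestination Port: 445\nProtocol: 6",
    "EventCode=5156\nApplication Name: \\device\\harddiskvolume2\\users\\alice\\appdata\\roaming\\svc.exe\n"
    "Direction: Outbound\nSource Address: 10.0.0.25\nDestination Address: 198.51.100.7\nDestination Port: 0\nProtocol: 1",
]

def parse_5156(message):
    """Turn the EventCode line plus the key/value body of a 5156 event into a dict of strings."""
    event = {"EventCode": int(re.search(r"EventCode=(\d+)", message).group(1))}
    event.update(dict(FIELD_RE.findall(message)))
    return event

def classify(event):
    """Heuristic (assumed, not the rule's own logic) mapping of a connection to the rule's ATT&CK techniques."""
    proto = int(event["Protocol"])
    if proto in NON_APP_PROTOCOLS:
        return "T1095"
    if proto in (6, 17) and int(event["Destination Port"]) in WEB_PORTS:
        return "T1071.001"
    return "other"

def detect_c2(messages):
    """Return one finding per permitted outbound connection whose destination is a known-bad address."""
    findings = []
    for msg in messages:
        event = parse_5156(msg)
        if event["EventCode"] != 5156 or event.get("Direction") != "Outbound":
            continue  # only permitted outbound connections can be beaconing to a C2 server
        dst = ipaddress.ip_address(event["Destination Address"])
        if any(dst in net for net in MALICIOUS_NETWORKS):
            findings.append({"process": event["Application Name"], "dest": str(dst),
                             "dport": int(event["Destination Port"]), "technique": classify(event)})
    return findings
```

In a real deployment the indicator list would come from the threat-intelligence feed the rule references and the events from the Splunk search, but the correlation step is the same.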
Categories
  • Endpoint
Data Sources
  • Windows Registry
  • Network Traffic
  • Process
  • Application Log
ATT&CK Techniques
  • T1071.001
  • T1095
Created: 2024-02-09