2022-09-13 13:38:10 +02:00
|
|
|
title: Chisel Tunneling Tool Usage
|
|
|
|
|
id: 8b0e12da-d3c3-49db-bb4f-256703f380e5
|
|
|
|
|
related:
|
|
|
|
|
- id: cf93e05e-d798-4d9e-b522-b0248dc61eaf
|
|
|
|
|
type: similar
|
|
|
|
|
status: experimental
|
|
|
|
|
description: Detects usage of the Chisel tunneling tool via the commandline arguments
|
|
|
|
|
references:
|
|
|
|
|
- https://github.com/jpillora/chisel/
|
2022-09-13 13:38:32 +02:00
|
|
|
- https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/
|
2022-12-07 02:26:21 +01:00
|
|
|
- https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/
|
2022-10-28 15:06:36 +02:00
|
|
|
author: Florian Roth
|
2022-09-13 13:38:10 +02:00
|
|
|
date: 2022/09/13
|
2022-12-07 02:26:21 +01:00
|
|
|
modified: 2022/12/07
|
2022-09-13 13:38:10 +02:00
|
|
|
tags:
|
|
|
|
|
- attack.command_and_control
|
|
|
|
|
- attack.t1090.001
|
|
|
|
|
logsource:
|
|
|
|
|
category: process_creation
|
|
|
|
|
product: windows
|
|
|
|
|
detection:
|
|
|
|
|
selection_img:
|
|
|
|
|
Image|endswith: '\chisel.exe'
|
|
|
|
|
selection_param1:
|
2022-10-28 15:06:36 +02:00
|
|
|
CommandLine|contains:
|
2022-09-13 13:38:10 +02:00
|
|
|
- 'exe client '
|
|
|
|
|
- 'exe server '
|
|
|
|
|
selection_param2:
|
|
|
|
|
CommandLine|contains:
|
2022-12-07 02:26:21 +01:00
|
|
|
- '-socks5'
|
|
|
|
|
- '-reverse'
|
2022-09-13 13:38:10 +02:00
|
|
|
- ' r:'
|
|
|
|
|
- ':127.0.0.1:'
|
2022-12-07 02:26:21 +01:00
|
|
|
- '-tls-skip-verify '
|
2022-09-13 13:38:10 +02:00
|
|
|
- ':socks'
|
|
|
|
|
condition: selection_img or all of selection_param*
|
|
|
|
|
falsepositives:
|
|
|
|
|
- Some false positives may occure with other tools with similar commandlines
|
|
|
|
|
level: high
|
