security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 45 Packages Projects Releases Wiki Activity
Files
master
blue-team-tools/deprecated/windows/net_connection_win_binary_github_com.yml
T
Qasim Qlf 032d662cef Merge PR #4754 from @qasimqlf - Update ATT&CK mapping for multiple rules 
chore: update ATT&CK mapping for multiple rules
2024-03-06 17:33:49 +01:00

32 lines
1.0 KiB
YAML
Raw Permalink Blame History

title: Microsoft Binary Github Communication
id: 635dbb88-67b3-4b41-9ea5-a3af2dd88153
status: deprecated
description: Detects an executable in the Windows folder accessing github.com
references:
- https://twitter.com/M_haggis/status/900741347035889665
- https://twitter.com/M_haggis/status/1032799638213066752
- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1
author: Michael Haag (idea), Florian Roth (Nextron Systems)
date: 2017/08/24
modified: 2023/04/18
tags:
- attack.command_and_control
- attack.t1105
- attack.exfiltration
- attack.t1567.001
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
DestinationHostname|endswith:
- '.github.com'
- '.githubusercontent.com'
Image|startswith: 'C:\Windows\'
condition: selection
falsepositives:
- Unknown
- '@subTee in your network'
level: high
Reference in New Issue View Git Blame Copy Permalink