Yugoslavskiy Daniil
19 lines
562 B
YAML
19 lines
562 B
YAML
title: Suspicious reverse connect via HTTP proxy
|
|
status: experimental
|
|
description: Detects auth on proxy-server by machine account (aka SYSTEM)
|
|
author: Ilyas Ochkov, oscd.community
|
|
references:
|
|
- https://blog.redxorblue.com/2019/09/proxy-aware-payload-testing.html
|
|
tags:
|
|
- attack.command_and_control
|
|
- attack.t1043
|
|
logsource:
|
|
category: proxy
|
|
detection:
|
|
selection:
|
|
username|re: '\S+\$$'
|
|
condition: selection
|
|
falsepositives:
|
|
- Update OS or other softs which start by SYSTEM
|
|
- User account with $ in attribute "SamAccountName"
|