frack113
38 lines
1.1 KiB
YAML
38 lines
1.1 KiB
YAML
title: Chisel Tunneling Tool Usage
|
|
id: 8b0e12da-d3c3-49db-bb4f-256703f380e5
|
|
related:
|
|
- id: cf93e05e-d798-4d9e-b522-b0248dc61eaf
|
|
type: similar
|
|
status: experimental
|
|
description: Detects usage of the Chisel tunneling tool via the commandline arguments
|
|
references:
|
|
- https://github.com/jpillora/chisel/
|
|
- https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/
|
|
author: Florian Roth
|
|
date: 2022/09/13
|
|
tags:
|
|
- attack.command_and_control
|
|
- attack.t1090.001
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection_img:
|
|
Image|endswith: '\chisel.exe'
|
|
selection_param1:
|
|
CommandLine|contains:
|
|
- 'exe client '
|
|
- 'exe server '
|
|
selection_param2:
|
|
CommandLine|contains:
|
|
- ' --socks5'
|
|
- ' --reverse'
|
|
- ' r:'
|
|
- ':127.0.0.1:'
|
|
- ' --tls-skip-verify '
|
|
- ':socks'
|
|
condition: selection_img or all of selection_param*
|
|
falsepositives:
|
|
- Some false positives may occure with other tools with similar commandlines
|
|
level: high
|