security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
ae6fcefbcdfcbf03e2981823e91754d5ca556e5d
blue-team-tools/rules/proxy/proxy_suspicious_reverse_connect_via_http_proxy.yml
T
Thomas Patzke 924e1feb54 UUIDs + moved unsupported logic 
* Added UUIDs to all contributed rules
* Moved unsupported logic directory out of rules/ because this breaks CI
  testing.
2019-12-19 23:56:36 +01:00

20 lines
603 B
YAML
Raw Blame History

title: Suspicious reverse connect via HTTP proxy
id: ef24fb9e-add2-4607-abd2-04ca3e9a590f
status: experimental
description: Detects auth on proxy-server by machine account (aka SYSTEM)
author: Ilyas Ochkov, oscd.community
references:
- https://blog.redxorblue.com/2019/09/proxy-aware-payload-testing.html
tags:
- attack.command_and_control
- attack.t1043
logsource:
category: proxy
detection:
selection:
username|re: '\S+\$$'
condition: selection
falsepositives:
- Update OS or other softs which start by SYSTEM
- User account with $ in attribute "SamAccountName"
Reference in New Issue View Git Blame Copy Permalink