[tuning] LLM DNS queries (#5709)

* Update command_and_control_common_llm_endpoint.toml

* Update command_and_control_common_llm_endpoint.toml

* Update command_and_control_common_llm_endpoint.toml

* Apply suggestion from @w0rk3r

* Update command_and_control_common_llm_endpoint.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Samirbous
2026-02-13 13:54:52 +00:00
committed by GitHub
parent 60606ecd4e
commit 41a8256aa3
@@ -2,7 +2,7 @@
creation_date = "2025/09/01"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/09/05"
updated_date = "2026/02/10"
[rule]
@@ -58,6 +58,7 @@ severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Windows",
"OS: macOS",
"Use Case: Threat Detection",
"Tactic: Command and Control",
"Resources: Investigation Guide",
@@ -70,16 +71,19 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
network where host.os.type == "windows" and dns.question.name != null and
network where host.os.type in ("macos", "windows") and dns.question.name != null and
(
process.name : ("MSBuild.exe", "mshta.exe", "wscript.exe", "powershell.exe", "pwsh.exe", "msiexec.exe", "rundll32.exe",
"bitsadmin.exe", "InstallUtil.exe", "RegAsm.exe", "vbc.exe", "RegSvcs.exe", "python.exe", "regsvr32.exe", "dllhost.exe",
"node.exe", "javaw.exe", "java.exe", "*.pif", "*.com") or
"bitsadmin.exe", "InstallUtil.exe", "RegAsm.exe", "vbc.exe", "RegSvcs.exe", "regsvr32.exe", "dllhost.exe",
"node.exe", "javaw.exe", "java.exe", "*.pif", "*.com", "python*", "osascript", "Script Editor", "curl", "curl.exe", "deno",
"deno.exe", "node", "bun", "bun.exe") or
?process.code_signature.subject_name : ("AutoIt Consulting Ltd", "OpenJS Foundation", "Python Software Foundation") or
(
process.executable : ("?:\\Users\\*.exe", "?:\\ProgramData\\*.exe") and
process.executable : ("?:\\Users\\*.exe", "?:\\ProgramData\\*.exe", "/Users/Shared/*", "/Library/WebServer/*",
"/Users/*/Library/WebServer/*", "/Library/Graphics/*", "/Users/*/Library/Graphics/*", "/Library/Fonts/*",
"/Users/*/Library/Fonts/*", "/private/var/root/Library/HTTPStorages/*", "/tmp/*", "/var/tmp/*", "/private/tmp/*") and
(?process.code_signature.trusted == false or ?process.code_signature.exists == false)
)
) and
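Review bot: The macOS names added to the process.name list on the lines beginning `"bitsadmin.exe"` through `"deno.exe"` (`python*`, `osascript`, `curl`, `node`, `bun`, `deno`) sit in the unconstrained branch of the `or`, so on a macOS developer host any Python SDK call or `curl` to one of the listed domains matches regardless of code signature or path, unlike the executable-path branch that still requires `?process.code_signature.trusted == false or ?process.code_signature.exists == false`; `curl.exe` also ships in System32 on current Windows, so the same applies there. If the breadth is intentional and the exclusion list after `not process.executable : (` (which runs past the visible hunk) is what keeps the volume acceptable, it would help the next tuner to say so inline, since the query already uses EQL `//` comments: `// interpreters and CLI HTTP clients are matched by name only; FP reduction relies on the executable exclusions below`. Otherwise, consider moving the interpreter/CLI names on macOS behind the untrusted-signature-or-path condition so the two OS branches apply the same bar. The enclosing query string continues past the end of this hunk.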
@@ -122,7 +126,10 @@ network where host.os.type == "windows" and dns.question.name != null and
"perplexity.ai",
"poe.com",
"chat.forefront.ai",
"chat.deepseek.com"
"chat.deepseek.com",
// OpenClaw
"openclaw.ai"
) and
not process.executable : (