[Rule Tuning] SUNBURST Command and Control Activity (#2232)

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
TotalKnob
2022-08-26 18:11:22 +02:00
committed by GitHub
parent d37eac8d9d
commit 97e42d01d8
@@ -94,9 +94,13 @@ network where event.type == "protocol" and network.protocol == "http" and
"SolarWinds.BusinessLayerHostx64.exe",
"SolarWinds.Collector.Service.exe",
"SolarwindsDiagnostics.exe") and
(http.request.body.content : "*/swip/Upload.ashx*" and http.request.body.content : ("POST*", "PUT*")) or
(http.request.body.content : ("*/swip/SystemDescription*", "*/swip/Events*") and http.request.body.content : ("GET*", "HEAD*")) and
not http.request.body.content : "*solarwinds.com*"
(
(
(http.request.body.content : "*/swip/Upload.ashx*" and http.request.body.content : ("POST*", "PUT*")) or
(http.request.body.content : ("*/swip/SystemDescription*", "*/swip/Events*") and http.request.body.content : ("GET*", "HEAD*"))
) and
not http.request.body.content : "*solarwinds.com*"
)
'''