forked from SigmaHQ/sigma
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge PR SigmaHQ#4580 from @deFr0ggy - Update VsCode/DevTunnels Commu…
…nication Related Rules new: DNS Query To Devtunnels Domain - Split rule based on b3e6418f-7c7a-4fad-993a-93b65027a9f1 new: Network Connection Initiated To DevTunnels Domain new: Network Connection Initiated To Visual Studio Code Tunnels Domain update: DNS Query To Visual Studio Code Tunnels Domain - Update the rule to only focus on DNS requests from Vscode tunnels and move the logic of Devtunnels to another rule. To ease FP management for users that leverage one but not the other. --------- Co-authored-by: nasbench <[email protected]> Co-authored-by: phantinuss <[email protected]>
- Loading branch information
3 people
authored
Nov 20, 2023
1 parent
1cc2a6c
commit e506e45
Showing
4 changed files
with
109 additions
and
8 deletions.
There are no files selected for viewing
32 changes: 32 additions & 0 deletions
32
rules/windows/dns_query/dns_query_win_devtunnels_communication.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| title: DNS Query To Devtunnels Domain | ||
| id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b | ||
| related: | ||
| - id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 # Net Connection DevTunnels | ||
| type: similar | ||
| - id: 4b657234-038e-4ad5-997c-4be42340bce4 # Net Connection VsCode | ||
| type: similar | ||
| - id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 # DNS VsCode | ||
| type: similar | ||
| status: experimental | ||
| description: | | ||
| Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine. | ||
| references: | ||
| - https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2 | ||
| - https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security | ||
| - https://cydefops.com/devtunnels-unleashed | ||
| author: citron_ninja | ||
| date: 2023/10/25 | ||
| modified: 2023/11/20 | ||
| tags: | ||
| - attack.command_and_control | ||
| - attack.t1071.001 | ||
| logsource: | ||
| category: dns_query | ||
| product: windows | ||
| detection: | ||
| selection: | ||
| QueryName|endswith: '.devtunnels.ms' | ||
| condition: selection | ||
| falsepositives: | ||
| - Legitimate use of Devtunnels will also trigger this. | ||
| level: medium |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
32 changes: 32 additions & 0 deletions
32
rules/windows/network_connection/net_connection_win_devtunnel_connection.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| title: Network Connection Initiated To DevTunnels Domain | ||
| id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 | ||
| related: | ||
| - id: 4b657234-038e-4ad5-997c-4be42340bce4 # Net Connection VsCode | ||
| type: similar | ||
| - id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 # DNS VsCode | ||
| type: similar | ||
| - id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels | ||
| type: similar | ||
| status: experimental | ||
| description: | | ||
| Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine. | ||
| references: | ||
| - https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2 | ||
| - https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security | ||
| - https://cydefops.com/devtunnels-unleashed | ||
| author: Kamran Saifullah | ||
| date: 2023/11/20 | ||
| tags: | ||
| - attack.exfiltration | ||
| - attack.t1567.001 | ||
| logsource: | ||
| category: network_connection | ||
| product: windows | ||
| detection: | ||
| selection: | ||
| Initiated: 'true' | ||
| DestinationHostname|endswith: '.devtunnels.ms' | ||
| condition: selection | ||
| falsepositives: | ||
| - Legitimate use of Devtunnels will also trigger this. | ||
| level: medium |
32 changes: 32 additions & 0 deletions
32
rules/windows/network_connection/net_connection_win_vscode_tunnel_connection.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| title: Network Connection Initiated To Visual Studio Code Tunnels Domain | ||
| id: 4b657234-038e-4ad5-997c-4be42340bce4 | ||
| related: | ||
| - id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 # Net Connection DevTunnels | ||
| type: similar | ||
| - id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 # DNS VsCode | ||
| type: similar | ||
| - id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels | ||
| type: similar | ||
| status: experimental | ||
| description: | | ||
| Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine. | ||
| references: | ||
| - https://ipfyx.fr/post/visual-studio-code-tunnel/ | ||
| - https://badoption.eu/blog/2023/01/31/code_c2.html | ||
| - https://cydefops.com/vscode-data-exfiltration | ||
| author: Kamran Saifullah | ||
| date: 2023/11/20 | ||
| tags: | ||
| - attack.exfiltration | ||
| - attack.t1567.001 | ||
| logsource: | ||
| category: network_connection | ||
| product: windows | ||
| detection: | ||
| selection: | ||
| Initiated: 'true' | ||
| DestinationHostname|endswith: '.tunnels.api.visualstudio.com' | ||
| condition: selection | ||
| falsepositives: | ||
| - Legitimate use of Visual Studio Code tunnel will also trigger this. | ||
| level: medium |