Command And Control Detections

| Name | Data Source | Technique | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| Splunk Protocol Impersonation Weak Encryption Configuration | Splunk | Protocol or Service Impersonation | Hunting | Splunk Vulnerabilities | 2025-01-21 |
| Microsoft Intune Device Health Scripts | Azure Monitor Activity | Software Deployment Tools, Cloud Services, Indirect Command Execution, Ingress Tool Transfer | Hunting | Azure Active Directory Account Takeover | 2025-01-06 |
| Microsoft Intune Mobile Apps | Azure Monitor Activity | Software Deployment Tools, Cloud Services, Indirect Command Execution, Ingress Tool Transfer | Hunting | Azure Active Directory Account Takeover | 2025-01-07 |
| Any Powershell DownloadFile | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | PowerShell, Ingress Tool Transfer | TTP | Braodo Stealer, China-Nexus Threat Activity, Crypto Stealer, DarkCrystal RAT, Data Destruction, Earth Estries, Hermetic Wiper, Ingress Tool Transfer, Log4Shell CVE-2021-44228, Malicious PowerShell, PXA Stealer, Phemedrone Stealer | 2025-02-24 |
| Any Powershell DownloadString | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | PowerShell, Ingress Tool Transfer | TTP | Data Destruction, HAFNIUM Group, Hermetic Wiper, IcedID, Ingress Tool Transfer, Malicious PowerShell, Phemedrone Stealer, SysAid On-Prem Software CVE-2023-47246 Vulnerability, Winter Vivern | 2025-02-10 |
| BITSAdmin Download File | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | BITS Jobs, Ingress Tool Transfer | TTP | BITS Jobs, DarkSide Ransomware, Flax Typhoon, Gozi Malware, Ingress Tool Transfer, Living Off The Land | 2024-11-13 |
| CertUtil Download With URLCache and Split Arguments | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Ingress Tool Transfer | TTP | CISA AA22-277A, Compromised Windows Host, DarkSide Ransomware, Flax Typhoon, Forest Blizzard, Ingress Tool Transfer, Living Off The Land, ProxyNotShell | 2024-12-10 |
| CertUtil Download With VerifyCtl and Split Arguments | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Ingress Tool Transfer | TTP | Compromised Windows Host, DarkSide Ransomware, Ingress Tool Transfer, Living Off The Land | 2024-12-10 |
| Curl Download and Bash Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Ingress Tool Transfer | TTP | Compromised Windows Host, Ingress Tool Transfer, Linux Living Off The Land, Log4Shell CVE-2021-44228 | 2024-12-10 |
| Detect Certify Command Line Arguments | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Steal or Forge Authentication Certificates, Ingress Tool Transfer | TTP | Compromised Windows Host, Ingress Tool Transfer, Windows Certificate Services | 2024-12-10 |
| Detect Remote Access Software Usage File | Sysmon EventID 11 | Remote Access Software | Anomaly | CISA AA24-241A, Command And Control, Gozi Malware, Insider Threat, Ransomware, Remote Monitoring and Management Software | 2024-11-13 |
| Detect Remote Access Software Usage FileInfo | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote Access Software | Anomaly | Command And Control, Gozi Malware, Insider Threat, Ransomware, Remote Monitoring and Management Software | 2024-11-13 |
| Detect Remote Access Software Usage Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote Access Software | Anomaly | CISA AA24-241A, Command And Control, Gozi Malware, Insider Threat, Ransomware, Remote Monitoring and Management Software | 2024-11-13 |
| Detect Remote Access Software Usage Registry | Sysmon EventID 12, Sysmon EventID 13 | Remote Access Software | Anomaly | CISA AA24-241A, Command And Control, Gozi Malware, Insider Threat, Ransomware, Remote Monitoring and Management Software | 2025-01-10 |
| Download Files Using Telegram | Sysmon EventID 15 | Ingress Tool Transfer | TTP | Crypto Stealer, Phemedrone Stealer, Snake Keylogger, XMRig | 2024-11-13 |
| Linux Curl Upload File | Sysmon for Linux EventID 1 | Ingress Tool Transfer | TTP | Data Exfiltration, Ingress Tool Transfer, Linux Living Off The Land | 2024-11-13 |
| Linux Ingress Tool Transfer Hunting | Sysmon for Linux EventID 1 | Ingress Tool Transfer | Hunting | Ingress Tool Transfer, Linux Living Off The Land, XorDDos | 2024-12-19 |
| Linux Ingress Tool Transfer with Curl | Sysmon for Linux EventID 1 | Ingress Tool Transfer | Anomaly | Ingress Tool Transfer, Linux Living Off The Land, XorDDos | 2024-12-19 |
| Linux Ngrok Reverse Proxy Usage | Sysmon for Linux EventID 1 | Protocol Tunneling, Proxy, Web Service | Anomaly | Reverse Network Proxy | 2024-11-13 |
| Linux Proxy Socks Curl | Sysmon for Linux EventID 1 | Proxy, Non-Application Layer Protocol | TTP | Ingress Tool Transfer, Linux Living Off The Land | 2025-02-19 |
| Living Off The Land Detection | | Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services | Correlation | Living Off The Land | 2024-11-13 |
| Log4Shell CVE-2021-44228 Exploitation | | Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services | Correlation | CISA AA22-320A, Log4Shell CVE-2021-44228 | 2024-11-13 |
| LOLBAS With Network Traffic | Sysmon EventID 3 | Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution | TTP | Living Off The Land | 2024-12-16 |
| Potential Telegram API Request Via CommandLine | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Bidirectional Communication, Exfiltration Over C2 Channel | Anomaly | XMRig | 2025-02-19 |
| PowerShell Script Block With URL Chain | Powershell Script Block Logging 4104 | PowerShell, Ingress Tool Transfer | TTP | Malicious PowerShell | 2024-11-13 |
| PowerShell WebRequest Using Memory Stream | Powershell Script Block Logging 4104 | PowerShell, Ingress Tool Transfer, Fileless Storage | TTP | Malicious PowerShell, MoonPeak | 2024-11-13 |
| Suspicious Curl Network Connection | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Ingress Tool Transfer | TTP | Ingress Tool Transfer, Linux Living Off The Land, Silver Sparrow | 2024-11-13 |
| Wget Download and Bash Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Ingress Tool Transfer | TTP | Compromised Windows Host, Ingress Tool Transfer, Log4Shell CVE-2021-44228 | 2024-12-10 |
| Windows Abused Web Services | Sysmon EventID 22 | Web Service | TTP | CISA AA24-241A, NjRAT | 2024-11-13 |
| Windows App Layer Protocol Qakbot NamedPipe | Sysmon EventID 17, Sysmon EventID 18 | Application Layer Protocol | Anomaly | Qakbot | 2024-11-13 |
| Windows App Layer Protocol Wermgr Connect To NamedPipe | Sysmon EventID 17, Sysmon EventID 18 | Application Layer Protocol | Anomaly | Qakbot | 2024-11-13 |
| Windows Application Layer Protocol RMS Radmin Tool Namedpipe | Sysmon EventID 17, Sysmon EventID 18 | Application Layer Protocol | TTP | Azorult | 2024-11-13 |
| Windows CertUtil Download With URL Argument | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Ingress Tool Transfer | TTP | Ingress Tool Transfer, Living Off The Land | 2025-01-07 |
| Windows Curl Download to Suspicious Path | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Ingress Tool Transfer | TTP | Black Basta Ransomware, China-Nexus Threat Activity, Compromised Windows Host, Earth Estries, Forest Blizzard, IcedID, Ingress Tool Transfer | 2025-03-03 |
| Windows Curl Upload to Remote Destination | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Ingress Tool Transfer | TTP | Compromised Windows Host, Ingress Tool Transfer | 2024-12-10 |
| Windows DNS Query Request by Telegram Bot API | Sysmon EventID 22 | DNS, Bidirectional Communication | Anomaly | Crypto Stealer | 2025-02-10 |
| Windows File Transfer Protocol In Non-Common Process Path | Sysmon EventID 3 | Mail Protocols | Anomaly | AgentTesla, Snake Keylogger | 2025-02-10 |
| Windows Ingress Tool Transfer Using Explorer | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Ingress Tool Transfer | Anomaly | DarkCrystal RAT | 2024-11-13 |
| Windows Ldifde Directory Object Behavior | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Ingress Tool Transfer, Domain Groups | TTP | Volt Typhoon | 2024-11-13 |
| Windows Mail Protocol In Non-Common Process Path | Sysmon EventID 3 | Mail Protocols | Anomaly | AgentTesla | 2025-02-10 |
| Windows Multi hop Proxy TOR Website Query | Sysmon EventID 22 | Mail Protocols | Anomaly | AgentTesla | 2025-02-10 |
| Windows Ngrok Reverse Proxy Usage | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Protocol Tunneling, Proxy, Web Service | Anomaly | CISA AA22-320A, CISA AA24-241A, Reverse Network Proxy | 2024-11-13 |
| Windows Protocol Tunneling with Plink | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Protocol Tunneling, SSH | TTP | CISA AA22-257A | 2024-11-13 |
| Windows Proxy Via Netsh | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Internal Proxy | Anomaly | Volt Typhoon | 2025-02-10 |
| Windows Proxy Via Registry | Sysmon EventID 13 | Internal Proxy | Anomaly | Volt Typhoon | 2025-02-10 |
| Windows Remote Access Software BRC4 Loaded Dll | Sysmon EventID 7 | Remote Access Software, OS Credential Dumping | Anomaly | Brute Ratel C4 | 2024-11-13 |
| Windows Remote Access Software Hunt | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote Access Software | Hunting | Command And Control, Insider Threat, Ransomware | 2024-11-13 |
| Windows Remote Access Software RMS Registry | Sysmon EventID 13 | Remote Access Software | TTP | Azorult | 2024-11-13 |
| Windows SQL Spawning CertUtil | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Ingress Tool Transfer | TTP | Flax Typhoon, SQL Server Abuse | 2025-02-26 |
| WinRAR Spawning Shell Application | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Ingress Tool Transfer | TTP | Compromised Windows Host, WinRAR Spoofing Attack CVE-2023-38831 | 2024-12-10 |
| Detect DGA domains using pretrained model in DSDL | | Domain Generation Algorithms | Anomaly | Command And Control, DNS Hijacking, Data Exfiltration, Dynamic DNS, Suspicious DNS Traffic | 2024-11-15 |
| Detect Large Outbound ICMP Packets | Palo Alto Network Traffic | Non-Application Layer Protocol | TTP | Backdoor Pingpong, China-Nexus Threat Activity, Command And Control | 2025-02-24 |
| Detect Outbound SMB Traffic | | File Transfer Protocols | TTP | DHS Report TA18-074A, Hidden Cobra Malware, NOBELIUM Group | 2025-02-10 |
| Detect Remote Access Software Usage DNS | Sysmon EventID 22 | Remote Access Software | Anomaly | CISA AA24-241A, Command And Control, Insider Threat, Ransomware, Remote Monitoring and Management Software | 2024-11-15 |
| Detect Remote Access Software Usage Traffic | Palo Alto Network Traffic | Remote Access Software | Anomaly | Command And Control, Insider Threat, Ransomware, Remote Monitoring and Management Software | 2024-11-15 |
| Detect suspicious DNS TXT records using pretrained model in DSDL | | Domain Generation Algorithms | Anomaly | Command And Control, DNS Hijacking, Suspicious DNS Traffic | 2024-11-15 |
| DNS Query Length Outliers - MLTK | | DNS | Anomaly | Command And Control, Hidden Cobra Malware, Suspicious DNS Traffic | 2025-02-10 |
| Excessive DNS Failures | | DNS | Anomaly | Command And Control, Suspicious DNS Traffic | 2025-02-10 |
| Ngrok Reverse Proxy on Network | Sysmon EventID 22 | Protocol Tunneling, Proxy, Web Service | Anomaly | CISA AA22-320A, CISA AA24-241A, Reverse Network Proxy | 2024-11-15 |
| SSL Certificates with Punycode | | Encrypted Channel | Hunting | OpenSSL CVE-2022-3602 | 2024-11-15 |
| TOR Traffic | Palo Alto Network Traffic | Multi-hop Proxy | TTP | Command And Control, NOBELIUM Group, Prohibited Traffic Allowed or Protocol Mismatch, Ransomware | 2025-02-10 |
| Zeek x509 Certificate with Punycode | | Encrypted Channel | Hunting | OpenSSL CVE-2022-3602 | 2024-11-15 |
| Detect Remote Access Software Usage URL | Palo Alto Network Threat | Remote Access Software | Anomaly | CISA AA24-241A, Command And Control, Insider Threat, Ransomware, Remote Monitoring and Management Software | 2024-11-15 |
| Juniper Networks Remote Code Execution Exploit Detection | Suricata | Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter | TTP | Juniper JunOS Remote Code Execution | 2024-11-15 |