This section displays SIGMA rules belonging to category Network. It updates itself automatically when new commits are available in quasarops.
| Title | Equation Group C2 Communication |
|---|---|
| rule_category | network |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/network/net_apt_equationgroup_c2.yml |
| author | Florian Roth |
| status | |
| date | 2017/04/15 |
| description | Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools |
| tags | attack.command_and_control attack.g0020 |
| Title | Possible DNS Tunneling |
|---|---|
| rule_category | network |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/network/net_dns_c2_detection.yml |
| author | Patrick Bareiss |
| status | experimental |
| date | 2019/04/07 |
| description | Normally, DNS logs contain a limited amount of different dns queries for a single domain. This rule detects a high amount of queries for a single domain, which can be an indicator that DNS is used to transfer data. |
| tags | attack.t1043 |
| Title | Cobalt Strike DNS Beaconing |
|---|---|
| rule_category | network |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/network/net_mal_dns_cobaltstrike.yml |
| author | Florian Roth |
| status | experimental |
| date | 2018/05/10 |
| description | Detects suspicious DNS queries known from Cobalt Strike beacons |
| tags |
| Title | Suspicious DNS Query with B64 Encoded String |
|---|---|
| rule_category | network |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/network/net_susp_dns_b64_queries.yml |
| author | Florian Roth |
| status | experimental |
| date | 2018/05/10 |
| description | Detects suspicious DNS queries using base64 encoding |
| tags |
| Title | DNS TXT Answer with Possible Execution Strings |
|---|---|
| rule_category | network |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/network/net_susp_dns_txt_exec_strings.yml |
| author | Markus Neis |
| status | experimental |
| date | 2018/08/08 |
| description | Detects strings used in command execution in DNS TXT Answer |
| tags | attack.t1071 |
| Title | Network Scans |
|---|---|
| rule_category | network |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/network/net_susp_network_scan.yml |
| author | Thomas Patzke |
| status | |
| date | 2017/02/19 |
| description | Detects many failed connection attempts to different ports or hosts |
| tags |
| Title | Telegram Bot API Request |
|---|---|
| rule_category | network |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/network/net_susp_telegram_api.yml |
| author | Florian Roth |
| status | experimental |
| date | 2018/06/05 |
| description | Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind |
| tags |
| Title | Kerberos Network Traffic RC4 Ticket Encryption |
|---|---|
| rule_category | network |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/network/zeek_susp_kerberos_rc4.yml |
| author | |
| status | experimental |
| date | 2020/02/12 |
| description | Detects kerberos TGS request using RC4 encryption which may be indicative of kerberoasting |
| tags | attack.credential_access attack.t1208 |