Rule Info
Name
Network Connection Initiated To DevTunnels Domain
Author
Kamran Saifullah
Description
Detects network connections to DevTunnels domains initiated by a process on a system. Attackers can abuse the DevTunnels feature to establish a reverse shell or persistence on a machine.
Date
2023-11-20 00:00:00
Modified
None
Id
9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4
Tags
attack.exfiltration attack.t1567.001
Type
Community Rule
Link to Public Repo
Rule History

| Author | Title | Date | Commit |
|---|---|---|---|
| github-actions[bot] | Merge PR #5027 from @nasbench - Promote older rules status from `experimental` to `test` | 2024-10-01 | |
| Nasreddine Bencherchali | Merge PR #4950 from @nasbench - Comply With v2 Spec Changes | 2024-08-12 | |
| Nasreddine Bencherchali | Merge PR #4702 from @nasbench - Rule tuning and updates | 2024-02-12 | |
| Kamran Saifullah - Frog Man | Merge PR #4580 from @deFr0ggy - Update VsCode/DevTunnels Communication Related Rules | 2023-11-20 | |