Potentially Suspicious Usage Of Qemu - Remote Connection To External IP

Rule Info

Name
Potentially Suspicious Usage Of Qemu - Remote Connection To External IP
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects potentially suspicious execution of the Qemu utility in a Windows environment connecting to an external IP address. Threat actors have leveraged this utility and this technique to achieve network access, as reported by Kaspersky.
Date
2024-06-04 00:00:00
Modified
None
Id
e16d848f-3de8-4f2d-bbbb-f89a101f954f
Tags
attack.command_and_control attack.t1090 attack.t1572
Type
Nextron Sigma feed only (private)

Rule History