Find sigma rule

Attack: Exfiltration Over C2 Channel

Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.

MITRE

Tactic

exfiltration

technique

T1041

Test : C2 Data Exfiltration

OS

windows

Description:

Exfiltrates a file present on the victim machine to the C2 server.

Executor

powershell

Sigma Rule

posh_ps_web_request_cmd_and_cmdlets.yml (id: 1139d2e2-84b1-4226-b445-354492eba8ba)
posh_ps_script_with_upload_capabilities.yml (id: d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb)
net_connection_win_powershell_network_connection.yml (id: 1f21ec3f-810d-4b0e-8045-322202e22b4b)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test