This rule identifies requests made to atypical URLs, since malware can use raw IP addresses to communicate with command-and-control (C2) servers. The detection identifies network requests that contain an IP address either in plain text or Base64-encoded. An alert is triggered when a private IP address is observed, as plain text or Base64-encoded, in an outbound web request. This method of concealing the IP address was observed in POLONIUM's use of the RunningRAT tool.
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | Web Session Essentials |
| ID | e3a7722a-e099-45a9-9afb-6618e8f05405 |
| Severity | Medium |
| Status | Available |
| Kind | Scheduled |
| Tactics | Exfiltration, CommandAndControl |
| Techniques | T1041, T1071.001, T1001 |
| Source | View on GitHub |
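The check described above, as an added example that is not the rule's own KQL query: a Python scanner that flags private IPv4 addresses appearing in a request URL either in plain text or Base64-encoded. It goes slightly beyond the rule's description by trying all four Base64 alignments and both the standard and URL-safe alphabets, so an address hidden inside a longer encoded path segment is still recovered. The sample log lines, hostnames and source addresses are constructed for the example.

```python
"""Added example: flag outbound web requests whose URL carries a private IPv4
address, either in plain text or Base64-encoded. This is illustrative code,
not the Sentinel rule's own query."""
import base64
import binascii
import ipaddress
import re
from urllib.parse import unquote

# Dotted quad that is not glued to further digits or dots (avoids version strings)
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# Runs of Base64 alphabet (standard or URL-safe) long enough to hold an address
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/_-]{8,}={0,2}")


def private_ipv4s(text):
    """Return the private (RFC 1918, loopback, link-local) IPv4 strings in text."""
    hits = []
    for m in IPV4_RE.finditer(text):
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
            continue
        if ip.is_private:
            hits.append(str(ip))
    return hits


def base64_decodings(token):
    """Yield plausible decodings of a Base64-looking token.

    Four starting offsets are tried because an encoded value embedded in a
    longer run only decodes correctly from one alignment mod 4; both the
    standard and the URL-safe alphabet are attempted. Invalid chunks are skipped.
    """
    for offset in range(4):
        chunk = token[offset:].rstrip("=")
        chunk += "=" * (-len(chunk) % 4)  # restore padding for the chosen alignment
        for decoder in (base64.b64decode, base64.urlsafe_b64decode):
            try:
                yield decoder(chunk).decode("latin-1")  # never raises on bytes
            except (binascii.Error, ValueError):
                continue


def scan_url(url):
    """Classify one URL: private IPs in plain text and ones hidden in Base64."""
    decoded_url = unquote(url)  # %3D -> '=' etc., so padding survives URL encoding
    plain = private_ipv4s(decoded_url)
    hidden = []
    for token in B64_TOKEN_RE.findall(decoded_url):
        for text in base64_decodings(token):
            for ip in private_ipv4s(text):
                if ip not in hidden:
                    hidden.append(ip)
    return {"plain": plain, "base64": hidden}


def scan_requests(log_lines):
    """Run the check over constructed 'src_ip<TAB>url' lines and return alerts."""
    alerts = []
    for line in log_lines:
        src, url = line.rstrip("\n").split("\t", 1)
        result = scan_url(url)
        if result["plain"] or result["base64"]:
            alerts.append({"src": src, "url": url, **result})
    return alerts


# Constructed sample web-session log lines (not real traffic or real hosts)
SAMPLE_LOG = [
    "172.16.4.20\thttps://cdn.example.test/static/app.js",          # benign
    "172.16.4.21\thttps://example.test/api?cb=10.0.0.5",            # plain private IP
    "172.16.4.22\thttps://example.test/p/MTkyLjE2OC4xLjEw",         # b64("192.168.1.10")
    "172.16.4.23\thttps://example.test/dl?d=MTAuMC4wLjE%3D",        # b64("10.0.0.1"), URL-encoded
    "172.16.4.24\thttps://example.test/?resolver=8.8.8.8",          # public IP, no alert
]

if __name__ == "__main__":
    for alert in scan_requests(SAMPLE_LOG):
        print(alert)
```

Only the URL is scanned, not the client address, so internal source IPs in the log do not trigger the check themselves; in a real pipeline the same `scan_url` would be applied to the request URL field of each web-session record.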