sigma icon indicating copy to clipboard operation
sigma copied to clipboard

Published 20 hours ago verified publisher icon SigmaHQ

Qemu c2 tunnel

Open faisalusuf opened this issue 11 months ago • 0 comments

Summary of the Pull Request

This rule detects an unusual tunling method reported by Kaspersky where Qemu binaries were used for C2 communication.

Reference

  • https://thehackernews.com/2024/03/cybercriminals-utilize-qemu-emulator-as.html
  • https://securelist.com/network-tunneling-with-qemu/111803/

Changelog

New rule

Example Log Event

https://securelist.com/network-tunneling-with-qemu/111803/

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

faisalusuf avatar Mar 21 '24 11:03 faisalusuf