Techniques
Sample rules
Bpfdoor TCP Ports Redirect
- source: sigma
- technicques:
- t1562
- t1562.004
Description
All TCP traffic on particular port from attacker is routed to different port. ex. ‘/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 –dport 22 -j REDIRECT –to-ports 42392’ The traffic looks like encrypted SSH communications going to TCP port 22, but in reality is being directed to the shell port once it hits the iptables rule for the attacker host only.
Detection logic
cmd:
a0|endswith: iptables
a1: -t
a2: nat
type: EXECVE
condition: cmd and keywords
keywords:
- --to-ports 42
- --to-ports 43