Network Connection Initiated To BTunnels Domains
- source: sigma
- techniques:
- t1567
- t1567.001
Description
Detects network connections to BTunnels domains initiated by a process on the system. Attackers can abuse this tunneling service to establish a reverse shell or persistence on a machine.
Detection logic
detection:
  selection:
    DestinationHostname|endswith: '.btunnel.co.in'
    Initiated: 'true'
  condition: selection
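The following is an added example, not part of the rule page: a minimal evaluator for this rule's selection, run over constructed records shaped like Sysmon Event ID 3 (network connection) fields. Sigma string modifiers such as `|endswith` compare case-insensitively by default, so both sides are lowercased. The process images, hostnames and ports in the sample events are constructed values, not real telemetry.

```python
# Added example (not the rule's own tooling): evaluate this Sigma selection over
# constructed Sysmon Event ID 3 records. Field names follow Sysmon; values are made up.

SELECTION = {
    "DestinationHostname|endswith": ".btunnel.co.in",
    "Initiated": "true",
}


def field_matches(event, field_spec, expected):
    """Evaluate one Sigma field (with optional |modifier) against a single event dict."""
    if "|" in field_spec:
        field, modifier = field_spec.split("|", 1)
    else:
        field, modifier = field_spec, None
    value = event.get(field)
    if value is None:
        return False
    # Sigma string matching is case-insensitive unless a cased modifier is used.
    value = str(value).lower()
    expected = str(expected).lower()
    if modifier is None:
        return value == expected
    if modifier == "endswith":
        return value.endswith(expected)
    raise ValueError(f"unsupported modifier: {modifier}")


def rule_matches(event):
    """condition: selection -- every entry in the selection map must match (implicit AND)."""
    return all(field_matches(event, spec, exp) for spec, exp in SELECTION.items())


# Constructed sample events (assumed shapes, not captured logs).
SAMPLE_EVENTS = [
    # Outbound connection to a BTunnels subdomain: should alert.
    {"Image": r"C:\Users\alice\Downloads\agent.exe",
     "DestinationHostname": "demo-host.btunnel.co.in", "DestinationPort": 443, "Initiated": "true"},
    # Ordinary outbound traffic: should not alert.
    {"Image": r"C:\Windows\System32\svchost.exe",
     "DestinationHostname": "update.example.com", "DestinationPort": 443, "Initiated": "true"},
    # Inbound connection from a BTunnels host: Initiated is false, so no alert.
    {"Image": r"C:\Windows\System32\svchost.exe",
     "DestinationHostname": "Other.BTUNNEL.CO.IN", "DestinationPort": 3389, "Initiated": "false"},
    # Lookalike name that merely contains the string: does not end with it, so no alert.
    {"Image": r"C:\Users\alice\AppData\Local\Temp\x.exe",
     "DestinationHostname": "btunnel.co.in.example.net", "DestinationPort": 80, "Initiated": "true"},
]


def find_matches(events):
    """Return the events that satisfy the rule."""
    return [e for e in events if rule_matches(e)]


if __name__ == "__main__":
    for e in find_matches(SAMPLE_EVENTS):
        print(f"ALERT: {e['Image']} -> {e['DestinationHostname']}:{e['DestinationPort']}")
```

Two properties of the rule become visible here: the `Initiated: 'true'` clause filters out inbound connections, so only processes that reach out to the tunnel service trigger, and the leading dot in `.btunnel.co.in` means a connection to the apex name alone would not match, only subdomains of it.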