Techniques
Sample rules
PUA - Chisel Tunneling Tool Execution
- source: sigma
- techniques:
  - t1090
  - t1090.001
Description
Detects usage of the Chisel tunneling tool via the commandline arguments
Detection logic
condition: selection_img or all of selection_param*
selection_img:
  Image|endswith: \chisel.exe
selection_param1:
  CommandLine|contains:
    - 'exe client '
    - 'exe server '
selection_param2:
  CommandLine|contains:
    - -socks5
    - -reverse
    - ' r:'
    - ':127.0.0.1:'
    - '-tls-skip-verify '
    - :socks
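The following is an added example, not part of the Sigma rule or of this page: a small Python evaluator for the condition above, run over constructed process-creation events to show which combinations fire. The event values, file paths and the `match_chisel` and `run` names are assumptions made for illustration.

```python
# Minimal evaluator for this one rule's condition (not a general Sigma engine).
# Sigma string modifiers such as endswith/contains match case-insensitively by
# default, and a list of values under one field is an OR.

IMG_SUFFIX = "\\chisel.exe"
PARAM1 = ["exe client ", "exe server "]
PARAM2 = ["-socks5", "-reverse", " r:", ":127.0.0.1:", "-tls-skip-verify ", ":socks"]


def contains_any(value, needles):
    """True if any needle occurs in value, ignoring case."""
    lowered = value.lower()
    return any(n.lower() in lowered for n in needles)


def match_chisel(event):
    """condition: selection_img or all of selection_param*"""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    selection_img = image.lower().endswith(IMG_SUFFIX)
    selection_param1 = contains_any(cmdline, PARAM1)
    selection_param2 = contains_any(cmdline, PARAM2)
    return selection_img or (selection_param1 and selection_param2)


# Constructed sample events (not real telemetry).
EVENTS = [
    # Image name alone satisfies selection_img.
    {"Image": r"C:\Tools\chisel.exe", "CommandLine": r"chisel.exe --help"},
    # Different image name, but both parameter selections match.
    {"Image": r"C:\Users\Public\svc.exe",
     "CommandLine": r"svc.exe client 192.0.2.10:8080 R:socks"},
    # selection_param1 only: "all of selection_param*" is not satisfied.
    {"Image": r"C:\Users\Public\svc.exe",
     "CommandLine": r"svc.exe client --config app.json"},
    # selection_param2 only (":127.0.0.1:" in an unrelated tool's arguments).
    {"Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "CommandLine": r"ssh -L 8080:127.0.0.1:80 host.example"},
]


def run():
    """Return the rule verdict for each constructed event, in order."""
    return [match_chisel(e) for e in EVENTS]


if __name__ == "__main__":
    for event, hit in zip(EVENTS, run()):
        print(f"{'ALERT' if hit else 'no match':8}  {event['CommandLine']}")
```
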