LoFP / unlikely, because no sane admin pings ip addresses in a hexadecimal form

Techniques

• t1027
• t1140

Sample rules

Ping Hex IP

• source: sigma
• technicques:
  • t1027
  • t1140

Description

Detects a ping command that uses a hex encoded IP address

Detection logic

condition: selection
selection:
  CommandLine|contains: 0x
  Image|endswith: \ping.exe