← Library
kqlElastic-2.0from elastic/detection-rules

Halfbaked Command and Control Beacon

Quality
92
FP risk
Forks
0
Views
0
ATT&CK techniques
T1071T1071.001T1568T1568.002
Rule sourcerules/network/command_and_control_halfbaked_beacon.toml
(data_stream.dataset: (network_traffic.tls OR network_traffic.http) OR
  (event.category: (network OR network_traffic) AND network.protocol: http)) AND
  network.transport:tcp AND url.full:/http:\/\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\/cd/ AND
  destination.port:(53 OR 80 OR 8080 OR 443)