feat(threat-hunting): chisel proxy detection

2025-06-30 08:44:57 +00:00 · 2025-06-30 08:44:57 +00:00 · 1bde8ee4c6
parent 61e552b0ea
commit 1bde8ee4c6
1 changed files with 3 additions and 3 deletions
--- a/source/threat-hunting/index.md
+++ b/source/threat-hunting/index.md
@ -2,7 +2,7 @@
 title: Splunk Threat Hunting
 layout: page
 date: 2025-01-15
-updated: 2025-06-01
+updated: 2025-06-30
 ---

 Some searches utilise [cmdb_ci_list_lookup](https://gitlab.com/curben/splunk-scripts/-/tree/main/Splunk_TA_snow) lookup.
@ -1531,11 +1531,11 @@ SPL:

 ## Unauthorised Reverse Proxy Tunnel

-References: [1](https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c14)
+References: [1](https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c14), [chisel](https://unit42.paloaltonetworks.com/cybercriminals-attack-financial-sector-across-africa/#section2SubHeading4)
 SPL:

 ```spl
-| tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Endpoint.Processes WHERE index="windows" Processes.signature_id=4688 Processes.process_name IN ("ngrok.exe", "cloudflared.exe", "tailscale*.exe") BY index, host, Processes.signature_id, Processes.signature, Processes.process, Processes.user, _time span=1s
+| tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Endpoint.Processes WHERE index="windows" Processes.signature_id=4688 Processes.process_name IN ("ngrok.exe", "cloudflared.exe", "tailscale*.exe", "chisel*") BY index, host, Processes.signature_id, Processes.signature, Processes.process, Processes.user, _time span=1s
 | rename Processes.* AS *, signature_id AS EventCode, signature AS EventDescription
 | eval Time = strftime(_time, "%Y-%m-%d %H:%M:%S %z")
 | lookup ad_users sAMAccountName AS user OUTPUT displayName AS Name, mail AS Email