Detection rules › Sigma
Obfuscated IP Via CLI
Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via command line
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
| Security-Auditing | 4688 | A new process has been created. |
Stages and Predicates
Stage 1: selection_img
or:
Image|endswith: '\arp.exe'
Image|endswith: '\ping.exe'
Stage 2: 1 of selection_ip_1
or:
CommandLine|contains: ' 0x'
CommandLine|contains: .00x
CommandLine|contains: .0x
CommandLine|contains: '//0x'
Stage 3: 1 of selection_ip_2
CommandLine|contains: '%2e'
CommandLine|contains: 'http://%'
Stage 4: 1 of selection_ip_3
or:
CommandLine|re: ' [0-7]{7,13}'
CommandLine|re: 'https?://(0[0-9]{1,11}\.){3}0[0-9]{1,11}'
CommandLine|re: 'https?://0[0-9]{1,11}'
CommandLine|re: 'https?://0[0-9]{3,11}'
CommandLine|re: 'https?://[0-9]{1,3}\.0[0-9]{3,7}'
CommandLine|re: 'https?://[0-9]{1,3}\.[0-9]{1,3}\.0[0-9]{3,4}'
Stage 5: not 1 of filter_main_valid_ip
CommandLine|re: 'https?://((25[0-5]|(2[0-4]|1\d|[1-9])?\d)(\.|\b)){4}'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
CommandLine | match |
|
CommandLine | regex_match |
|
Image | ends_with |
|