Detects usage of the Chisel tunneling tool via the commandline arguments
title: PUA - Chisel Tunneling Tool Execution
id: 8b0e12da-d3c3-49db-bb4f-256703f380e5
related:
- id: cf93e05e-d798-4d9e-b522-b0248dc61eaf
type: similar
status: test
description: Detects usage of the Chisel tunneling tool via the commandline arguments
references:
- https://github.com/jpillora/chisel/
- https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/
- https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/
author: Florian Roth (Nextron Systems)
date: 2022-09-13
modified: 2023-02-13
tags:
- attack.command-and-control
- attack.t1090.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith: '\chisel.exe'
selection_param1:
CommandLine|contains:
- 'exe client '
- 'exe server '
selection_param2:
CommandLine|contains:
- '-socks5'
- '-reverse'
- ' r:'
- ':127.0.0.1:'
- '-tls-skip-verify '
- ':socks'
condition: selection_img or all of selection_param*
falsepositives:
- Some false positives may occur with other tools with similar commandlines
level: high
imProcessCreate
| where TargetProcessName endswith "\\chisel.exe" or ((TargetProcessCommandLine contains "exe client " or TargetProcessCommandLine contains "exe server ") and (TargetProcessCommandLine contains "-socks5" or TargetProcessCommandLine contains "-reverse" or TargetProcessCommandLine contains " r:" or TargetProcessCommandLine contains ":127.0.0.1:" or TargetProcessCommandLine contains "-tls-skip-verify " or TargetProcessCommandLine contains ":socks"))| Sentinel Table | Notes |
|---|---|
imProcessCreate | Ensure this data connector is enabled |