Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Profile: base/network.toml

Source

  • Original path: profiles/base/network.toml

Profile (TOML)

# Network Operations Profile
# Detects network-related operations and potential data exfiltration

decode = ["base64", "percent-encoding"]

[[patterns]]
  name = "HTTP URL"
  pattern = "https?://(?:[a-zA-Z0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+"
  type = "regex"

[[patterns]]
  name = "FTP URL"
  pattern = "ftp://(?:[a-zA-Z0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+"
  type = "regex"

[[patterns]]
  name = "WebSocket URL"
  pattern = "wss?://(?:[a-zA-Z0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+"
  type = "regex"

[[patterns]]
  name = "Socket Connection"
  pattern = "(?:socket\\.(?:socket|connect)|new\\s+Socket|ServerSocket|DatagramSocket)"
  type = "regex"

[[patterns]]
  name = "URL Connection"
  pattern = "(?:URL|HttpURLConnection|URLConnection|HttpClient)\\.(?:openConnection|connect)"
  type = "regex"

[[patterns]]
  name = "wget Command"
  pattern = "wget\\s+(?:-[a-zA-Z0-9]+\\s+)*https?://"
  type = "regex"

[[patterns]]
  name = "curl Command"
  pattern = "curl\\s+(?:-[a-zA-Z0-9]+\\s+)*https?://"
  type = "regex"

[[patterns]]
  name = "Netcat Usage"
  pattern = "(?:nc|netcat)\\s+-[a-z]*[el]"
  type = "regex"

[[patterns]]
  name = "DNS Query"
  pattern = "(?:nslookup|dig|host)\\s+[a-zA-Z0-9.-]+"
  type = "regex"

[[patterns]]
  name = "Port Scanning"
  pattern = "(?:nmap|masscan|zmap)\\s+"
  type = "regex"

[[patterns]]
  name = "Proxy Configuration"
  pattern = "(?:proxy|socks)\\s*[:=]\\s*(?:https?://)?[a-zA-Z0-9.-]+:[0-9]+"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Base64 Encoded URL"
  pattern = "aHR0c(?:HM6|DovL)[A-Za-z0-9+/=]+"
  type = "regex"

[[patterns]]
  name = "Data Exfiltration (POST)"
  pattern = "POST\\s+/.*\\s+HTTP/1\\.[01]"
  type = "regex"

[[patterns]]
  name = "HTTP Header Manipulation"
  pattern = "(?:setRequestHeader|addHeader|setHeader)\\("
  type = "regex"

[[patterns]]
  name = "Cookie Manipulation"
  pattern = "document\\.cookie\\s*="
  type = "regex"

[[patterns]]
  name = "XMLHttpRequest"
  pattern = "new\\s+XMLHttpRequest\\(\\)"
  type = "regex"

[[patterns]]
  name = "Fetch API"
  pattern = "fetch\\s*\\("
  type = "regex"

[[patterns]]
  name = "Network Interface"
  pattern = "NetworkInterface\\.getNetworkInterfaces\\(\\)"
  type = "regex"

[[patterns]]
  name = "IP Configuration"
  pattern = "(?:ifconfig|ipconfig|ip\\s+addr)"
  type = "regex"

[[patterns]]
  name = "Remote Desktop"
  pattern = "(?:rdp|vnc|teamviewer|anydesk)://[a-zA-Z0-9.-]+(?::[0-9]+)?"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "SSH Connection"
  pattern = "ssh\\s+(?:[a-zA-Z0-9._-]+@)?[a-zA-Z0-9.-]+"
  type = "regex"

[[patterns]]
  name = "Localhost Connection"
  pattern = "(?:localhost|127\\.0\\.0\\.1|0\\.0\\.0\\.0|\\[::\\]):[0-9]+"
  type = "regex"

[[patterns]]
  name = "C2 Beacon Pattern"
  pattern = "(?:beacon|heartbeat|checkin).*https?://"
  case-insensitive = true
  type = "regex"

[[signatures]]
  name = "Files with Multiple Network Operations"
  query = "SELECT sha256, COUNT(DISTINCT pattern_name) as net_ops FROM pattern_matches WHERE pattern_name LIKE '%URL%' OR pattern_name LIKE '%Socket%' OR pattern_name LIKE '%Connection%' GROUP BY sha256 HAVING net_ops > 3"

[[signatures]]
  name = "Potential Data Exfiltration"
  query = "SELECT DISTINCT sha256 FROM pattern_matches WHERE pattern_name IN ('Data Exfiltration (POST)', 'Base64 Encoded URL', 'HTTP URL')"