title: Ping Hex IP
description: Detects a ping command that uses a hex encoded IP address
references:
    - https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna
    - https://twitter.com/vysecurity/status/977198418354491392
author: Florian Roth
date: 2018/03/23
tags:
    - attack.defense_evasion
    - attack.t1140
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine:
            - '*\ping.exe 0x*'
            - '*\ping 0x*'
    condition: selection
fields:
    - ParentCommandLine
falsepositives:
    - Unlikely, because no sane admin pings IP addresses in a hexadecimal form
level: high