Suspicious DNS Query with B64 Encoded String

level
status experimental

Detects suspicious DNS queries using base64 encoding

Known false-positives

  • Unknown

References

Raw rule (edit)

title: Suspicious DNS Query with B64 Encoded String
id: 4153a907-2451-4e4f-a578-c52bb6881432
status: experimental
description: Detects suspicious DNS queries using base64 encoding
author: Florian Roth
date: 2018/05/10
modified: 2021/08/09
references:
    - https://github.com/krmaxwell/dns-exfiltration
logsource:
    category: dns
detection:
    selection:
        query|contains: '==.'
    condition: selection
falsepositives:
    - Unknown
level: medium
tags:
    - attack.exfiltration
    - attack.t1048.003
    - attack.command_and_control
    - attack.t1071.004

Sponsored by

Phish Report logo
With Phish Report you can achieve streamlined phishing takedowns using your existing security team.