attack.t1071.004

Chafer Activity
level
status experimental

Detects Chafer activity attributed to OilRig, as reported in the Nyotron report from March 2018

DNSCat2 Powershell Implementation Detection Via Process Creation
level
status test

The PowerShell implementation of DNSCat2 calls nslookup to craft its queries. Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if the PowerShell DNSCat2 client is active locally.

Silence.EDA Detection
level
status test

Detects the Silence group's EmpireDNSAgent (EDA)

High TXT Records Requests Rate
level
status test

Detects an extremely high rate of TXT-record DNS requests from a host within a short period of time, a possible result of the Do-exfiltration tool being executed

High NULL Records Requests Rate
level
status test

Detects an extremely high rate of NULL-record DNS requests from a host within a short period of time, a possible result of the iodine tunneling tool being executed

High DNS Requests Rate
level
status experimental

Detects a high number of DNS requests from a host within a short period of time

High DNS Requests Rate
level
status experimental

Detects a high number of DNS requests from a host within a short period of time

Possible DNS Tunneling
level
status test

Normally, DNS logs contain a limited number of distinct DNS queries for a single domain. This rule detects a high number of queries for a single domain, which can indicate that DNS is being used to transfer data.

Suspicious DNS Query with B64 Encoded String
level
status experimental

Detects suspicious DNS queries that contain base64-encoded strings

Cobalt Strike DNS Beaconing
level
status experimental

Detects suspicious DNS queries known from Cobalt Strike beacons

Suspicious Cobalt Strike DNS Beaconing
level
status experimental

Detects a process that issued suspicious DNS queries known from Cobalt Strike beacons

DNS TXT Answer with Possible Execution Strings
level
status test

Detects strings used for command execution inside DNS TXT answers

DNS Tunnel Technique from MuddyWater
level
status test

Detects DNS tunneling activity associated with the MuddyWater actor
