SigmaHQ/rules/network/net_susp_dns_txt_exec_strings.yml

title: DNS TXT Answer with possible execution strings    
status: experimental
description: Detects strings used in command execution in DNS TXT Answer 
references:
    - https://twitter.com/stvemillertime/status/1024707932447854592
    - https://github.com/samratashok/nishang/blob/master/Backdoors/DNS_TXT_Pwnage.ps1
tags:
    - attack.t1071
author: Markus Neis
date: 2018/08/08
logsource:
    category: dns
detection:
    selection:
        -
            record_type: 'TXT'
            answer:
                - '*IEX*'
                - '*Invoke-Expression*'
                - '*cmd.exe*'
    condition: selection
falsepositives:
    - Unknown
level: high
DNS TXT Answer with possible execution strings https://twitter.com/stvemillertime/status/1024707932447854592 2018-08-08 13:51:56 +00:00			`title: DNS TXT Answer with possible execution strings`
			`status: experimental`
			`description: Detects strings used in command execution in DNS TXT Answer`
			`references:`
			`- https://twitter.com/stvemillertime/status/1024707932447854592`
			`- https://github.com/samratashok/nishang/blob/master/Backdoors/DNS_TXT_Pwnage.ps1`
			`tags:`
Fixed ATT&CK tagging 2018-08-08 13:58:19 +00:00			`- attack.t1071`
DNS TXT Answer with possible execution strings https://twitter.com/stvemillertime/status/1024707932447854592 2018-08-08 13:51:56 +00:00			`author: Markus Neis`
			`date: 2018/08/08`
			`logsource:`
			`category: dns`
			`detection:`
			`selection:`
Update net_susp_dns_txt_exec_strings.yml Fixed my botched YAML syntax... 2019-04-04 06:35:37 +00:00			`-`
			`record_type: 'TXT'`
			`answer:`
			`- 'IEX'`
			`- 'Invoke-Expression'`
			`- 'cmd.exe'`
DNS TXT Answer with possible execution strings https://twitter.com/stvemillertime/status/1024707932447854592 2018-08-08 13:51:56 +00:00			`condition: selection`
			`falsepositives:`
			`- Unknown`
			`level: high`