valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 02:08:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
7f3f1944d9
SigmaHQ/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml

21 lines
573 B
YAML
Raw Normal View History

add tieto dns exfiltration rules
2019-10-25 02:30:55 +00:00
title: DNS exfiltration tools execution
UUIDs + moved unsupported logic * Added UUIDs to all contributed rules * Moved unsupported logic directory out of rules/ because this breaks CI testing.
2019-12-19 22:56:36 +00:00
id: 98a96a5a-64a0-4c42-92c5-489da3866cb0
add tieto dns exfiltration rules
2019-10-25 02:30:55 +00:00
description: Well-known DNS Exfiltration tools execution
status: experimental
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/24
tags:
- attack.exfiltration
- attack.t1048
logsource:
category: process_creation
product: windows
detection:
selection:
add tieto dns exfil rules
2019-11-10 17:27:21 +00:00
- Image|endswith: '*\iodine.exe'
- Image|contains: '\dnscat2'
add tieto dns exfiltration rules
2019-10-25 02:30:55 +00:00
condition: selection
falsepositives:
- Legitimate usage of iodine or dnscat2 — DNS Exfiltration tools (unlikely)
OSCD QA wave 3
2020-01-19 21:34:16 +00:00
level: high
Reference in New Issue Copy Permalink