valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-09 02:26:48 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
a38c021876
SigmaHQ/rules/windows/powershell/powershell_dnscat_execution.yml

25 lines
639 B
YAML
Raw Normal View History

Rule fixes Made tests pass the new CI tests. Added further allowed lower case words in rule test.
2020-02-20 22:00:16 +00:00
title: Dnscat Execution
UUIDs + moved unsupported logic * Added UUIDs to all contributed rules * Moved unsupported logic directory out of rules/ because this breaks CI testing.
2019-12-19 22:56:36 +00:00
id: a6d67db4-6220-436d-8afc-f3842fe05d43
add tieto dns exfiltration rules
2019-10-25 02:30:55 +00:00
description: Dnscat exfiltration tool execution
status: experimental
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/24
att&ck tags review: windows/powershell, windows/process_access, windows/network_connection
2020-08-24 23:31:26 +00:00
modified: 2020/08/24
add tieto dns exfiltration rules
2019-10-25 02:30:55 +00:00
tags:
- attack.exfiltration
- attack.t1048
windows/powershell folder reviewed. Old ID’s marked with comment “an old one”. These ID’s have to be removed in future.
2020-08-24 00:01:50 +00:00
- attack.execution
- attack.t1059.001
added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes
2020-08-25 23:51:22 +00:00
- attack.t1086 # an old one
add tieto dns exfiltration rules
2019-10-25 02:30:55 +00:00
logsource:
product: windows
service: powershell
detection:
selection:
EventID: 4104
add tieto dns exfil rules
2019-11-10 17:27:21 +00:00
ScriptBlockText|contains: "Start-Dnscat2"
add tieto dns exfiltration rules
2019-10-25 02:30:55 +00:00
condition: selection
falsepositives:
- Legitimate usage of PowerShell Dnscat2 — DNS Exfiltration tool (unlikely)
OSCD QA wave 3
2020-01-19 21:34:16 +00:00
level: critical
Reference in New Issue Copy Permalink