valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #145 from yt0ng/master

Browse Source 
DNS TXT Answer with possible execution strings
This commit is contained in:
Thomas Patzke 2018-08-08 15:58:34 +02:00 committed by GitHub
commit 01215a645e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 22 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
rules/network/net_susp_dns_txt_exec_strings.yml Normal file
View File

@ -0,0 +1,22 @@
title: DNS TXT Answer with possible execution strings
status: experimental
description: Detects strings used in command execution in DNS TXT Answer
references:
- https://twitter.com/stvemillertime/status/1024707932447854592
- https://github.com/samratashok/nishang/blob/master/Backdoors/DNS_TXT_Pwnage.ps1
tags:
- attack.t1071
author: Markus Neis
date: 2018/08/08
logsource:
category: dns
detection:
selection:
answer:
- '*IEX*'
- '*Invoke-Expression*'
- '*cmd.exe*'
condition: selection
falsepositives:
- Unknown
level: high