title: DNS TXT Answer with possible execution strings    
status: experimental
description: Detects strings used in command execution in DNS TXT Answer 
references:
    - https://twitter.com/stvemillertime/status/1024707932447854592
    - https://github.com/samratashok/nishang/blob/master/Backdoors/DNS_TXT_Pwnage.ps1
tags:
    - attack.t1071
author: Markus Neis
date: 2018/08/08
logsource:
    category: dns
detection:
    selection:
            record_type: 'TXT'
            answer:
                - '*IEX*'
                - '*Invoke-Expression*'
                - '*cmd.exe*'
    condition: selection
falsepositives:
    - Unknown
level: high