valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
0489d4bfa4
SigmaHQ/rules/network/net_susp_dns_b64_queries.yml
Mike Wade 1ddba05eb2 Second round
2020-09-15 07:02:30 -06:00

26 lines
638 B
YAML
Raw Blame History

title: Suspicious DNS Query with B64 Encoded String
id: 4153a907-2451-4e4f-a578-c52bb6881432
status: experimental
description: Detects suspicious DNS queries using base64 encoding
author: Florian Roth
date: 2018/05/10
modified: 2020/08/27
references:
- https://github.com/krmaxwell/dns-exfiltration
logsource:
category: dns
detection:
selection:
query:
- '*==.*'
condition: selection
falsepositives:
- Unknown
level: medium
tags:
- attack.exfiltration
- attack.t1048 # an old one
- attack.t1048.003
- attack.command_and_control
- attack.t1071 # an old one
- attack.t1071.004
Reference in New Issue View Git Blame Copy Permalink