valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-06 09:25:17 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
7ad0887704
SigmaHQ/rules/network/net_susp_dns_b64_queries.yml
frack113 fc64b8b937 Split PR 1802 fix net rules
2021-08-09 17:23:15 +02:00

26 lines
632 B
YAML
Raw Blame History

title: Suspicious DNS Query with B64 Encoded String
id: 4153a907-2451-4e4f-a578-c52bb6881432
status: experimental
description: Detects suspicious DNS queries using base64 encoding
author: Florian Roth
date: 2018/05/10
modified: 2021/08/09
references:
- https://github.com/krmaxwell/dns-exfiltration
logsource:
category: dns
detection:
selection:
query|contains: '==.'
condition: selection
falsepositives:
- Unknown
level: medium
tags:
- attack.exfiltration
- attack.t1048 # an old one
- attack.t1048.003
- attack.command_and_control
- attack.t1071 # an old one
- attack.t1071.004
Reference in New Issue View Git Blame Copy Permalink