Potential SocGholish Second Stage C2 DNS Query
Detects a DNS query initiated from a "wscript" process for domains matching a specific pattern that was seen being used by SocGholish for its Command and Control traffic
Sigma rule (View on GitHub)
1title: Potential SocGholish Second Stage C2 DNS Query
2id: 70761fe8-6aa2-4f80-98c1-a57049c08e66
3status: test
4description: Detects a DNS query initiated from a "wscript" process for domains matching a specific pattern that was seen being used by SocGholish for its Command and Control traffic
5references:
6 - https://www.virustotal.com/gui/file/0e2854753d17b1bb534de8e765d5813c9fb584a745978b3d92bc6ca78e3e7735/relations
7 - https://www.virustotal.com/gui/file/d5661009c461a8b20e1ad22f48609cc84dd90aee9182e026659dde4d46aaf25e/relations
8 - https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update
9author: Dusty Miller
10date: 2023/02/23
11tags:
12 - attack.command_and_control
13 - attack.t1219
14 - detection.emerging_threats
15logsource:
16 product: windows
17 category: dns_query
18detection:
19 selection:
20 Image|endswith: '\wscript.exe'
21 QueryName|re: '[a-f0-9]{4,8}\.(?:[a-z0-9\-]+\.){2}[a-z0-9\-]+'
22 condition: selection
23falsepositives:
24 - Legitimate domain names matching the regex pattern by chance (e.g. domain controllers dc01.company.co.uk)
25level: high
References
-
-
-
SocGholish malware is a very real threat from a very fake update. Proofpoint breaks down the threat, what it is, how it's delivered, and more.
Read More
Related rules
- Remote Access Tool - AnyDesk Piped Password Via CLI
- Remote Access Tool - Anydesk Execution From Suspicious Folder
- Remote Access Tool - NetSupport Execution
- Potential Amazon SSM Agent Hijacking
- Potential Linux Amazon SSM Agent Hijacking