Potential SocGholish Second Stage C2 DNS Query
Detects a DNS query initiated from a "wscript" process for domains matching a specific pattern that was seen being used by SocGholish for its Command and Control traffic
Sigma rule
title: Potential SocGholish Second Stage C2 DNS Query
id: 70761fe8-6aa2-4f80-98c1-a57049c08e66
status: test
description: Detects a DNS query initiated from a "wscript" process for domains matching a specific pattern that was seen being used by SocGholish for its Command and Control traffic
references:
    - https://www.virustotal.com/gui/file/0e2854753d17b1bb534de8e765d5813c9fb584a745978b3d92bc6ca78e3e7735/relations
    - https://www.virustotal.com/gui/file/d5661009c461a8b20e1ad22f48609cc84dd90aee9182e026659dde4d46aaf25e/relations
    - https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update
author: Dusty Miller
date: 2023-02-23
tags:
    - attack.command-and-control
    - attack.t1219
    - detection.emerging-threats
logsource:
    product: windows
    category: dns_query
detection:
    selection:
        Image|endswith: '\wscript.exe'
        QueryName|re: '[a-f0-9]{4,8}\.(?:[a-z0-9\-]+\.){2}[a-z0-9\-]+'
    condition: selection
falsepositives:
    - Legitimate domain names matching the regex pattern by chance (e.g. domain controllers dc01.company.co.uk)
level: high
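To make the selection block concrete, here is an added Python re-implementation of the rule's two conditions (the process-name suffix check and the unanchored QueryName regex) run over a handful of constructed DNS query events; this is example code written for this page, not part of the rule or the Sigma project, and every hostname and path in it is invented for illustration. It also reproduces the documented false positive (a domain controller named dc01.company.co.uk) so you can see why the rule's `falsepositives` entry exists.

```python
import re

# Values copied verbatim from the Sigma rule above
RULE_IMAGE_SUFFIX = "\\wscript.exe"
RULE_QUERY_REGEX = re.compile(r"[a-f0-9]{4,8}\.(?:[a-z0-9\-]+\.){2}[a-z0-9\-]+")

# Constructed sample events with Sysmon Event ID 22 style fields
# (Image, QueryName). The domains are invented, not real indicators.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "QueryName": "a1b2c3d4.cdn.example-host.com"},   # hex label + 3 more labels: hit
    {"Image": r"C:\Program Files\Browser\chrome.exe",
     "QueryName": "a1b2c3d4.cdn.example-host.com"},   # same domain, wrong process
    {"Image": r"C:\Windows\System32\wscript.exe",
     "QueryName": "files.example.org"},               # no 4-8 char hex label
    {"Image": r"C:\Windows\SysWOW64\wscript.exe",
     "QueryName": "1234.internal"},                   # hex label but too few labels
    {"Image": r"C:\WINDOWS\SYSTEM32\WScript.EXE",
     "QueryName": "dc01.company.co.uk"},              # documented false positive
]


def matches_rule(event):
    """Return True when the event satisfies the rule's 'selection' block."""
    # Sigma string modifiers such as endswith match case-insensitively by default
    image_ok = event.get("Image", "").lower().endswith(RULE_IMAGE_SUFFIX)
    # The 're' modifier is an unanchored, case-sensitive search over the field
    query_ok = RULE_QUERY_REGEX.search(event.get("QueryName", "")) is not None
    return image_ok and query_ok


def evaluate_rule(events):
    """Return the QueryName of every event the rule would alert on, in order."""
    return [e["QueryName"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for name in evaluate_rule(SAMPLE_EVENTS):
        print("ALERT:", name)
```

Because the regex is unanchored and `dc01` is valid hex, any host whose leftmost label is four to eight hex characters under a three-label parent (company.co.uk) fires the rule; tuning for your environment usually means excluding known internal zones rather than loosening the regex.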