Potential SocGholish Second Stage C2 DNS Query

Detects a DNS query initiated from a "wscript" process for domains matching a specific pattern that was seen being used by SocGholish for its Command and Control traffic

Sigma rule (View on GitHub)

 1title: Potential SocGholish Second Stage C2 DNS Query
 2id: 70761fe8-6aa2-4f80-98c1-a57049c08e66
 3status: test
 4description: Detects a DNS query initiated from a "wscript" process for domains matching a specific pattern that was seen being used by SocGholish for its Command and Control traffic
 5references:
 6    - https://www.virustotal.com/gui/file/0e2854753d17b1bb534de8e765d5813c9fb584a745978b3d92bc6ca78e3e7735/relations
 7    - https://www.virustotal.com/gui/file/d5661009c461a8b20e1ad22f48609cc84dd90aee9182e026659dde4d46aaf25e/relations
 8    - https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update
 9author: Dusty Miller
10date: 2023-02-23
11tags:
12    - attack.command-and-control
13    - attack.t1219
14    - detection.emerging-threats
15logsource:
16    product: windows
17    category: dns_query
18detection:
19    selection:
20        Image|endswith: '\wscript.exe'
21        QueryName|re: '[a-f0-9]{4,8}\.(?:[a-z0-9\-]+\.){2}[a-z0-9\-]+'
22    condition: selection
23falsepositives:
24    - Legitimate domain names matching the regex pattern by chance (e.g. domain controllers dc01.company.co.uk)
25level: high

References

Related rules

to-top