Potential Operation Triangulation C2 Beaconing Activity - DNS

Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB

Sigma rule

title: Potential Operation Triangulation C2 Beaconing Activity - DNS
id: 7fc30d63-728d-48d9-ad6f-14d14f4accf7
related:
    - id: aa03c712-75c6-438b-8d42-de88f2427e09 # Proxy C2
      type: similar
status: experimental
description: Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB
references:
    - https://securelist.com/operation-triangulation/109842/
    - https://www-fsb-ru.translate.goog/fsb/press/message/single.htm!id=10439739@fsbMessage.html?_x_tr_sch=http&_x_tr_sl=ru&_x_tr_tl=en&_x_tr_hl=de&_x_tr_pto=wapp
author: Florian Roth (Nextron Systems)
date: 2023/06/01
tags:
    - attack.command_and_control
    - attack.g0020
    - detection.emerging_threats
logsource:
    category: dns
detection:
    selection:
        query:
            - 'addatamarket.net'
            - 'ans7tv.net'
            - 'anstv.net'
            - 'backuprabbit.com'
            - 'businessvideonews.com'
            - 'cloudsponcer.com'
            - 'datamarketplace.net'
            - 'growthtransport.com'
            - 'mobilegamerstats.com'
            - 'snoweeanalytics.com'
            - 'tagclick-cdn.com'
            - 'topographyupdates.com'
            - 'unlimitedteacup.com'
            - 'virtuallaughing.com'
            - 'web-trackers.com'
    condition: selection
falsepositives:
    - Unknown
level: high

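Worked example, added here and not part of the SigmaHQ rule or of the page: it applies the rule's selection list to constructed DNS query records the way a Sigma backend would, and also shows what the optional `query|endswith` modifier would change for subdomain lookups. The record field names and the sample log are assumptions.

```python
"""Added example: evaluate the rule's `query` selection against DNS log records."""
from __future__ import annotations

# Indicator list copied from the rule's `query` selection above.
TRIANGULATION_DOMAINS = frozenset({
    "addatamarket.net", "ans7tv.net", "anstv.net", "backuprabbit.com",
    "businessvideonews.com", "cloudsponcer.com", "datamarketplace.net",
    "growthtransport.com", "mobilegamerstats.com", "snoweeanalytics.com",
    "tagclick-cdn.com", "topographyupdates.com", "unlimitedteacup.com",
    "virtuallaughing.com", "web-trackers.com",
})


def normalize_query(name: str) -> str:
    """Lower-case and strip the trailing dot some resolvers log on FQDNs."""
    return name.strip().lower().rstrip(".")


def matches_rule(query: str, modifier: str = "exact") -> bool:
    """Evaluate the selection for one DNS query name.

    "exact" mirrors the rule as written: a plain `query:` list is a
    case-insensitive equality test in Sigma, so a lookup of a subdomain of a
    listed domain does NOT fire. "endswith" shows what `query|endswith` would
    add; here it is a label-boundary suffix match (Sigma's own endswith is a
    raw string suffix test and is therefore slightly broader).
    """
    name = normalize_query(query)
    if modifier == "exact":
        return name in TRIANGULATION_DOMAINS
    if modifier == "endswith":
        return any(name == d or name.endswith("." + d) for d in TRIANGULATION_DOMAINS)
    raise ValueError(f"unsupported modifier: {modifier}")


def alert_on(records: list[dict], modifier: str = "exact") -> list[dict]:
    """Return the records whose (assumed) `query` field hits the selection."""
    return [r for r in records if matches_rule(r.get("query", ""), modifier)]


# Constructed sample DNS log records, not real telemetry; field names are assumed.
SAMPLE_DNS_LOG = [
    {"ts": "2023-06-01T08:00:01Z", "src_ip": "10.0.0.5", "query": "example.com"},
    {"ts": "2023-06-01T08:00:02Z", "src_ip": "10.0.0.5", "query": "backuprabbit.com"},
    {"ts": "2023-06-01T08:00:03Z", "src_ip": "10.0.0.7", "query": "MobileGamerStats.com."},
    {"ts": "2023-06-01T08:00:04Z", "src_ip": "10.0.0.9", "query": "cdn.tagclick-cdn.com"},
]

if __name__ == "__main__":
    for mode in ("exact", "endswith"):
        for hit in alert_on(SAMPLE_DNS_LOG, mode):
            print(f"{mode:8s} {hit['src_ip']} {hit['query']}")
```

Run as written, the exact mode reports the second and third records only; the fourth (a subdomain lookup) is reported only by the endswith mode.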