DPRK Threat Actor - C2 Communication DNS Indicators
Detects DNS queries for C2 domains used by DPRK Threat actors.
Sigma rule

```yaml
title: DPRK Threat Actor - C2 Communication DNS Indicators
id: 4d16c9a6-4362-4863-9940-1dee35f1d70f
status: experimental
description: Detects DNS queries for C2 domains used by DPRK Threat actors.
references:
    - https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-02-20
tags:
    - attack.command-and-control
    - detection.emerging-threats
logsource:
    product: windows
    category: dns_query
detection:
    selection:
        QueryName:
            - 'connection.lockscreen.kro.kr'
            - 'updating.dothome.co.kr'
    condition: selection
falsepositives:
    - Unlikely
level: high
```
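The rule's detection block is a single selection: `QueryName` equal to either of the two listed domains, OR-ed together and, per Sigma's string-matching semantics, compared case-insensitively against the whole field. The following added example (not part of the rule or the Sigma project's own code) applies that logic to constructed Windows DNS query events shaped like Sysmon Event ID 22 records, and shows the two behaviours an analyst should expect: a query that differs only in letter case still fires, while a longer name that merely contains an indicator does not, because plain Sigma values are exact matches, not substring or wildcard matches. The event fields, hostnames and image paths are invented sample data.

```python
"""Apply the DNS-indicator Sigma rule above to sample dns_query events.

Added example, not part of the rule page. Event records are constructed
to resemble Sysmon Event ID 22 (DnsQuery) fields and are not real telemetry.
"""
from dataclasses import dataclass

# Indicators copied from the rule's QueryName selection, already lowercase.
C2_DOMAINS = (
    "connection.lockscreen.kro.kr",
    "updating.dothome.co.kr",
)

RULE_TITLE = "DPRK Threat Actor - C2 Communication DNS Indicators"
RULE_LEVEL = "high"


@dataclass(frozen=True)
class DnsQueryEvent:
    """Minimal stand-in for a Windows dns_query event (constructed fields)."""
    timestamp: str
    host: str
    image: str        # process that issued the query
    query_name: str   # maps to the Sigma field QueryName


def matches_rule(event: DnsQueryEvent) -> bool:
    """Sigma list values under one field are OR-ed, and a plain string value
    must equal the whole field (case-insensitive). Lowercasing QueryName and
    testing membership in the indicator tuple reproduces exactly that; a
    subdomain or a longer name containing an indicator is NOT a match."""
    return event.query_name.lower() in C2_DOMAINS


def scan(events):
    """Return one alert record per event that satisfies the rule condition."""
    alerts = []
    for ev in events:
        if matches_rule(ev):
            alerts.append({
                "title": RULE_TITLE,
                "level": RULE_LEVEL,
                "timestamp": ev.timestamp,
                "host": ev.host,
                "image": ev.image,
                "query_name": ev.query_name,
            })
    return alerts


# Constructed sample events; none of these are real observations.
SAMPLE_EVENTS = [
    DnsQueryEvent("2024-02-20T09:14:03Z", "WS-0142",
                  r"C:\Windows\System32\svchost.exe", "www.example.com"),
    DnsQueryEvent("2024-02-20T09:14:07Z", "WS-0142",
                  r"C:\Users\Public\update.exe", "updating.dothome.co.kr"),
    # Differs from the indicator only in letter case: still an alert.
    DnsQueryEvent("2024-02-20T09:15:41Z", "WS-0077",
                  r"C:\Users\Public\update.exe", "Connection.Lockscreen.kro.kr"),
    # Contains an indicator but is not equal to it: no alert from this rule.
    DnsQueryEvent("2024-02-20T09:16:02Z", "WS-0077",
                  r"C:\Windows\System32\svchost.exe", "updating.dothome.co.kr.example"),
]


def alert_count(events=SAMPLE_EVENTS) -> int:
    """Number of alerts the rule raises over the given events."""
    return len(scan(events))


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['level']}] {alert['timestamp']} {alert['host']} "
              f"{alert['image']} -> {alert['query_name']}")
```

Because the rule is an exact-match indicator list, the fourth sample event is the case worth noting when tuning: if a backend converts Sigma values to substring matches (some converters do for certain field types), it would alert on that longer name too, so verify the generated query against the SIEM's matching semantics before trusting the "Unlikely" false-positive rating.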
Related rules
- Devil Bait Potential C2 Communication Traffic
- Equation Group C2 Communication
- GALLIUM Artefacts - Builtin
- GALLIUM IOCs
- Goofy Guineapig Backdoor Potential C2 Communication