DPRK Threat Actor - C2 Communication DNS Indicators
Detects DNS queries for C2 domains used by DPRK Threat actors.
Sigma rule (View on GitHub)
```yaml
title: DPRK Threat Actor - C2 Communication DNS Indicators
id: 4d16c9a6-4362-4863-9940-1dee35f1d70f
status: experimental
description: Detects DNS queries for C2 domains used by DPRK Threat actors.
references:
    - https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024/02/20
tags:
    - attack.command_and_control
    - detection.emerging_threats
logsource:
    product: windows
    category: dns_query
detection:
    selection:
        QueryName:
            - 'connection.lockscreen.kro.kr'
            - 'updating.dothome.co.kr'
    condition: selection
falsepositives:
    - Unlikely
level: high
```
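To make the rule's matching semantics concrete, here is an added Python example (not code from the rule, its author, or the Sigma project) that applies the selection above to a handful of constructed Sysmon Event ID 22 (DNS query) records, which is the Windows event this `dns_query` logsource maps to. The `DnsQueryEvent` class and the sample events are assumptions built for the demonstration; only the two indicator strings come from the rule. It encodes two Sigma details a practitioner should know: string comparisons are case-insensitive, and a value without a wildcard is an exact match, so `www.updating.dothome.co.kr` does not trigger this rule as written.

```python
"""Apply the DPRK C2 DNS indicator rule to constructed Sysmon EID 22 events.

Added example only; the indicator list below is copied from the Sigma rule,
everything else is assumed for the demonstration.
"""

from dataclasses import dataclass
from typing import Iterable, List

# Indicators copied verbatim from the rule's `selection` list.
C2_DOMAINS = (
    "connection.lockscreen.kro.kr",
    "updating.dothome.co.kr",
)


@dataclass
class DnsQueryEvent:
    """Subset of Sysmon Event ID 22 fields used here (assumed shape)."""
    utc_time: str
    computer: str
    image: str        # process that issued the query
    query_name: str   # maps to the rule's QueryName field


def matches_rule(event: DnsQueryEvent) -> bool:
    """Evaluate `condition: selection` for one event.

    A list under a Sigma field is OR-ed, comparisons are case-insensitive,
    and a value without '*' is an exact match, not a substring or suffix.
    """
    query = event.query_name.lower()
    return any(query == domain.lower() for domain in C2_DOMAINS)


def evaluate(events: Iterable[DnsQueryEvent]) -> List[DnsQueryEvent]:
    """Return the events that would fire this rule (level: high)."""
    return [e for e in events if matches_rule(e)]


# Constructed sample telemetry, not real log data.
SAMPLE_EVENTS = [
    DnsQueryEvent("2024-02-20 10:00:01.000", "WS01",
                  r"C:\Windows\System32\svchost.exe",
                  "update.microsoft.com"),
    DnsQueryEvent("2024-02-20 10:00:02.000", "WS01",
                  r"C:\Users\alice\AppData\Local\Temp\setup.exe",
                  "UPDATING.DOTHOME.CO.KR"),          # case differs: still a hit
    DnsQueryEvent("2024-02-20 10:00:03.000", "WS02",
                  r"C:\Users\bob\AppData\Roaming\svc.exe",
                  "connection.lockscreen.kro.kr"),
    DnsQueryEvent("2024-02-20 10:00:04.000", "WS02",
                  r"C:\Program Files\Browser\browser.exe",
                  "www.updating.dothome.co.kr"),       # subdomain: not a hit
]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"HIGH {hit.utc_time} {hit.computer} {hit.image} -> {hit.query_name}")
```

The fourth sample event is the caveat worth remembering when tuning: because the rule lists bare hostnames with no modifier, a host-prefixed variant of an indicator slips past it. If you want subdomain coverage, the rule would need `QueryName|endswith` with a leading dot on each value (and a review of whether that widens false positives), which is a deliberate change to the rule rather than something the current version does.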
Related rules
- OilRig APT Schedule Task Persistence - System
- Potential Compromised 3CXDesktopApp Beaconing Activity - DNS
- Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon
- Potential Compromised 3CXDesktopApp ICO C2 File Download
- Potential Suspicious Child Process Of 3CXDesktopApp