DPRK Threat Actor - C2 Communication DNS Indicators
Detects DNS queries for C2 domains used by DPRK Threat actors.
Sigma rule (View on GitHub)
1title: DPRK Threat Actor - C2 Communication DNS Indicators
2id: 4d16c9a6-4362-4863-9940-1dee35f1d70f
3status: experimental
4description: Detects DNS queries for C2 domains used by DPRK Threat actors.
5references:
6 - https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2024/02/20
9tags:
10 - attack.command_and_control
11 - detection.emerging_threats
12logsource:
13 product: windows
14 category: dns_query
15detection:
16 selection:
17 QueryName:
18 - 'connection.lockscreen.kro.kr'
19 - 'updating.dothome.co.kr'
20 condition: selection
21falsepositives:
22 - Unlikely
23level: high
References
-
%PDF-1.7 %���� 1 0 obj /Metadata 651 0 R/ViewerPreferences 652 0 R>> endobj 2 0 obj endobj 3 0 obj /ExtGState /Font /ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 595.32 841.8] /Contents...
Read More
Related rules
- OilRig APT Schedule Task Persistence - System
- Potential Compromised 3CXDesktopApp Beaconing Activity - DNS
- Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon
- Potential Compromised 3CXDesktopApp ICO C2 File Download
- Potential Suspicious Child Process Of 3CXDesktopApp