Suspicious DNS Query with B64 Encoded String
Detects suspicious DNS queries using base64 encoding
Sigma rule
```yaml
title: Suspicious DNS Query with B64 Encoded String
id: 4153a907-2451-4e4f-a578-c52bb6881432
status: test
description: Detects suspicious DNS queries using base64 encoding
references:
    - https://github.com/krmaxwell/dns-exfiltration
author: Florian Roth (Nextron Systems)
date: 2018-05-10
modified: 2022-10-09
tags:
    - attack.exfiltration
    - attack.t1048.003
    - attack.command-and-control
    - attack.t1071.004
logsource:
    category: dns
detection:
    selection:
        query|contains: '==.'
    condition: selection
falsepositives:
    - Unknown
level: medium
```
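The rule's `query|contains: '==.'` selection fires when a queried name contains base64 padding followed by a label separator. The following added example (not part of the rule or the SigmaHQ project) runs that selection over constructed DNS log records and adds an assumed, stricter check that the leftmost label actually decodes as base64, which helps triage hits and shows the rule's coverage: a base64 label only ends in `==` when the encoded payload length leaves one trailing byte, so labels with a single `=` or no padding pass untouched.

```python
import base64
import binascii
import re

# Constructed sample DNS log records (not real telemetry). The "query"
# field is the one inspected by the rule's logsource category "dns".
SAMPLE_DNS_LOGS = [
    {"src": "10.0.0.5", "query": "www.example.com", "type": "A"},
    {"src": "10.0.0.5", "query": "YQ==.tunnel.example.test", "type": "TXT"},
    {"src": "10.0.0.7", "query": "aGk=.tunnel.example.test", "type": "TXT"},
    {"src": "10.0.0.9", "query": "c2VjcmV0.tunnel.example.test", "type": "TXT"},
    {"src": "10.0.0.9", "query": "==.broken.example.test", "type": "A"},
]


def sigma_selection_matches(record: dict) -> bool:
    """Literal translation of the rule's selection: query|contains: '==.'"""
    return "==." in record.get("query", "")


def first_label_is_base64(query: str) -> bool:
    """Assumed triage helper: does the leftmost label decode as strict base64?

    Standard base64 alphabet, length a multiple of four, at most two pad
    characters; validate=True rejects any non-alphabet byte.
    """
    label = query.split(".", 1)[0]
    if len(label) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", label):
        return False
    try:
        base64.b64decode(label, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def run_detection(records: list) -> list:
    """Apply the Sigma selection and annotate each hit with the base64 check."""
    hits = []
    for record in records:
        if sigma_selection_matches(record):
            hits.append({**record, "b64_label": first_label_is_base64(record["query"])})
    return hits


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_DNS_LOGS):
        print(hit)
```

Of the three base64-looking queries only the one ending in `==` is selected, and the `b64_label` flag separates it from the stray `==.broken` record that the literal substring match also catches.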
Related rules
- DNS Exfiltration and Tunneling Tools Execution
- High DNS Requests Rate
- High DNS Requests Rate - Firewall
- High NULL Records Requests Rate
- High TXT Records Requests Rate