Suspicious DNS Query with B64 Encoded String

Detects DNS queries whose name contains the string '==.', that is, base64 padding immediately followed by a label separator. This is what a padded base64-encoded chunk looks like when a tunnelling or exfiltration tool embeds it as a DNS label (for example ZGF0YQ==.example.org).

Sigma rule

title: Suspicious DNS Query with B64 Encoded String
id: 4153a907-2451-4e4f-a578-c52bb6881432
status: test
description: Detects suspicious DNS queries using base64 encoding
references:
    - https://github.com/krmaxwell/dns-exfiltration
author: Florian Roth (Nextron Systems)
date: 2018/05/10
modified: 2022/10/09
tags:
    - attack.exfiltration
    - attack.t1048.003
    - attack.command_and_control
    - attack.t1071.004
logsource:
    category: dns
detection:
    selection:
        # '==' is base64 padding; the '.' right after it means the padded
        # chunk forms a complete DNS label (e.g. ZGF0YQ==.example.org)
        query|contains: '==.'
    condition: selection
falsepositives:
    - Unknown
level: medium
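The following is an added example, not part of the rule or of the dns-exfiltration project: it runs the rule's single selection ('==.' substring on the query field) over a handful of constructed DNS query records, and for each hit decodes the padded label so an analyst can see what the tunnelled chunk contains. The record format (a dict with a "query" key) and all query names are assumptions made for the example. Two edge cases are deliberately included: a label with a single '=' pad and a base64url label with padding stripped, both of which the rule does not match.

```python
import base64
import binascii
from typing import Dict, List, Optional

# The rule's detection: query|contains: '==.'
# (Sigma 'contains' is case-insensitive by default; irrelevant here since
# the needle has no letters.)
RULE_NEEDLE = "==."

# Constructed sample records in the shape of a Sigma "dns" logsource event.
# None of these come from a real capture.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"query": "www.example.com"},                           # benign
    {"query": "aGVsbG8gd29ybGQ=.t.example.net"},            # single '=' pad: no '==.' -> not matched
    {"query": "c2VjcmV0ZGF0YQ==.t.example.net"},            # matched; label decodes to b"secretdata"
    {"query": "ZGF0YQ==.c2VjcmV0ZGF0YQ==.t.example.net"},   # matched; two padded labels
    {"query": "c2VjcmV0ZGF0YQ.t.example.net"},              # padding stripped: evades the rule
]


def matches_rule(query: str) -> bool:
    """Exact equivalent of the Sigma selection `query|contains: '==.'`."""
    return RULE_NEEDLE in query


def padded_labels(query: str) -> List[str]:
    """Return every label that ends in '==' and is followed by another label.

    This is the set of labels responsible for a '==.' match, so it is what an
    analyst wants to decode when triaging a hit.
    """
    labels = query.split(".")
    return [label for label in labels[:-1] if label.endswith("==")]


def decode_label(label: str) -> Optional[bytes]:
    """Decode one DNS label as base64 (standard or URL-safe alphabet).

    Standard base64 uses '+' and '/', which are not valid hostname characters,
    so tools that stay RFC-compliant tend to use the '-' '_' (base64url) variant;
    altchars maps those back before decoding. Returns None if the label is not
    valid, fully padded base64.
    """
    try:
        return base64.b64decode(label, altchars=b"-_", validate=True)
    except (binascii.Error, ValueError):
        return None


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run the rule over a list of records and attach decoded payloads to hits."""
    hits: List[Dict[str, object]] = []
    for event in events:
        query = event.get("query", "")
        if not matches_rule(query):
            continue
        decoded = [decode_label(label) for label in padded_labels(query)]
        hits.append({"query": query, "decoded": decoded})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["query"])
        for chunk in hit["decoded"]:
            print("   decoded:", chunk)
```

Running this flags only the two queries that carry a full '==' pad before a dot; the single-pad and padding-stripped variants pass through untouched, which is the main gap to keep in mind when tuning this rule: encoders that strip padding, or that use base32 so the output is a valid hostname, produce no '==.' at all. A label that happens to end in '==' is also rare in legitimate traffic, which is why the rule can afford a plain substring match and still sit at level medium.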
