DNS TXT Answer with Possible Execution Strings

Aug 12, 2024 · attack.command-and-control attack.t1071.004 ·

Detects strings used in command execution in DNS TXT Answer

Sigma rule (View on GitHub)

 1title: DNS TXT Answer with Possible Execution Strings
 2id: 8ae51330-899c-4641-8125-e39f2e07da72
 3status: test
 4description: Detects strings used in command execution in DNS TXT Answer
 5references:
 6    - https://twitter.com/stvemillertime/status/1024707932447854592
 7    - https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1
 8author: Markus Neis
 9date: 2018-08-08
10modified: 2021-11-27
11tags:
12    - attack.command-and-control
13    - attack.t1071.004
14logsource:
15    category: dns
16detection:
17    selection:
18        record_type: 'TXT'
19        answer|contains:
20            - 'IEX'
21            - 'Invoke-Expression'
22            - 'cmd.exe'
23    condition: selection
24falsepositives:
25    - Unknown
26level: high

References

x.com

Read More
nishang/Backdoors/DNS_TXT_Pwnage.ps1 at 414ee1104526d7057f9adaeee196d91ae447283e · samratashok/nishang

Nishang - Offensive PowerShell for red team, penetration testing and offensive security. - samratashok/nishang

Read More

DNS TXT Answer with Possible Execution Strings

Sigma rule (View on GitHub)

References

x.com

nishang/Backdoors/DNS_TXT_Pwnage.ps1 at 414ee1104526d7057f9adaeee196d91ae447283e · samratashok/nishang

Related rules