DNS TXT Answer with Possible Execution Strings

Detects strings associated with command execution in DNS TXT answers.

Sigma rule

title: DNS TXT Answer with Possible Execution Strings
id: 8ae51330-899c-4641-8125-e39f2e07da72
status: test
description: Detects strings used in command execution in DNS TXT Answer
references:
    - https://twitter.com/stvemillertime/status/1024707932447854592
    - https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1
author: Markus Neis
date: 2018/08/08
modified: 2021/11/27
tags:
    - attack.command_and_control
    - attack.t1071.004
logsource:
    category: dns
detection:
    selection:
        record_type: 'TXT'
        answer|contains:
            - 'IEX'
            - 'Invoke-Expression'
            - 'cmd.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
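
The rule's selection evaluated in Python over constructed DNS events (an added example, not part of the Sigma project or any backend). It assumes Sigma's default case-insensitive string matching and that events carry the rule's `record_type` and `answer` fields; the `query` field and all sample values are made up. The fourth event shows that the short 'IEX' substring also matches a benign TXT token.

```python
# Added example: the rule's `selection` applied to constructed DNS events.
# record_type / answer are the rule's field names; `query` is an assumed extra field.

NEEDLES = ["IEX", "Invoke-Expression", "cmd.exe"]  # values of answer|contains


def contains_any(value, needles):
    """`|contains` with a list: case-insensitive substring match, OR over items."""
    haystack = str(value).lower()
    return [n for n in needles if n.lower() in haystack]


def match_selection(event):
    """Return the matched strings if the event satisfies the selection, else []."""
    # Fields inside one selection are ANDed: record_type must equal 'TXT' ...
    if str(event.get("record_type", "")).lower() != "txt":
        return []
    # ... and the answer must contain at least one of the listed strings.
    return contains_any(event.get("answer", ""), NEEDLES)


def triage(events):
    """Return (query, matched strings) for every event the rule would alert on."""
    hits = []
    for event in events:
        matched = match_selection(event)
        if matched:
            hits.append((event.get("query"), matched))
    return hits


# Constructed sample events (not real traffic).
SAMPLE_EVENTS = [
    # Lower-case keyword: still matches because matching is case-insensitive.
    {"query": "cfg.example.test", "record_type": "TXT", "answer": "iex $cmd"},
    {"query": "run.example.test", "record_type": "TXT", "answer": "cmd.exe /c whoami"},
    # Ordinary SPF record: no match.
    {"query": "mail.example.test", "record_type": "TXT",
     "answer": "v=spf1 include:_spf.example.test ~all"},
    # Benign verification token that happens to contain the letters "iEx".
    {"query": "www.example.test", "record_type": "TXT",
     "answer": "site-verification=Qp7iExk2Lm9"},
    # Keyword present, but not a TXT answer: record_type fails the AND.
    {"query": "a.example.test", "record_type": "A", "answer": "cmd.exe"},
]

if __name__ == "__main__":
    for query, matched in triage(SAMPLE_EVENTS):
        print(f"ALERT {query}: matched {matched}")
```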
