DNSCat2 Powershell Implementation Detection Via Process Creation

The PowerShell implementation of DNSCat2 (dnscat2-powershell) calls nslookup.exe to issue its DNS queries rather than resolving names in-process. Counting nslookup.exe processes whose parent is PowerShell will therefore show hundreds or thousands of instances on a host where PS DNSCat2 is active.

Sigma rule

title: DNSCat2 Powershell Implementation Detection Via Process Creation
id: b11d75d6-d7c1-11ea-87d0-0242ac130003
status: unsupported
description: The PowerShell implementation of DNSCat2 calls nslookup to craft queries. Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally.
references:
    - https://github.com/lukebaggett/dnscat2-powershell
    - https://blu3-team.blogspot.com/2019/08/powershell-dns-c2-notes.html
    - https://ragged-lab.blogspot.com/2020/06/it-is-always-dns-powershell-edition.html
author: Cian Heasley
date: 2020/08/08
modified: 2023/02/24
tags:
    - attack.command_and_control
    - attack.t1071
    - attack.t1071.004
    - attack.t1001.003
    - attack.t1041
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        Image|endswith: '\nslookup.exe'
        CommandLine|endswith: '\nslookup.exe'
    condition: selection | count(Image) by ParentImage > 100
fields:
    - Image
    - CommandLine
    - ParentImage
falsepositives:
    - Other powershell scripts that call nslookup.exe
level: high
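The following is an added worked example, not code from the Sigma rule or from the dnscat2-powershell project: it re-implements the rule's selection (case-insensitive `endswith` on ParentImage, Image and CommandLine) and its `count(Image) by ParentImage > 100` condition in Python and runs it over constructed process-creation events, so the threshold behaviour can be seen without a SIEM. Field names follow the rule; the sample events, paths and counts are made up for the demonstration.

```python
"""Added example: evaluate the DNSCat2 PowerShell Sigma rule over sample events.

Not part of the Sigma rule or the dnscat2-powershell project. The events below
are constructed, not real telemetry.
"""
from collections import Counter
from typing import Iterable

# Selection taken from the rule. Sigma string matching is case-insensitive,
# and a single backslash before a non-wildcard character is a literal backslash.
PARENT_SUFFIXES = ("\\powershell.exe", "\\pwsh.exe")
IMAGE_SUFFIX = "\\nslookup.exe"
CMDLINE_SUFFIX = "\\nslookup.exe"   # bare launch: no arguments after the image path
THRESHOLD = 100                     # condition: count(Image) by ParentImage > 100


def matches_selection(event: dict) -> bool:
    """True when the event satisfies all three endswith clauses of the rule."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    return (
        parent.endswith(PARENT_SUFFIXES)
        and image.endswith(IMAGE_SUFFIX)
        and cmdline.endswith(CMDLINE_SUFFIX)
    )


def count_by_parent(events: Iterable[dict]) -> Counter:
    """count(Image) by ParentImage over the events that pass the selection."""
    counts: Counter = Counter()
    for ev in events:
        if matches_selection(ev):
            counts[ev["ParentImage"]] += 1
    return counts


def alerting_parents(events: Iterable[dict], threshold: int = THRESHOLD) -> dict:
    """Parents whose matched-child count exceeds the threshold (the rule fires per parent)."""
    return {parent: n for parent, n in count_by_parent(events).items() if n > threshold}


def make_event(parent: str, image: str, cmdline: str) -> dict:
    """Minimal process_creation event with the three fields the rule inspects."""
    return {"ParentImage": parent, "Image": image, "CommandLine": cmdline}


# Constructed sample paths (hypothetical hosts, not captured data).
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
PWSH = "C:\\Program Files\\PowerShell\\7\\pwsh.exe"
CMD = "C:\\Windows\\System32\\cmd.exe"
NSLOOKUP = "C:\\Windows\\System32\\nslookup.exe"

SAMPLE_EVENTS = (
    # 150 bare nslookup.exe launches from powershell.exe: exceeds the threshold.
    [make_event(PS, NSLOOKUP, NSLOOKUP)] * 150
    # 100 from pwsh.exe: pass the selection, but 100 is not > 100, so no alert.
    + [make_event(PWSH, NSLOOKUP, NSLOOKUP)] * 100
    # Lookups with an argument: CommandLine no longer ends with \nslookup.exe.
    + [make_event(PS, NSLOOKUP, NSLOOKUP + " example.com")] * 200
    # Same binary under cmd.exe: wrong parent, never selected.
    + [make_event(CMD, NSLOOKUP, NSLOOKUP)] * 200
)

if __name__ == "__main__":
    for parent, n in alerting_parents(SAMPLE_EVENTS).items():
        print(f"ALERT: {n} nslookup.exe children of {parent}")
```

Two things the example makes visible that the rule text leaves implicit: the `CommandLine|endswith: '\nslookup.exe'` clause only matches when the image path is the final token of the command line, so a launch that passes a hostname as an argument (or whose logged command line carries a trailing quote) is not counted; and the rule sets no `timeframe`, so the window over which the count accumulates is whatever the backend applies when it compiles the aggregation.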
