DNSCat2 Powershell Implementation Detection Via Process Creation
The PowerShell implementation of DNSCat2 calls nslookup to craft queries. Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally.
Sigma rule
title: DNSCat2 Powershell Implementation Detection Via Process Creation
id: b11d75d6-d7c1-11ea-87d0-0242ac130003
status: unsupported
description: The PowerShell implementation of DNSCat2 calls nslookup to craft queries. Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally.
references:
    - https://github.com/lukebaggett/dnscat2-powershell
    - https://blu3-team.blogspot.com/2019/08/powershell-dns-c2-notes.html
    - https://ragged-lab.blogspot.com/2020/06/it-is-always-dns-powershell-edition.html
author: Cian Heasley
date: 2020/08/08
modified: 2023/02/24
tags:
    - attack.command_and_control
    - attack.t1071
    - attack.t1071.004
    - attack.t1001.003
    - attack.t1041
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        Image|endswith: '\nslookup.exe'
        CommandLine|endswith: '\nslookup.exe'
    condition: selection | count(Image) by ParentImage > 100
fields:
    - Image
    - CommandLine
    - ParentImage
falsepositives:
    - Other powershell scripts that call nslookup.exe
level: high
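To make the rule's logic concrete, the following is an added Python re-implementation of the selection and the per-parent count threshold, run over constructed process-creation events. It is not code from the Sigma project or from the rule's author. It assumes events arrive as dictionaries keyed by the Sigma field names (ParentImage, Image, CommandLine), treats the three selection fields as an AND with case-insensitive suffix matching, and groups the count by the ParentImage value exactly as `count(Image) by ParentImage` does; it does not model the time window a SIEM backend would apply to the aggregation.

```python
"""
Added example (not part of the Sigma rule or the Sigma project): a small
re-implementation of this rule's selection + count logic over constructed
process_creation events, so the threshold behaviour can be seen offline.
"""
from collections import Counter
from typing import Dict, Iterable, List

# Values taken directly from the rule's selection and condition.
PARENT_SUFFIXES = ("\\powershell.exe", "\\pwsh.exe")
IMAGE_SUFFIX = "\\nslookup.exe"
THRESHOLD = 100  # condition: selection | count(Image) by ParentImage > 100


def matches_selection(event: Dict[str, str]) -> bool:
    """The rule's `selection` block: all three fields must match (AND).

    The CommandLine condition only matches command lines that end in the
    executable name, i.e. nslookup.exe started with no arguments.
    """
    parent = event.get("ParentImage", "")
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    # Sigma string modifiers are case-insensitive by default, so lower() first.
    return (
        parent.lower().endswith(PARENT_SUFFIXES)
        and image.lower().endswith(IMAGE_SUFFIX)
        and cmdline.lower().endswith(IMAGE_SUFFIX)
    )


def evaluate_rule(events: Iterable[Dict[str, str]],
                  threshold: int = THRESHOLD) -> Dict[str, int]:
    """Apply `selection | count(Image) by ParentImage > threshold`.

    Returns {ParentImage: count} for every parent whose count of matching
    children exceeds the threshold; an empty dict means no alert.
    """
    counts: Counter = Counter()
    for ev in events:
        if matches_selection(ev):
            counts[ev["ParentImage"]] += 1
    return {parent: n for parent, n in counts.items() if n > threshold}


def make_event(parent: str, image: str, cmdline: str) -> Dict[str, str]:
    """Build a constructed process_creation event carrying the rule's fields."""
    return {"ParentImage": parent, "Image": image, "CommandLine": cmdline}


# Constructed sample paths (assumed, not captured telemetry).
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
PWSH = "C:\\Program Files\\PowerShell\\7\\pwsh.exe"
NSLOOKUP = "C:\\Windows\\System32\\nslookup.exe"
CMD = "C:\\Windows\\System32\\cmd.exe"


def sample_events() -> List[Dict[str, str]]:
    """Constructed event stream mixing true positives and non-matching noise."""
    events: List[Dict[str, str]] = []
    # 150 argument-less nslookup launches from powershell.exe: the pattern the
    # rule describes; this group must exceed the > 100 threshold.
    events += [make_event(PS, NSLOOKUP, NSLOOKUP) for _ in range(150)]
    # 5 ordinary lookups from pwsh.exe with arguments: CommandLine does not end
    # in nslookup.exe, so the selection fails and they are never counted.
    events += [make_event(PWSH, NSLOOKUP, f"{NSLOOKUP} example.org") for _ in range(5)]
    # 200 argument-less launches from cmd.exe: wrong parent, excluded.
    events += [make_event(CMD, NSLOOKUP, NSLOOKUP) for _ in range(200)]
    # 50 argument-less launches from pwsh.exe: selection matches, but the
    # group stays at or below the threshold, so no alert for this parent.
    events += [make_event(PWSH, NSLOOKUP, NSLOOKUP) for _ in range(50)]
    return events


if __name__ == "__main__":
    for parent, n in evaluate_rule(sample_events()).items():
        print(f"ALERT: {n} nslookup.exe children spawned by {parent}")
```

Two points worth checking against your own telemetry before relying on the rule: the grouping key is the ParentImage path, so every powershell.exe instance on a host collapses into one count rather than one per process, and the `endswith` on CommandLine will not match if the logging source wraps the executable path in quotes, since the value then ends in `"` rather than `nslookup.exe`.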
Related rules
- DNS Query From Process with Double File Extension
- Download by Process with Double File Extension
- File Creation by Process with Double File Extension
- Network Connection From Process with Double File Extension
- High DNS Requests Rate