Nslookup PowerShell Download Cradle

calendar Oct 28, 2023 · attack.execution attack.t1059.001  ·
Share on: linkedin copy

Detects a powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records.

Sigma rule (View on GitHub)

 1title: Nslookup PowerShell Download Cradle
 2id: 999bff6d-dc15-44c9-9f5c-e1051bfc86e1
 3related:
 4    - id: 1b3b01c7-84e9-4072-86e5-fc285a41ff23
 5      type: similar
 6status: test
 7description: Detects a powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records.
 8references:
 9    - https://twitter.com/Alh4zr3d/status/1566489367232651264
10author: Sai Prashanth Pulisetti @pulisettis, Aishwarya Singam
11date: 2022/12/10
12modified: 2023/10/27
13tags:
14    - attack.execution
15    - attack.t1059.001
16logsource:
17    product: windows
18    category: ps_classic_start
19detection:
20    selection:
21        Data|contains|all:
22            - 'powershell'
23            - 'nslookup'
24            - '[1]'
25        Data|contains:
26            - '-q=txt http'
27            - '-querytype=txt http'
28    condition: selection
29falsepositives:
30    - Unknown
31level: medium

References

  • Something went wrong, but don’t fret — let’s give it another shot.


    Read More

Related rules

to-top