Nslookup PowerShell Download Cradle
Detects a powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records.
Sigma rule (View on GitHub)
1title: Nslookup PowerShell Download Cradle
2id: 999bff6d-dc15-44c9-9f5c-e1051bfc86e1
3related:
4 - id: 1b3b01c7-84e9-4072-86e5-fc285a41ff23
5 type: similar
6status: test
7description: Detects a powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records.
8references:
9 - https://twitter.com/Alh4zr3d/status/1566489367232651264
10author: Sai Prashanth Pulisetti @pulisettis, Aishwarya Singam
11date: 2022-12-10
12modified: 2025-02-25
13tags:
14 - attack.execution
15 - attack.t1059.001
16logsource:
17 product: windows
18 category: ps_classic_start
19detection:
20 selection:
21 Data|contains|all:
22 - 'powershell'
23 - 'nslookup'
24 - '[1]'
25 Data|contains:
26 - '-q=txt http'
27 - '-querytype=txt http'
28 - '-type=txt http'
29 condition: selection
30falsepositives:
31 - Unknown
32level: medium
References
-
Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.
Read More
Related rules
- Potential BlackByte Ransomware Activity
- Renamed Powershell Under Powershell Channel
- Suspicious Non PowerShell WSMAN COM Provider
- PowerShell Core DLL Loaded By Non PowerShell Process
- Potentially Suspicious Command Executed Via Run Dialog Box - Registry