Powershell DNSExfiltration

 1title: Powershell DNSExfiltration
 2id: d59d7842-9a21-4bc6-ba98-64bfe0091355
 3status: test
 4description: DNSExfiltrator allows for transferring (exfiltrate) a file over a DNS request covert channel
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh
 7    - https://github.com/Arno0x/DNSExfiltrator
 8author: frack113
 9date: 2022-01-07
10tags:
11    - attack.exfiltration
12    - attack.t1048
13logsource:
14    product: windows
15    category: ps_script
16    definition: 'Requirements: Script Block Logging must be enabled'
17detection:
18    selection_cmdlet:
19        - ScriptBlockText|contains: 'Invoke-DNSExfiltrator'
20        - ScriptBlockText|contains|all:
21              - ' -i '
22              - ' -d '
23              - ' -p '
24              - ' -doh '
25              - ' -t '
26    condition: selection_cmdlet
27falsepositives:
28    - Legitimate script
29level: high

References

• atomic-red-team/atomics/T1048/T1048.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

  

  Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

  
  Read More

• GitHub - Arno0x/DNSExfiltrator: Data exfiltration over DNS request covert channel

  

  Data exfiltration over DNS request covert channel. Contribute to Arno0x/DNSExfiltrator development by creating an account on GitHub.

  
  Read More

Related rules

• Copy From Or To Admin Share Or Sysvol Folder
• DNS TOR Proxies
• Suspicious Redirection to Local Admin Share
• Tap Driver Installation
• Tap Driver Installation - Security