attack.t1071.004

The PowerShell implementation of DNSCat2 calls nslookup to craft queries. Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally.

High DNS Requests Rate

Apr 21, 2023 · attack.exfiltration attack.t1048.003 attack.command_and_control attack.t1071.004 ·

Share on:

High DNS requests amount from host per short period of time

High DNS Requests Rate - Firewall

Apr 21, 2023 · attack.exfiltration attack.t1048.003 attack.command_and_control attack.t1071.004 ·

Share on:

High DNS requests amount from host per short period of time

High NULL Records Requests Rate

Apr 21, 2023 · attack.exfiltration attack.t1048.003 attack.command_and_control attack.t1071.004 ·

Share on:

Extremely high rate of NULL record type DNS requests from host per short period of time. Possible result of iodine tool execution

High TXT Records Requests Rate

Apr 21, 2023 · attack.exfiltration attack.t1048.003 attack.command_and_control attack.t1071.004 ·

Share on:

Extremely high rate of TXT record type DNS requests from host per short period of time. Possible result of Do-exfiltration tool execution

Possible DNS Tunneling

Apr 21, 2023 · attack.command_and_control attack.t1071.004 attack.exfiltration attack.t1048.003 ·

Share on:

Normally, DNS logs contain a limited amount of different dns queries for a single domain. This rule detects a high amount of queries for a single domain, which can be an indicator that DNS is used to transfer data.

DNS Query From Process with Double File Extension

Jan 30, 2023 · attack.defense_evasion attack.command_and_control attack.t1218 attack.t1218.009 attack.t1071 attack.t1071.004 ·

Share on:

Detects DNS queries from processes with double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.

Download by Process with Double File Extension

Jan 30, 2023 · attack.defense_evasion attack.command_and_control attack.t1218 attack.t1218.009 attack.t1071 attack.t1071.004 ·

Share on:

Detects downloads by processes with double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.

File Creation by Process with Double File Extension

Jan 30, 2023 · attack.defense_evasion attack.command_and_control attack.t1218 attack.t1218.009 attack.t1071 attack.t1071.004 ·

Share on:

Detects file creations by processes with double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.

Network Connection From Process with Double File Extension

Jan 30, 2023 · attack.defense_evasion attack.command_and_control attack.t1218 attack.t1218.009 attack.t1071 attack.t1071.004 ·

Share on:

Detects network connections from processes with double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.