Detects DNS queries made by the finger utility, which can be abused by threat actors to retrieve remote commands for execution on Windows devices. In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server. Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion. Investigating such DNS queries can also help identify potential malicious infrastructure used by threat actors for command and control (C2) communication.

Read More

Detects network connections via finger.exe, which can be abused by threat actors to retrieve remote commands for execution on Windows devices. In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server. Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion. Investigating such network connections can also help identify potential malicious infrastructure used by threat actors

Read More

Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons

Read More

Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons

Read More

Detects OilRig activity as reported by Nyotron in their March 2018 report

Read More

Detects OilRig registry persistence as reported by Nyotron in their March 2018 report

Read More

Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report

Read More

Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report

Read More

Detects DNS queries to domains commonly used by threat actors to host malware payloads or redirect through URL shorteners. These include platforms like Cloudflare Workers, TryCloudflare, InfinityFree, and URL shorteners such as tinyurl and lihi.cc. Such DNS activity can indicate potential delivery or command-and-control communication attempts.

Read More

Detects DNS queries to domains associated with Katz Stealer malware. Katz Stealer is a malware variant that is known to be used for stealing sensitive information from compromised systems. In Enterprise environments, DNS queries to these domains may indicate potential malicious activity or compromise.

Read More

Detects DNS queries to domains associated with Katz Stealer malware. Katz Stealer is a malware variant that is known to be used for stealing sensitive information from compromised systems. In Enterprise environments, DNS queries to these domains may indicate potential malicious activity or compromise.

Read More

Detects suspicious DNS queries known from Cobalt Strike beacons

Read More

Well-known DNS Exfiltration tools execution

Read More

Detects strings used in command execution in DNS TXT Answer

Read More

Detects Silence EmpireDNSAgent as described in the Group-IP report

Read More

Detects suspicious DNS queries using base64 encoding

Read More

The PowerShell implementation of DNSCat2 calls nslookup to craft queries. Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally.

Read More

High DNS requests amount from host per short period of time

Read More

High DNS requests amount from host per short period of time

Read More

Extremely high rate of NULL record type DNS requests from host per short period of time. Possible result of iodine tool execution

Read More

Extremely high rate of TXT record type DNS requests from host per short period of time. Possible result of Do-exfiltration tool execution

Read More

Normally, DNS logs contain a limited amount of different dns queries for a single domain. This rule detects a high amount of queries for a single domain, which can be an indicator that DNS is used to transfer data.

Read More

Detects DNS queries from processes with double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.

Read More

Detects downloads by processes with double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.

Read More

Detects file creations by processes with double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.

Read More

Detects network connections from processes with double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.

Read More