Nslookup Local

Detects use of nslookup to look up the local nameserver as part of host discovery

Sigma rule

title: Nslookup Local
id: ffef5004-f1ec-48bb-8662-8dfd4f9a4902
status: Experimental
description: Detects use of nslookup to look up the local nameserver as part of host discovery
author: _pete_0, TheDFIRReport
references:
  - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/nslookup
  - https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts
date: 2023/01/08
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\nslookup.exe'
    CommandLine|contains:
      - '127.0.0.1'
    ParentImage|endswith:
      - '\cmd.exe'
    ParentCommandLine|contains:
      - '/c'
  condition: selection
fields:
  - CommandLine
  - ParentCommandLine
falsepositives:
  - Administrators, helpdesk
level: high
tags:
  - attack.discovery
  - attack.t1016
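To see exactly which process_creation events the selection above fires on, here is an added Python replay of the rule's four field conditions over two constructed events. This is example code written for this page, not code from the rule's authors or the Sigma project; the sample events, their paths and command lines are constructed, and the matching follows Sigma's default case-insensitive semantics for the endswith/contains modifiers.

```python
# Selection copied from the rule; Sigma's endswith/contains modifiers
# match case-insensitively by default.
SELECTION = {
    "Image|endswith": ["\\nslookup.exe"],
    "CommandLine|contains": ["127.0.0.1"],
    "ParentImage|endswith": ["\\cmd.exe"],
    "ParentCommandLine|contains": ["/c"],
}


def field_matches(value: str, modifier: str, patterns: list) -> bool:
    """True if any pattern matches `value` under the given Sigma modifier."""
    v = value.lower()
    for p in (p.lower() for p in patterns):
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "contains" and p in v:
            return True
    return False


def matches_nslookup_local(event: dict) -> bool:
    """A Sigma selection map is an AND of its entries: every key must match."""
    for key, patterns in SELECTION.items():
        field, modifier = key.split("|")
        value = event.get(field)
        if value is None or not field_matches(value, modifier, patterns):
            return False
    return True


# Constructed sample events, not real telemetry.
EVENTS = [
    {   # scripted chain the rule describes: cmd /c ... nslookup 127.0.0.1
        "Image": "C:\\Windows\\System32\\nslookup.exe",
        "CommandLine": "nslookup 127.0.0.1",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "ParentCommandLine": "cmd.exe /c nslookup 127.0.0.1",
    },
    {   # same lookup typed into an interactive cmd: no '/c', so no alert
        "Image": "C:\\Windows\\System32\\nslookup.exe",
        "CommandLine": "NSLOOKUP 127.0.0.1",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"",
    },
]


def alerts(events=EVENTS) -> list:
    """Indices of the events that satisfy the selection."""
    return [i for i, e in enumerate(events) if matches_nslookup_local(e)]
```

The second event shows why the rule keys on ParentCommandLine containing '/c': an administrator running the same command from an interactive prompt, the false positive the rule lists, does not satisfy the selection.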
