rules/windows/process_creation/win_dnscat2_powershell_implementation.yml

title: DNSCat2 Powershell Implementation Detection Via Process Creation
id: b11d75d6-d7c1-11ea-87d0-0242ac130003
status: test
description: The PowerShell implementation of DNSCat2 calls nslookup to craft queries. Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally.
author: Cian Heasley
references:
  - https://github.com/lukebaggett/dnscat2-powershell
  - https://blu3-team.blogspot.com/2019/08/powershell-dns-c2-notes.html
  - https://ragged-lab.blogspot.com/2020/06/it-is-always-dns-powershell-edition.html
date: 2020/08/08
modified: 2021/11/27
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\powershell.exe'
    Image|endswith: '\nslookup.exe'
    CommandLine|endswith: '\nslookup.exe'
  condition: selection | count(Image) by ParentImage > 100
fields:
  - Image
  - CommandLine
  - ParentImage
falsepositives:
  - Other powershell scripts that call nslookup.exe
level: high
tags:
  - attack.command_and_control
  - attack.t1071
  - attack.t1071.004
  - attack.t1001.003
  - attack.t1041
win_dnscat2_powershell_implementation.yml 2020-08-13 12:06:48 +01:00			`title: DNSCat2 Powershell Implementation Detection Via Process Creation`
			`id: b11d75d6-d7c1-11ea-87d0-0242ac130003`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`status: test`
win_dnscat2_powershell_implementation.yml 2020-08-13 12:06:48 +01:00			`description: The PowerShell implementation of DNSCat2 calls nslookup to craft queries. Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally.`
			`author: Cian Heasley`
fix reference field + add test for references in plural form 2020-11-27 10:17:45 +01:00			`references:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- https://github.com/lukebaggett/dnscat2-powershell`
			`- https://blu3-team.blogspot.com/2019/08/powershell-dns-c2-notes.html`
			`- https://ragged-lab.blogspot.com/2020/06/it-is-always-dns-powershell-edition.html`
win_dnscat2_powershell_implementation.yml 2020-08-13 12:06:48 +01:00			`date: 2020/08/08`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`modified: 2021/11/27`
win_dnscat2_powershell_implementation.yml 2020-08-13 12:06:48 +01:00			`logsource:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`category: process_creation`
			`product: windows`
win_dnscat2_powershell_implementation.yml 2020-08-13 12:06:48 +01:00			`detection:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`selection:`
			`ParentImage\|endswith: '\powershell.exe'`
			`Image\|endswith: '\nslookup.exe'`
			`CommandLine\|endswith: '\nslookup.exe'`
			`condition: selection \| count(Image) by ParentImage > 100`
win_dnscat2_powershell_implementation.yml 2020-08-13 12:06:48 +01:00			`fields:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- Image`
			`- CommandLine`
			`- ParentImage`
win_dnscat2_powershell_implementation.yml 2020-08-13 12:06:48 +01:00			`falsepositives:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- Other powershell scripts that call nslookup.exe`
win_dnscat2_powershell_implementation.yml 2020-08-13 12:06:48 +01:00			`level: high`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`tags:`
			`- attack.command_and_control`
			`- attack.t1071`
			`- attack.t1071.004`
			`- attack.t1001.003`
			`- attack.t1041`