security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #315 from P4T12ICK/feature/net_dnc_c2_detection

Browse Source 
New C2 DNS Tunneling Sigma Detection Rule
This commit is contained in:
Thomas Patzke
2019-05-10 00:12:39 +02:00
committed by GitHub
parent c50119b913 a85acdfd02
commit 56f64ca47d
1 changed files with 19 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/network/net_dns_c2_detection.yml
+19
View File
@@ -0,0 +1,19 @@
title: Possible DNS Tunneling
status: experimental
description: Normally, DNS logs contain a limited amount of different dns queries for a single domain. This rule detects a high amount of queries for a single domain, which can be an indicator that DNS is used to transfer data.
references:
- https://zeltser.com/c2-dns-tunneling/
- https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/
author: Patrick Bareiss
date: 2019/04/07
logsource:
product: dns
detection:
selection:
parent_domain: '*'
condition: selection | count(dns_query) by parent_domain > 1000
falsepositives:
- Valid software, which uses dns for transferring data
level: high
tags:
- attack.t1043