security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
07cf7ae5fa300bcbf7b4a61cd92f366c04d8a939
blue-team-tools/rules/windows/powershell/powershell_script/posh_ps_dnscat_execution.yml
T
frack113 1e5ae09c4b Order yaml field
2022-10-26 09:43:39 +02:00

24 lines
637 B
YAML
Raw Blame History

title: Dnscat Execution
id: a6d67db4-6220-436d-8afc-f3842fe05d43
status: experimental
description: Dnscat exfiltration tool execution
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/24
modified: 2021/10/16
tags:
- attack.exfiltration
- attack.t1048
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
detection:
selection:
ScriptBlockText|contains: 'Start-Dnscat2'
condition: selection
falsepositives:
- Legitimate usage of PowerShell Dnscat2 — DNS Exfiltration tool (unlikely)
level: critical
Reference in New Issue View Git Blame Copy Permalink