security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
34ea706e4fe91c8a2c7ae11b953407e1dd67a319
blue-team-tools/rules/network/net_susp_dns_txt_exec_strings.yml
T
Ivan Kirillov 0fbfcc6ba9 Initial round of subtechnique updates
2020-06-16 14:46:08 -06:00

26 lines
689 B
YAML
Raw Blame History

title: DNS TXT Answer with Possible Execution Strings
id: 8ae51330-899c-4641-8125-e39f2e07da72
status: experimental
description: Detects strings used in command execution in DNS TXT Answer
references:
- https://twitter.com/stvemillertime/status/1024707932447854592
- https://github.com/samratashok/nishang/blob/master/Backdoors/DNS_TXT_Pwnage.ps1
tags:
- attack.t1071
- attack.t1071.004
author: Markus Neis
date: 2018/08/08
logsource:
category: dns
detection:
selection:
record_type: 'TXT'
answer:
- '*IEX*'
- '*Invoke-Expression*'
- '*cmd.exe*'
condition: selection
falsepositives:
- Unknown
level: high
Reference in New Issue View Git Blame Copy Permalink