security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
d19df2e4f7e7fa22ba5a441763d078d2aa851276
blue-team-tools/rules/windows/powershell/powershell_dnscat_execution.yml
T
yugoslavskiy 0db5436778 add tieto dns exfil rules
2019-11-10 20:27:21 +03:00

20 lines
496 B
YAML
Raw Blame History

title: Dnscat execution
description: Dnscat exfiltration tool execution
status: experimental
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/24
tags:
- attack.exfiltration
- attack.t1048
logsource:
product: windows
service: powershell
detection:
selection:
EventID: 4104
ScriptBlockText|contains: "Start-Dnscat2"
condition: selection
falsepositives:
- Legitimate usage of PowerShell Dnscat2 — DNS Exfiltration tool (unlikely)
level: medium
Reference in New Issue View Git Blame Copy Permalink