security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e91fc4486e57fc40e30d12253694de4c80a9e4ea
blue-team-tools/rules/network/net_susp_dns_b64_queries.yml
T
frack113 4631d0c482 remove invalid tag
2022-01-19 18:23:30 +01:00

24 lines
568 B
YAML
Raw Blame History

title: Suspicious DNS Query with B64 Encoded String
id: 4153a907-2451-4e4f-a578-c52bb6881432
status: experimental
description: Detects suspicious DNS queries using base64 encoding
author: Florian Roth
date: 2018/05/10
modified: 2021/08/09
references:
- https://github.com/krmaxwell/dns-exfiltration
logsource:
category: dns
detection:
selection:
query|contains: '==.'
condition: selection
falsepositives:
- Unknown
level: medium
tags:
- attack.exfiltration
- attack.t1048.003
- attack.command_and_control
- attack.t1071.004
Reference in New Issue View Git Blame Copy Permalink