From b477255abebf885326784d0cf1a14e9f22b1cd99 Mon Sep 17 00:00:00 2001 From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Mon, 7 Dec 2020 20:16:17 +0100 Subject: [PATCH] [New Rule] Potential DNS Tunneling with Nslookup (#522) * [New Rule] Potential DNS Tunneling with Nslookup * adjusted tags * Update rules/windows/command_and_control_dns_tunneling_nslookup.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/windows/command_and_control_dns_tunneling_nslookup.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * ecs_version * Update rules/windows/command_and_control_dns_tunneling_nslookup.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/command_and_control_dns_tunneling_nslookup.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> --- ...nd_and_control_dns_tunneling_nslookup.toml | 45 +++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 rules/windows/command_and_control_dns_tunneling_nslookup.toml diff --git a/rules/windows/command_and_control_dns_tunneling_nslookup.toml b/rules/windows/command_and_control_dns_tunneling_nslookup.toml new file mode 100644 index 000000000..dab12bf42 --- /dev/null +++ b/rules/windows/command_and_control_dns_tunneling_nslookup.toml @@ -0,0 +1,45 @@ +[metadata] +creation_date = "2020/11/11" +maturity = "production" +updated_date = "2020/11/11" + +[rule] +author = ["Elastic"] +description = """ +This rule identifies a large number (15) of nslookup.exe executions with an explicit query type from the same host. This +may indicate command and control activity utilizing the DNS protocol. +""" +from = "now-9m" +index = ["winlogbeat-*", "logs-endpoint.events.*"] +language = "kuery" +license = "Elastic License" +name = "Potential DNS Tunneling via NsLookup" +references = ["https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/"] +risk_score = 47 +rule_id = "3a59fc81-99d3-47ea-8cd6-d48d561fca20" +severity = "medium" +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control"] +type = "threshold" + +query = ''' +event.category:process and event.type:start and process.name:nslookup.exe and process.args:(-querytype=* or -qt=* or -q=* or -type=*) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[rule.threshold] +field = "host.id" +value = 15 +