Potential SocGholish Second Stage C2 DNS Query
Emerging Threat | Level: high | Status: test
Detects a DNS query initiated from a "wscript" process for domains matching a specific pattern that was seen being used by SocGholish for its Command and Control traffic.
Emerging Threat (Active Threat): developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
Log Source
Product: Windows (raw: windows)
Category: DNS Query (raw: dns_query)
DNS lookup events generated by endpoint monitoring tools.
Detection Logic (1 selector)
detection:
  selection:
    Image|endswith: '\wscript.exe'
    QueryName|re: '[a-f0-9]{4,8}\.(?:[a-z0-9\-]+\.){2}[a-z0-9\-]+'
  condition: selection
False Positives
Legitimate domain names matching the regex pattern by chance (e.g. domain controllers dc01.company.co.uk)
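To show how this selection behaves on realistic events, including the domain-controller false positive the rule itself notes, here is an added Python evaluator of the rule's `selection` (example code, not part of the Sigma rule or any converter backend; the event dicts, field names and domains are constructed):

```python
import re

# The rule's QueryName|re pattern. Sigma's `re` modifier is an unanchored
# search, so the hex label may sit anywhere in the queried name.
SOCGHOLISH_C2_RE = re.compile(r'[a-f0-9]{4,8}\.(?:[a-z0-9\-]+\.){2}[a-z0-9\-]+')

def find_hit(query_name: str):
    """Return the substring that satisfies the regex, or None (useful for triage)."""
    m = SOCGHOLISH_C2_RE.search(query_name)
    return m.group(0) if m else None

def matches_rule(event: dict) -> bool:
    """True if the event satisfies both fields of the rule's `selection`."""
    image = event.get("Image", "")
    # Sigma plain-string modifiers such as `endswith` are case-insensitive.
    if not image.lower().endswith(r"\wscript.exe"):
        return False
    return find_hit(event.get("QueryName", "")) is not None

# Constructed sample DNS query events (hypothetical, not real telemetry).
SAMPLE_EVENTS = [
    # hex-looking label under a three-label suffix, from wscript: alert
    {"Image": r"C:\Windows\System32\wscript.exe", "QueryName": "a1b2c3d4.cdn.example-update.com"},
    # the false positive the rule documents: "dc01" is four hex characters
    {"Image": r"C:\Windows\System32\wscript.exe", "QueryName": "dc01.company.co.uk"},
    # no 4-8 character hex label followed by a dot: no alert
    {"Image": r"C:\Windows\System32\wscript.exe", "QueryName": "www.example.com"},
    # same domain but a different host process: no alert
    {"Image": r"C:\Windows\System32\cscript.exe", "QueryName": "a1b2c3d4.cdn.example-update.com"},
]

def evaluate(events):
    """Apply the rule to each event and return one boolean per event."""
    return [matches_rule(e) for e in events]

if __name__ == "__main__":
    for e, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(hit, e["QueryName"], find_hit(e["QueryName"]))
```

The second event alerts for the reason the False Positives note gives: any four-to-eight character label made only of the characters a-f and 0-9 (such as a numbered domain controller name) satisfies the pattern.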
MITRE ATT&CK
Tactics: attack.command-and-control (from raw tags)
Other: attack.t1219.002, detection.emerging-threats
Rule Metadata
Rule ID: 70761fe8-6aa2-4f80-98c1-a57049c08e66
Status: test
Level: high
Type: Emerging Threat
Created: Thu Feb 23
Author:
Path: rules-emerging-threats/2023/Malware/dns_query_win_malware_socgholish_second_stage_c2.yml
Raw Tags: attack.command-and-control, attack.t1219.002, detection.emerging-threats