Detectionhightest

DNS TXT Answer with Possible Execution Strings

Detects strings used in command execution in DNS TXT Answer

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Markus NeisCreated Wed Aug 08Updated Sat Nov 278ae51330-899c-4641-8125-e39f2e07da72network

Log Source

dns

Categorydns← raw: dns

Detection Logic

detection:
    selection:
        record_type: 'TXT'
        answer|contains:
            - 'IEX'
            - 'Invoke-Expression'
            - 'cmd.exe'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

TA0011 · Command and Control

Sub-techniques

T1071.004 · DNS

Rule Metadata

Rule ID

8ae51330-899c-4641-8125-e39f2e07da72

Status

test

Level

high

Type

Detection

Created

Wed Aug 08

Modified

Sat Nov 27

Author

Markus Neis

Path

rules/network/dns/net_dns_susp_txt_exec_strings.yml

Raw Tags

attack.command-and-controlattack.t1071.004

View on GitHub