Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Nslookup PowerShell Download Cradle

Detects a powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Sai Prashanth Pulisetti, Aishwarya SingamCreated Sat Dec 10Updated Tue Feb 25999bff6d-dc15-44c9-9f5c-e1051bfc86e1windows
Log Source
WindowsPowerShell Classic
ProductWindows← raw: windows
CategoryPowerShell Classic← raw: ps_classic_start
Detection Logic
Detection Logic1 selector
detection:
    selection:
        Data|contains|all:
            - 'powershell'
            - 'nslookup'
            - '[1]'
        Data|contains:
            - '-q=txt http'
            - '-querytype=txt http'
            - '-type=txt http'
    condition: selection
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
twitter.com
MITRE ATT&CK
Related Rules
SimilarDetectionmedium

Nslookup PowerShell Download Cradle - ProcessCreation

Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata
Rule ID
999bff6d-dc15-44c9-9f5c-e1051bfc86e1
Status
test
Level
medium
Type
Detection
Created
Sat Dec 10
Modified
Tue Feb 25
Author
Sai Prashanth Pulisetti, Aishwarya Singam
Path
rules/windows/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml
Raw Tags
attack.executionattack.t1059.001
View on GitHub