Emerging Threathighexperimental

DNS Query To Katz Stealer Domains

Detects DNS queries to domains associated with Katz Stealer malware. Katz Stealer is a malware variant that is known to be used for stealing sensitive information from compromised systems. In Enterprise environments, DNS queries to these domains may indicate potential malicious activity or compromise.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Swachchhanda Shrawan Poudel (Nextron Systems)Created Thu May 229c3d6e32-f4c8-4d73-8b8f-95c3b383a13c2025

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

WindowsDNS Query

ProductWindows← raw: windows

CategoryDNS Query← raw: dns_query

DNS lookup events generated by endpoint monitoring tools.

Detection Logic

detection:
    selection:
        QueryName|contains:
            - 'katz-panel.com'
            - 'katz-stealer.com'
            - 'katzstealer.com'
            - 'twist2katz.com'
    condition: selection

False Positives

Unlikely

False positives are unlikely for most environments. High confidence detection.

References

Resolving title…

Internal Research

MITRE ATT&CK

Tactics

TA0011 · Command and Control

Sub-techniques

T1071.004 · DNS

Other

detection.emerging-threats

Related Rules

SimilarEmerging Threathigh

DNS Query To Katz Stealer Domains - Network

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

9c3d6e32-f4c8-4d73-8b8f-95c3b383a13c

Status

experimental

Level

high

Type

Emerging Threat

Created

Thu May 22

Author

Swachchhanda Shrawan Poudel (Nextron Systems)

Path

rules-emerging-threats/2025/Malware/Katz-Stealer/dns_query_win_katz_stealer_domain.yml

Raw Tags

attack.command-and-controlattack.t1071.004detection.emerging-threats

View on GitHub