Type: Detection | Level: high | Status: test

PowerShell DNSExfiltration

DNSExfiltrator allows transferring (exfiltrating) a file over a DNS-request covert channel

Author: François Hubaut
Created: Fri Jan 07

Log Source
Product: Windows (raw: windows)
Category: PowerShell Script (raw: ps_script)

Definition

Requirements: Script Block Logging must be enabled

Detection Logic
detection:
    selection_cmdlet:
        - ScriptBlockText|contains: 'Invoke-DNSExfiltrator'
        - ScriptBlockText|contains|all:
              - ' -i '
              - ' -d '
              - ' -p '
              - ' -doh '
              - ' -t '
    condition: selection_cmdlet
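To see what the selection above actually matches, here is a small Python evaluator that applies the same two selectors to Script Block Logging records (Event ID 4104, field ScriptBlockText). This is an added example, not part of the Sigma rule or the DNSExfiltrator project; the sample events are constructed, and the placeholder values in angle brackets stand in for arguments the page does not give. Sigma's `contains` modifier is case-insensitive by default, which the code mirrors with `casefold()`.

```python
# Evaluate the Sigma selection from this rule against PowerShell
# Script Block Logging records. Added example; not the rule's own code.

# Selector 1: a single case-insensitive substring (Sigma |contains).
SINGLE_TERM = "invoke-dnsexfiltrator"

# Selector 2: every one of these must appear (Sigma |contains|all).
# Note the surrounding spaces: each flag must be space-delimited on
# both sides exactly as written in the rule.
ALL_TERMS = (" -i ", " -d ", " -p ", " -doh ", " -t ")


def matches_selection(script_block_text: str) -> bool:
    """Return True if the ScriptBlockText satisfies selection_cmdlet.

    The two list entries under selection_cmdlet are OR-ed, so either the
    cmdlet name or the full flag set is enough to match.
    """
    text = script_block_text.casefold()
    if SINGLE_TERM in text:
        return True
    return all(term in text for term in ALL_TERMS)


def scan_events(events):
    """Return the RecordIds of events whose ScriptBlockText matches."""
    return [e["RecordId"] for e in events if matches_selection(e["ScriptBlockText"])]


# Constructed sample Event ID 4104 records (not real telemetry).
# Angle-bracket values are placeholders, not real arguments.
SAMPLE_EVENTS = [
    {"RecordId": 1, "ScriptBlockText": "Get-ChildItem -Path C:\\Windows\\Temp -Recurse"},
    {"RecordId": 2, "ScriptBlockText": "Invoke-DNSExfiltrator -i <file> -d <domain> -p <password>"},
    {"RecordId": 3, "ScriptBlockText": "invoke-dnsexfiltrator <args>"},  # case variant, selector 1
    {"RecordId": 4, "ScriptBlockText": "Invoke-Renamed -i <file> -d <domain> -p <pw> -doh <resolver> -t 500"},  # selector 2
    {"RecordId": 5, "ScriptBlockText": "Test-Connection -t -d <host>"},  # only two of the five flags
]


if __name__ == "__main__":
    for rid in scan_events(SAMPLE_EVENTS):
        print(f"RecordId {rid} matched rule d59d7842-9a21-4bc6-ba98-64bfe0091355")
```

Records 2 and 3 match on the cmdlet name alone; record 4 shows why the second selector exists, since it fires on the flag set even when the cmdlet name differs. Because the flag terms carry a space on each side, test the rule against the exact whitespace your collector records before relying on the all-of selector.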
False Positives

Legitimate script

Rule Metadata
Rule ID
d59d7842-9a21-4bc6-ba98-64bfe0091355
Status
test
Level
high
Type
Detection
Created
Fri Jan 07
Path
rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml
Raw Tags
attack.exfiltration, attack.t1048