Detectionlowtest

New Kind of Network (NKN) Detection

NKN is a networking service using blockchain technology to support a decentralized network of peers. While there are legitimate uses for it, it can also be used as a C2 channel. This rule looks for a DNS request to the ma>

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Michael PorteraCreated Thu Apr 21fa7703d6-0ee8-4949-889c-48c84bc15b6fnetwork

Log Source

Zeek (Bro)dns

ProductZeek (Bro)← raw: zeek

Servicedns← raw: dns

Detection Logic

detection:
    selection:
        query|contains|all:
            - 'seed'
            - '.nkn.org'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

github.com

Resolving title…

unit42.paloaltonetworks.com

Resolving title…

github.com

MITRE ATT&CK

Tactics

TA0011 · Command and Control

Rule Metadata

Rule ID

fa7703d6-0ee8-4949-889c-48c84bc15b6f

Status

test

Level

low

Type

Detection

Created

Thu Apr 21

Author

Michael Portera

Path

rules/network/zeek/zeek_dns_nkn.yml

Raw Tags

attack.command-and-control

View on GitHub