Commit

Create sysmon_apt_muddywater_dnstunnel.yml
caliskanfurkan authored Jun 4, 2020
1 parent d97d2ce commit 09afae1
Showing 1 changed file with 26 additions and 0 deletions.
26 changes: 26 additions & 0 deletions rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
@@ -0,0 +1,26 @@
title: "Muddywater DNS tunnel method detection"
description: "Detecting DNS tunnel activity from Muddywater"
author: Furkan Caliskan
status: "testing"
references:
- https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/
- https://www.vmray.com/analyses/5ad401c3a568/report/overview.html
tags:
- attack.command_and_control
- attack.t1071
logsource:
product: "windows"
service: "sysmon"
detection:
selection:
EventID: 1
Image|endswith:
- '\powershell.exe'
ParentImage|endswith:
- '\excel.exe'
CommandLine|contains:
- 'DataExchange.dll'
condition: selection
falsepositives:
- Unkown
level: medium
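Review bot: The `selection` block does not implement what the title and description promise. It matches Sysmon EventID 1 (process creation) for `powershell.exe` whose parent is `excel.exe` and whose command line contains `DataExchange.dll`, which is the Excel-to-PowerShell launch stage of the referenced sample, not DNS tunnel traffic; either retitle and redescribe the rule as "MuddyWater Excel-spawned PowerShell with DataExchange.dll" or add a selection on Sysmon DNS query events (EventID 22) if DNS tunnelling is the behaviour meant to be caught. Two smaller points: `falsepositives` has a typo (`- Unkown` should be `- Unknown`), and if the DNS framing is kept, tag the sub-technique `attack.t1071.004` alongside `attack.t1071`; a Sigma rule is also expected to carry `id` (a UUID) and `date` fields, which are absent here.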
