Showing posts from August, 2019

PowerShell DNS C2 Notes

I recently took a look at PowerShell DNS C2 and found a couple of interesting things. The special case of DNS requests made directly from PowerShell should be easy enough to identify with an EDR: using Splunk and stats, just look for multiple remote port 53 connections from powershell.exe. There will be a few legitimate ones, but DNS C2 is noisy, so a large count threshold can be used for filtering.

Next I took a look at dnscat2-powershell (https://github.com/lukebaggett/dnscat2-powershell). Interestingly, PowerShell does not make the DNS request directly but spawns nslookup to do it, which is easy enough to write a signature for. Again, PowerShell calling nslookup will occur legitimately, but a large threshold on the occurrence count will filter those out:

index=edr powershell.exe nslookup.exe parent_path=*\\powershell.exe | stats values(command_line) count by computer_name parent_process_guid | where count>10

Next I went back to some old OilRig samples which used DNS C2. Nothing new there, just multiple DNS requests directly from PowerShell. B

Trickbot Svchost.exe Recon Commands

https://www.vkremez.com/2018/04/lets-learn-trickbot-implements-network.html Vitali and others have noted that trickbot is running reconn commands. I finally saw them in action and these happen to be children of svchost so I did a quick sig and it looks pretty reliable and quiet. Nothing fancy, just looking for cmd.exe as a child of svchost.exe with common reconn command lines. index=edr svchost.exe process_path=*\\cmd.exe parent_path=*\\svchost.exe  (ipconfig OR "net view" OR "net config" OR nltest OR whoami OR hostname OR tasklist ) | stats values(command_line) count by computer_name process_path Using stats to group the command lines for visibility Previously I had done something more complex based on the JPCERT analysis to detect reconn more generally. https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html @Cyb3rops did this in a very similar manner way before I did. https://github.com/Neo23x0/sigma/blob/master/rules/windo