Powershell DNS C2 Notes



I recently took a look at Powershell DNS C2 and found a couple of interesting things. The special case of DNS requests from powershell should be easy enough to identify using an EDR.

Using Splunk and stats, just look for multiple remote port 53 occurrences from powershell. There will be a few legitimate ones, but DNS C2 is noisy, so a large count threshold can be used to filter them out.

Next I took a look at DNSCat:
https://github.com/lukebaggett/dnscat2-powershell

Interestingly, powershell does not make the DNS request directly but spawns nslookup to do it. Easy enough to make a signature for that. Again, powershell calling nslookup will occur legitimately, but a high count threshold will filter those out.

index=edr powershell.exe nslookup.exe parent_path=*\\powershell.exe
| stats values(command_line) count by computer_name parent_process_guid
| where count>10
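The two thresholded counts above (port 53 connections from powershell, and nslookup.exe children of powershell grouped by host and parent GUID) expressed as detection logic over sample events, as an added example that is not part of the original post. The event field names, the default thresholds and the telemetry itself are constructed assumptions chosen to mirror the Splunk search; they are not a specific EDR's schema.

```python
from collections import defaultdict

PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
NSLOOKUP_PATH = r"C:\Windows\System32\nslookup.exe"


def _netconns(host, guid, port, n):
    """Build n constructed outbound-connection events from one powershell process."""
    return [{"type": "netconn", "computer_name": host, "process_guid": guid,
             "path": PS_PATH, "remote_port": port} for _ in range(n)]


def _nslookups(host, parent_guid, parent_path, n):
    """Build n constructed process events: nslookup.exe children of parent_path."""
    return [{"type": "process", "computer_name": host,
             "parent_process_guid": parent_guid, "parent_path": parent_path,
             "path": NSLOOKUP_PATH,
             "command_line": f"nslookup -type=TXT label{i}.constructed.invalid"}
            for i in range(n)]


# Constructed sample telemetry (not real EDR data): one host doing a handful of
# normal lookups, one host behaving like a DNS beacon, and one host with a few
# nslookups from powershell plus a batch from cmd.exe that must not count.
SAMPLE_EVENTS = (
    _netconns("HOST1", "ps-1", 53, 3) + _netconns("HOST1", "ps-1", 443, 5)
    + _netconns("HOST2", "ps-7", 53, 120) + _nslookups("HOST2", "ps-7", PS_PATH, 12)
    + _nslookups("HOST3", "ps-9", PS_PATH, 2)
    + _nslookups("HOST3", "cmd-2", r"C:\Windows\System32\cmd.exe", 15)
)


def dns_from_powershell(events, threshold=50):
    """Count outbound remote-port-53 connections per powershell process (keyed by
    host and process GUID) and return only the processes above `threshold`.
    The default threshold is an assumed 'large limit'; tune it to your baseline."""
    counts = defaultdict(int)
    for ev in events:
        if ev.get("type") != "netconn" or ev.get("remote_port") != 53:
            continue
        if not ev.get("path", "").lower().endswith("\\powershell.exe"):
            continue
        counts[(ev["computer_name"], ev["process_guid"])] += 1
    return {key: n for key, n in counts.items() if n > threshold}


def nslookup_from_powershell(events, threshold=10):
    """Mirror of the Splunk search: nslookup.exe spawned by powershell.exe, grouped
    by computer_name and parent_process_guid, keeping groups with count > threshold
    together with the distinct nslookup command lines (values(command_line))."""
    groups = defaultdict(lambda: {"count": 0, "command_lines": set()})
    for ev in events:
        if ev.get("type") != "process":
            continue
        if not ev.get("path", "").lower().endswith("\\nslookup.exe"):
            continue
        if not ev.get("parent_path", "").lower().endswith("\\powershell.exe"):
            continue
        key = (ev["computer_name"], ev["parent_process_guid"])
        groups[key]["count"] += 1
        groups[key]["command_lines"].add(ev["command_line"])
    return {key: g for key, g in groups.items() if g["count"] > threshold}


if __name__ == "__main__":
    for key, n in dns_from_powershell(SAMPLE_EVENTS).items():
        print("powershell DNS burst:", key, n, "connections to port 53")
    for key, g in nslookup_from_powershell(SAMPLE_EVENTS).items():
        print("powershell -> nslookup:", key, g["count"], "spawns,",
              len(g["command_lines"]), "distinct command lines")
```

The nslookup check keys on the parent GUID rather than the parent path alone, so a single long-running powershell process that spawns many lookups stands out while a fleet of unrelated one-off lookups does not accumulate into a false positive.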

Next I went back to some old OilRig samples which used DNS C2. Nothing new on the DNS side, just multiple DNS requests directly from powershell, but I did see something new in how the script was launched: the sample used "type" to pipe the contents of a text file into powershell. Legitimate occurrences of this in a production environment should be rare.

Easy to sig with just the keywords "cmd.exe", "/c", "|", "type", "powershell".

Example
C:\Windows\System32\cmd.exe /c type C:\Users\Public\Libraries\RecordedTV\example.txt | powershell -exec Bypass -noprofile -
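The keyword signature above, run over a few sample command lines, as an added example that is not part of the original post. The first function is the post's signature as written (all five keywords present); the second is an added, stricter variant that also requires the tokens to appear in the order cmd /c type <file> | powershell, which is an assumption about the pattern rather than something the post states. The benign command lines are constructed.

```python
# Keywords from the post, matched case-insensitively against each command line.
KEYWORDS = ("cmd.exe", "/c", "|", "type", "powershell")


def tokenize(cmdline):
    """Lower-case and split on whitespace; pad the pipe so 'a.txt|powershell'
    still yields a standalone '|' token."""
    return cmdline.lower().replace("|", " | ").split()


def keyword_match(cmdline):
    """The post's signature: every keyword present. cmd.exe and powershell are
    matched as suffix/substring of a token so full paths and powershell.exe hit;
    /c, | and type must be whole tokens so 'typeperf' or 'findstr' noise is ignored."""
    tokens = tokenize(cmdline)
    return (any(t.endswith("cmd.exe") for t in tokens)
            and "/c" in tokens
            and "|" in tokens
            and "type" in tokens
            and any("powershell" in t for t in tokens))


def ordered_match(cmdline):
    """Added refinement (assumed, not from the post): require the sequence
    /c ... type <file> | powershell, with powershell as the first token on the
    receiving side of the pipe. Does not insist on 'cmd.exe', so a bare 'cmd'
    launcher is also caught."""
    tokens = tokenize(cmdline)
    try:
        i_c = tokens.index("/c")
        i_type = tokens.index("type", i_c + 1)
        i_pipe = tokens.index("|", i_type + 1)
    except ValueError:
        return False
    if i_pipe < i_type + 2:        # 'type' must have a file operand before the pipe
        return False
    return len(tokens) > i_pipe + 1 and "powershell" in tokens[i_pipe + 1]


# Constructed sample command lines: the post's example, a variant that drops
# '.exe' and the spaces around the pipe, and three benign lines.
SAMPLE_COMMAND_LINES = [
    r"C:\Windows\System32\cmd.exe /c type C:\Users\Public\Libraries\RecordedTV\example.txt | powershell -exec Bypass -noprofile -",
    r"cmd /c type C:\Users\Public\stage.txt|powershell -",
    r"C:\Windows\System32\cmd.exe /c type build.log",
    r"C:\Windows\System32\cmd.exe /c dir | findstr type",
    r"powershell.exe -NoProfile -Command Get-Content type.txt",
]


def scan(command_lines, matcher=keyword_match):
    """Return the command lines the chosen matcher flags."""
    return [c for c in command_lines if matcher(c)]


if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(f"keyword={keyword_match(line)!s:5} ordered={ordered_match(line)!s:5} {line}")
```

The two matchers disagree only on the second line: the plain keyword signature misses it because "cmd" does not carry the ".exe" suffix, while the ordered variant still fires on the type-then-pipe-then-powershell sequence. Neither flags the three benign lines, including the one that contains the word "type" as a findstr argument.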
