SigmaHQ / sigma

Main Sigma Rule Repository
Other
8.42k stars 2.21k forks source link

DNS Exfiltration rule #4889

Open pramodpabbati opened 5 months ago

pramodpabbati commented 5 months ago

Hello!

Just reviewing the DNS exfiltration rule at - https://github.com/SigmaHQ/sigma/blob/master/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml and was curious on the detection logic of looking for "Invoke-DNSExfiltrator" OR all of the flags its running with.

Based on the references and the wiki for the tool, it doesn't look like the detection logic is accurate. Could you please confirm?

Kind Regards, Pramod

github-actions[bot] commented 5 months ago

Welcome @pramodpabbati :wave:

It looks like this is your first issue on the Sigma rules repository!

The following repository accepts issues related to false positives or 'rule ideas'.

If you're reporting an issue related to the pySigma library please consider submitting it here

If you're reporting an issue related to the deprecated sigmac library please consider submitting it here

Thanks for taking the time to open this issue, and welcome to the Sigma community! :smiley:

nasbench commented 5 months ago

Hi @pramodpabbati and thanks for opening this issue.

After looking at the rule in question, it can indeed be improved. The rule focused on using the same args in the ART example in order to cover potential "renames" of the cmdlets. But as its shown by the source code on 3 flags are mandatory.

      file:           [MANDATORY] The file name to the file to be exfiltrated.
      domainName:     [MANDATORY] The domain name to use for DNS requests.
      password:       [MANDATORY] Password used to encrypt the data to be exfiltrated.

And these alone cannot be used to identify the cmdlets. I will work on this and try to enhance the logic a bit more.