DNS Exfiltration rule

[pramodpabbati]

Hello!

Just reviewing the DNS exfiltration rule at - https://github.com/SigmaHQ/sigma/blob/master/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml and was curious on the detection logic of looking for "Invoke-DNSExfiltrator" OR all of the flags its running with.

Based on the references and the wiki for the tool, it doesn't look like the detection logic is accurate. Could you please confirm?

Kind Regards,
Pramod

[github-actions]

Welcome @pramodpabbati 👋

It looks like this is your first issue on the Sigma rules repository!

The following repository accepts issues related to false positives or 'rule ideas'.

If you're reporting an issue related to the pySigma library please consider submitting it here

If you're reporting an issue related to the deprecated sigmac library please consider submitting it here

Thanks for taking the time to open this issue, and welcome to the Sigma community! 😃

[nasbench]

Hi @pramodpabbati and thanks for opening this issue.

After looking at the rule in question, it can indeed be improved. The rule focused on using the same args in the ART example in order to cover potential "renames" of the cmdlets. But as its shown by the source code on 3 flags are mandatory.

      file:           [MANDATORY] The file name to the file to be exfiltrated.
      domainName:     [MANDATORY] The domain name to use for DNS requests.
      password:       [MANDATORY] Password used to encrypt the data to be exfiltrated.

And these alone cannot be used to identify the cmdlets. I will work on this and try to enhance the logic a bit more.

[kets99]

hi @nasbench @pramodpabbati

could we use 'Invoke-DNSExfiltrator' AND the 3 mandatory flags for identification?

here's the rule:

detection:
  selection_name:
    ScriptBlockText|contains: 'Invoke-DNSExfiltrator'
  selection_flags:
    ScriptBlockText|contains|all:
      - ' -i '
      - ' -d '
      - ' -p '
  condition: selection_name and selection_flags

please let me know if this can be improved upon further.

[toheeb-orelope]

Hi @nasbench,

I've opened a PR improving the detection logic for Invoke-DNSExfiltrator, incorporating the mandatory parameters (-i, -d, -p) together with the function name.
The updated rule passes sigma check with zero issues.

PR: #5801

Thanks!