Detection rules › Splunk
Suspicious Process DNS Query Known Abuse Web Services
The following analytic detects a suspicious process making DNS queries to known, abused text-paste web services, VoIP, instant messaging, and digital distribution platforms. It leverages Sysmon EventID 22 logs to identify queries from processes like cmd.exe, powershell.exe, and others. This activity is significant as it may indicate an attempt to download malicious files, a common initial access technique. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further compromise of the target host.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1059.005 Command and Scripting Interpreter: Visual Basic |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 22 | DNSEvent (DNS query) |
Stages and Predicates
Stage 1: search
search (Image IN ("*\\Windows\\Tasks\\*", "*\\appdata\\*", "*\\perflogs\\*", "*\\programdata\\*", "*\\temp\\*", "*\\users\\public\\*") OR process_name IN ("*powershell*", "cmd.exe", "cscript.exe", "pwsh.exe", "wscript.exe")) EventCode=22 QueryName IN ("*api.telegram*", "*discord*", "*pastebin*", "*t.me*")
Stage 2: stats
stats BY answer, answer_count, dvc, process_exec, process_guid, process_name, query, query_count, reply_code_id, signature, signature_id, src, user_id, vendor_product, QueryName, QueryResults, QueryStatus
Stage 3: search
search
Stage 4: search
search
Stage 5: search
search `macro`
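To show how the stage 1 predicates and the stage 2 grouping behave on real records, here is an added Python example (not Splunk's own code) that applies the same wildcard tests to constructed Sysmon EventID 22 records; it assumes `process_name` is the file name of `Image`, as Splunk's Sysmon add-on derives it, and that wildcard matches are case-insensitive as in SPL:

```python
import fnmatch
import ntpath

# Predicates copied from the rule's stage 1 search.
SUSPICIOUS_IMAGE_GLOBS = ("*\\Windows\\Tasks\\*", "*\\appdata\\*", "*\\perflogs\\*",
                          "*\\programdata\\*", "*\\temp\\*", "*\\users\\public\\*")
SUSPICIOUS_PROCESS_GLOBS = ("*powershell*", "cmd.exe", "cscript.exe", "pwsh.exe", "wscript.exe")
ABUSED_SERVICE_GLOBS = ("*api.telegram*", "*discord*", "*pastebin*", "*t.me*")


def _matches_any(value, globs):
    # SPL wildcard comparisons on field values are case-insensitive; fold both sides.
    v = value.lower()
    return any(fnmatch.fnmatchcase(v, g.lower()) for g in globs)


def is_suspicious_dns_query(event):
    """Return True when a Sysmon record satisfies the rule's stage 1 predicates."""
    if str(event.get("EventCode")) != "22":          # only DNSEvent records
        return False
    image = event.get("Image", "")
    process_name = ntpath.basename(image)            # assumption: process_name = file name of Image
    from_suspicious_origin = (_matches_any(image, SUSPICIOUS_IMAGE_GLOBS)
                              or _matches_any(process_name, SUSPICIOUS_PROCESS_GLOBS))
    return from_suspicious_origin and _matches_any(event.get("QueryName", ""), ABUSED_SERVICE_GLOBS)


def find_hits(events):
    """Stage 2 analogue: count matching events per (host, process name, query name)."""
    hits = {}
    for ev in events:
        if is_suspicious_dns_query(ev):
            key = (ev["Computer"], ntpath.basename(ev["Image"]), ev["QueryName"])
            hits[key] = hits.get(key, 0) + 1
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventCode": 22, "Computer": "ws01", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "QueryName": "api.telegram.org"},                                   # interpreter -> abused service: hit
    {"EventCode": 22, "Computer": "ws01", "Image": "C:\\Users\\Public\\update.exe",
     "QueryName": "pastebin.com"},                                       # suspicious path -> abused service: hit
    {"EventCode": 22, "Computer": "ws02", "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "QueryName": "discord.com"},                                        # browser from a normal path: no hit
    {"EventCode": 1, "Computer": "ws02", "Image": "C:\\Windows\\System32\\cmd.exe",
     "QueryName": "t.me"},                                               # not a DNS event: no hit
    {"EventCode": 22, "Computer": "ws03", "Image": "C:\\Windows\\System32\\cmd.exe",
     "QueryName": "cdn.discordapp.com"},                                 # cmd.exe -> *discord*: hit
]

if __name__ == "__main__":
    for key, count in find_hits(SAMPLE_EVENTS).items():
        print(key, count)
```

The browser record shows why the rule pairs the origin test with the destination test: a DNS query to an abused service alone is not enough to alert.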
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| EventCode | eq | `22` |
| Image | in | `*\\Windows\\Tasks\\*`, `*\\appdata\\*`, `*\\perflogs\\*`, `*\\programdata\\*`, `*\\temp\\*`, `*\\users\\public\\*` |
| QueryName | in | `*api.telegram*`, `*discord*`, `*pastebin*`, `*t.me*` |
| process_name | in | `*powershell*`, `cmd.exe`, `cscript.exe`, `pwsh.exe`, `wscript.exe` |