1{ 2 "author": [ 3 "Elastic" 4 ], 5 "description": "This rule identifies a large number (15) of nslookup.exe executions with an explicit query type from the same host. This may indicate command and control activity that tunnels traffic over the DNS protocol.", 6 "from": "now-9m", 7 "index": [ 8 "winlogbeat-*", 9 "logs-endpoint.events.*", 10 "logs-windows.*" 11 ], 12 "language": "kuery", 13 "license": "Elastic License v2", 14 "name": "Potential DNS Tunneling via NsLookup", 15 "query": "event.category:process and event.type:start and process.name:nslookup.exe and process.args:(-querytype=* or -qt=* or -q=* or -type=*)\n", 16 "references": [ 17 "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/" 18 ], 19 "risk_score": 47, 20 "rule_id": "3a59fc81-99d3-47ea-8cd6-d48d561fca20", 21 "severity": "medium", 22 "tags": [ 23 "Elastic", 24 "Host", 25 "Windows", 26 "Threat Detection", 27 "Command and Control" 28 ], 29 "threat": [ 30 { 31 "framework": "MITRE ATT&CK", 32 "tactic": { 33 "id": "TA0011", 34 "name": "Command and Control", 35 "reference": "https://attack.mitre.org/tactics/TA0011/" 36 }, 37 "technique": [ 38 { 39 "id": "T1071", 40 "name": "Application Layer Protocol", 41 "reference": "https://attack.mitre.org/techniques/T1071/", 42 "subtechnique": [ 43 { 44 "id": "T1071.004", 45 "name": "DNS", 46 "reference": "https://attack.mitre.org/techniques/T1071/004/" 47 } 48 ] 49 } 50 ] 51 } 52 ], 53 "threshold": { 54 "field": [ 55 "host.id" 56 ], 57 "value": 15 58 }, 59 "type": "threshold", 60 "version": 3 61} 62