Non-browser processes making DNS requests to Dynamic DNS Providers

Identifies non-browser processes making DNS requests to Dynamic DNS Providers used by GAMAREDON GROUP.

id:de828f75-33bb-41ab-bc52-92dc2e0ef58b
categories:detect
confidence:low
os:windows
created:02/12/2020
updated:02/12/2020

MITRE ATT&CK™ Mapping

tactics:Command and Control
techniques:T1071 Standard Application Layer Protocol

Query

dns where wildcard(query_name, "*.ddns.net", "*.hopto.org", "*.bounceme.net") and
  process_name not in ("chrome.exe","iexplore.exe", "firefox.exe")
| unique unique_pid
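
To show what the query above actually selects, here is an added Python emulation of its logic run over a handful of constructed DNS events. It is example code written for this page, not part of the original analytic or of the EQL library; the field names (query_name, process_name, unique_pid) mirror the ones the query uses, the event_type field stands in for the `dns where` event filter, and the events themselves are constructed. It also reproduces two details worth knowing when tuning the rule: EQL string matching is case-insensitive, and `| unique unique_pid` keeps only the first matching event per process.

```python
"""Emulation of the Dynamic DNS analytic: DNS queries to the listed providers
from any process that is not one of the excluded browsers, de-duplicated by
unique_pid. Added example, not the original analytic's code."""
from fnmatch import fnmatchcase

# Patterns and browser exclusions taken verbatim from the EQL query.
DDNS_PATTERNS = ("*.ddns.net", "*.hopto.org", "*.bounceme.net")
BROWSERS = ("chrome.exe", "iexplore.exe", "firefox.exe")


def matches_ddns(query_name):
    """EQL's wildcard() compares case-insensitively, so normalise first.
    Note that '*.ddns.net' requires at least one label before the suffix."""
    name = query_name.lower()
    return any(fnmatchcase(name, pattern) for pattern in DDNS_PATTERNS)


def is_browser(process_name):
    """process_name not in (...) is also case-insensitive in EQL."""
    return process_name.lower() in BROWSERS


def detect(events):
    """Return the first matching DNS event per unique_pid,
    mirroring `| unique unique_pid` in the analytic."""
    seen_pids = set()
    hits = []
    for event in events:
        if event.get("event_type") != "dns":          # `dns where ...`
            continue
        if not matches_ddns(event.get("query_name", "")):
            continue
        if is_browser(event.get("process_name", "")):
            continue
        pid = event["unique_pid"]
        if pid in seen_pids:                          # already reported
            continue
        seen_pids.add(pid)
        hits.append(event)
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Browser lookup of a DDNS host: excluded by the process_name filter.
    {"event_type": "dns", "process_name": "chrome.exe",
     "unique_pid": "pid-1", "query_name": "update.ddns.net"},
    # Script host querying a DDNS provider twice: reported once (unique_pid).
    {"event_type": "dns", "process_name": "wscript.exe",
     "unique_pid": "pid-2", "query_name": "sync.hopto.org"},
    {"event_type": "dns", "process_name": "wscript.exe",
     "unique_pid": "pid-2", "query_name": "sync2.HOPTO.ORG"},
    # Ordinary system lookup: domain does not match any pattern.
    {"event_type": "dns", "process_name": "svchost.exe",
     "unique_pid": "pid-3", "query_name": "time.windows.com"},
    # Another non-browser process hitting a listed provider: reported.
    {"event_type": "dns", "process_name": "mshta.exe",
     "unique_pid": "pid-4", "query_name": "files.bounceme.net"},
    # Not a DNS event at all: ignored by the event filter.
    {"event_type": "process", "process_name": "mshta.exe",
     "unique_pid": "pid-5", "query_name": "host.ddns.net"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['process_name']} ({hit['unique_pid']}) -> {hit['query_name']}")
```

Running this prints the wscript.exe and mshta.exe events only. Because the suppression is per unique_pid rather than per domain, a single long-lived process that queries many DDNS hosts surfaces once, which keeps alert volume down but means the later query names are only visible in the raw DNS events.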

Contributors