# Non-browser processes making DNS requests to Dynamic DNS Providers

Identifies non-browser processes making DNS requests to Dynamic DNS providers used by GAMAREDON GROUP.

| id | de828f75-33bb-41ab-bc52-92dc2e0ef58b |
|---|---|
| categories | detect |
| confidence | low |
| os | windows |
| created | 02/12/2020 |
| updated | 02/12/2020 |

## MITRE ATT&CK™ Mapping

| tactics | Command and Control |
|---|---|
| techniques | T1071 Standard Application Layer Protocol |
## Query

```eql
dns where wildcard(query_name, "*.ddns.net", "*.hopto.org", "*.bounceme.net") and
  process_name not in ("chrome.exe", "iexplore.exe", "firefox.exe")
| unique unique_pid
```
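To show what the query above does step by step, here is an added Python equivalent (not part of the original rule) that applies the same filters and the `unique unique_pid` pipe to a handful of constructed DNS events; the event field names are assumed to mirror the EQL schema (`event_type`, `process_name`, `query_name`, `unique_pid`).

```python
import fnmatch

# Patterns and browser exclusions taken from the rule on this page
DDNS_PATTERNS = ("*.ddns.net", "*.hopto.org", "*.bounceme.net")
BROWSERS = {"chrome.exe", "iexplore.exe", "firefox.exe"}


def is_ddns_query(query_name: str) -> bool:
    """Case-insensitive wildcard match, like EQL's wildcard() function."""
    name = query_name.lower()
    return any(fnmatch.fnmatchcase(name, p) for p in DDNS_PATTERNS)


def detect(events: list[dict]) -> list[dict]:
    """Apply the rule: dns events, DDNS domain, non-browser process,
    then keep only the first event per unique_pid (the '| unique' pipe)."""
    seen_pids = set()
    hits = []
    for ev in events:
        if ev.get("event_type") != "dns":
            continue  # the rule only looks at the dns event type
        if not is_ddns_query(ev["query_name"]):
            continue  # not one of the listed Dynamic DNS providers
        if ev["process_name"].lower() in BROWSERS:
            continue  # browser traffic is excluded by the rule
        if ev["unique_pid"] in seen_pids:
            continue  # this process instance was already reported
        seen_pids.add(ev["unique_pid"])
        hits.append(ev)
    return hits


# Constructed sample events (assumed field names, not real telemetry)
SAMPLE_EVENTS = [
    {"event_type": "dns", "process_name": "chrome.exe",
     "query_name": "home.ddns.net", "unique_pid": 1},    # browser: excluded
    {"event_type": "dns", "process_name": "powershell.exe",
     "query_name": "host1.hopto.org", "unique_pid": 2},  # hit
    {"event_type": "dns", "process_name": "powershell.exe",
     "query_name": "host2.hopto.org", "unique_pid": 2},  # same pid: deduplicated
    {"event_type": "dns", "process_name": "winword.exe",
     "query_name": "www.example.com", "unique_pid": 3},  # not a DDNS domain
    {"event_type": "dns", "process_name": "svchost.exe",
     "query_name": "ddns.net", "unique_pid": 4},         # bare apex: no "*." match
    {"event_type": "dns", "process_name": "WScript.exe",
     "query_name": "x.bounceme.net", "unique_pid": 5},   # hit
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["process_name"], hit["query_name"], hit["unique_pid"])
```

Note that `*.ddns.net` does not match the bare apex `ddns.net`, exactly as in the EQL `wildcard()` call, so queries for the provider's own domain are not flagged.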