Detection rules › YARA-L
IOC Domain C2
Detect DNS events that indicate communication to a C2 domain in MISP
Event coverage
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 22 | DNSEvent (DNS query) |
Rule body yaral
/*
* Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
rule ioc_domain_C2 {
meta:
author = "Google Cloud Security"
description = "Detect DNS events that indicate communication to a C2 domain in MISP"
rule_id = "mr_cb22c45e-b29d-487f-9cf5-1310bfed6d6c"
rule_name = "IOC Domain C2"
type = "alert"
tags = "threat indicators"
assumption = "Assumes MISP data has been ingested into entity graph; this rule can be modified to utilize other TI indicators"
data_source = "microsoft sysmon"
severity = "High"
priority = "High"
events:
$dns.metadata.event_type = "NETWORK_DNS"
$dns.network.dns.questions.name = $dns_query
// Correlates with MISP data; can be modified based on your MISP parser or other TI
$ioc.graph.metadata.product_name = "MISP"
$ioc.graph.metadata.entity_type = "DOMAIN_NAME"
$ioc.graph.metadata.source_type = "ENTITY_CONTEXT"
//Summary is used to focus on a specific subset of MISP indicators, can modify as needed
$ioc.graph.metadata.threat.summary = "C2 domains"
$ioc.graph.entity.hostname = $dns_query
match:
$dns_query over 5m
outcome:
$risk_score = 85
$event_count = count_distinct($dns.metadata.id)
$network_dns_questions_name = array_distinct($dns.network.dns.questions.name)
$network_dns_answers_data = array_distinct($dns.network.dns.answers.data)
// added to populate alert graph with additional context
$principal_ip = array_distinct($dns.principal.ip)
$target_ip = array_distinct($dns.target.ip)
$principal_process_pid = array_distinct($dns.principal.process.pid)
$principal_process_file_full_path = array_distinct($dns.principal.process.file.full_path)
$principal_process_product_specific_process_id = array_distinct($dns.principal.process.product_specific_process_id)
$principal_user_userid = array_distinct($dns.principal.user.userid)
$principal_process_command_line = array_distinct($dns.principal.process.command_line)
$principal_process_file_sha256 = array_distinct($dns.principal.process.file.sha256)
$principal_process_parent_process_product_specific_process_id = array_distinct($dns.principal.process.parent_process.product_specific_process_id)
condition:
$dns and $ioc
}
Detection logic
Fires when at least one $dns event in the 5m window and $ioc matches entity context.
Events
$dns
$ioc
graph.metadata.product_name = "MISP"graph.metadata.entity_type = "DOMAIN_NAME"graph.metadata.source_type = "ENTITY_CONTEXT"graph.metadata.threat.summary = "C2 domains"
Correlation
Outcome
Fields the detection emits on a match. $risk_score drives alerting; Chronicle surfaces the rest on the detection.
| Field | Expression |
|---|---|
risk_score | 85 |
event_count | count_distinct($dns.metadata.id) |
network_dns_questions_name | array_distinct($dns.network.dns.questions.name) |
network_dns_answers_data | array_distinct($dns.network.dns.answers.data) |
principal_ip | array_distinct($dns.principal.ip) |
target_ip | array_distinct($dns.target.ip) |
principal_process_pid | array_distinct($dns.principal.process.pid) |
principal_process_file_full_path | array_distinct($dns.principal.process.file.full_path) |
principal_process_product_specific_process_id | array_distinct($dns.principal.process.product_specific_process_id) |
principal_user_userid | array_distinct($dns.principal.user.userid) |
principal_process_command_line | array_distinct($dns.principal.process.command_line) |
principal_process_file_sha256 | array_distinct($dns.principal.process.file.sha256) |
principal_process_parent_process_product_specific_process_id | array_distinct($dns.principal.process.parent_process.product_specific_process_id) |