DNS Query to Wildcard DNS Services#5915
Conversation
github-actions
Bot
added
Rules
Review Needed
Mahir-Ali-khan
left a comment
Mahir-Ali-khan
left a comment
There was a problem hiding this comment.
net_dns_wildcard_dns_service
Mahir-Ali-khan
left a comment
Mahir-Ali-khan
left a comment
There was a problem hiding this comment.
removed duplicate tag
|
hello team, did we got time to check this Sigma |
There was a problem hiding this comment.
Hi @Mahir-Ali-khan,
Thanks for the contribution. Before we can proceed with the review, there are a few things that need to be addressed:
-
win_BCP_utility_execution.yml - Please remove this. It's a duplicate of the existing rule Data Export From MSSQL Table Via BCP.EXE (
c615d676-f655-46b9-b913-78729021e5d7). -
dns_query_win_dnslog_pw.yml - Instead of a new rule, it might sense to add these domains to the existing DNS Query to External Service Interaction Domains rule (
aff715fa-4dd5-497a-8db3-910bea555566). Remove both copies of the new file (you have a duplicate underrules/windows/rules/as well). -
net_dns_wildcard_dns_service.yml - This one has potential, but it has multiple convention issues (title, tag casing, date format, field names, etc.). Please study existing rules in the repo, especially similar DNS rules like net_dns_external_service_interaction_domains.yml - and follow their structure closely. Also review the SigmaHQ conventions (filename, title, and rule conventions) to align your rule with the expected format.
-
Make sure all pipelines are green before requesting review.
Please address all of these issues. We are happy to re-review once the updates are in.
swachchhanda000
added
Work In Progress
Mahir-Ali-khan
left a comment
Mahir-Ali-khan
left a comment
There was a problem hiding this comment.
deleted rule
|
necessary changes made kindly check once |
Mahir-Ali-khan
left a comment
Mahir-Ali-khan
left a comment
There was a problem hiding this comment.
changes made
swachchhanda000
removed
Work In Progress
swachchhanda000
changed the title
There was a problem hiding this comment.
Why do we have changes to this file? Should be reverted.
There was a problem hiding this comment.
this is also not resolved. If you want this PR merged you have to engage in the review. Let the reviewer decide if an issues is resolved or not. If something is unclear or you need assistance, please ask.
There was a problem hiding this comment.
this should also be reverted
|
Hello, When this will get merge |
Detects the execution of the bcp utility with 'queryout' or 'out' options in Windows Security Event Log (Event ID 4688). This rule is useful for identifying potential misuse of data copy between an SQL instance to a file
…n_SET-command-abuse.yml
This sigma rule is created to detect the abuse of domain service, when queried with a hostname with an embedded IP address, returns that IP address Detects DNS queries to public wildcard DNS services that resolve subdomains to IP addresses. These services can be abused by attackers for command and control, tunneling, phishing.
changed the title of this sigma
…execution.yml removed duplicate sigma
deleted sigma rule
changes made
Whenever we feel like it :) |
|
Hello, Is there anything required from me ? |
…heatmap Update ATT&CK Heatmap Coverage
…ce-archiver Archive New Rule References
4 participants
Summary of the Pull Request
This sigma rule is created to detect the abuse of domain service, when queried with a hostname with an embedded IP address, returns that IP address
Detects DNS queries to public wildcard DNS services that resolve subdomains to IP addresses. These services can be abused by attackers for command and control, tunneling, phishing.
Changelog
new: DNS Query to Wildcard DNS Services - Network
new: DNS Query to Wildcard DNS Services - Windows
Example Log Event
Fixed Issues
SigmaHQ Rule Creation Conventions