Versions (5)
Version Details (Current)
Rev: 8 • May 31, 2025, 12:00 PM
🐾 - 🔔 Potential DNS Exfiltration 🥷 - T1048
alert dns any any -> any any (msg:"🐾 - 🔔 Potential DNS Exfiltration 🥷 - T1048"; dns_query; flow:to_server, stateless; threshold:type threshold, track by_src, count 10, seconds 30; content:"."; pcre:"/^(?=[a-zA-Z0-9+=]{15,})(?![a-zA-Z0-9+=-]*-)[a-zA-Z0-9+=]{15,}\.[a-zA-Z0-9.]{1,}\.[a-zA-Z]{2,7}$/"; content:!".googleapis.com"; endswith; content:!".azureedge.net"; endswith; content:!".office.com"; endswith; content:!".azure.com"; endswith; content:!".sentry.io"; endswith; reference:url,https://attack.mitre.org/techniques/T1048/; metadata:created_at 2025_05_31, updated_at 2025_09_25, signature_severity Major, attack_target Client_and_Server, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1048, mitre_technique_name Exfiltration_Over_Alternative_Protocol; sid:3321447; rev:8; classtype:trojan-activity;)
May 31, 2025, 12:00 PM
Sep 25, 2025, 12:00 PM
May 31, 2025, 3:51 PM
Sep 25, 2025, 9:37 PM
rules/PAW-PATRULES_LATERAL_MOVEMENT.rules