Rule History

SID: 3321447 • Source: pawpatrules

Version Details

Rev: 7 (May 31, 2025, 12:00 PM)

🐾 - 🔔 Potential DNS Exfiltration 🥷 - T1048

alert dns any any -> any any (msg:"🐾 - 🔔 Potential DNS Exfiltration 🥷 - T1048"; dns_query; flow:to_server, stateless; threshold:type threshold, track by_src, count 10, seconds 30; content:"."; pcre:"/^(?=[a-zA-Z0-9+=]{15,})(?![a-zA-Z0-9+=-]*-)[a-zA-Z0-9+=]{15,}.[a-zA-Z0-9.]{1,}.[a-zA-Z]{2,7}$/"; content:!".googleapis.com"; content:!".azureedge.net"; content:!".office.com"; content:!".azure.com"; endswith; reference:url,https://attack.mitre.org/techniques/T1048/; metadata:created_at 2025_05_31, updated_at 2025_06_20, signature_severity Major, attack_target Client_and_Server, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1048, mitre_technique_name Exfiltration_Over_Alternative_Protocol; sid:3321447; rev:7; classtype:trojan-activity;)

May 31, 2025, 12:00 PM

Jun 20, 2025, 12:00 PM

May 31, 2025, 3:51 PM

Jun 20, 2025, 9:34 AM

Sep 25, 2025, 9:37 PM

PAW-PATRULES_LATERAL_MOVEMENT.rules