Suspicious DNS Lookup and Execution Pattern

Rule Info

Name
Suspicious DNS Lookup and Execution Pattern
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects suspicious command line patterns involving 'nslookup' piped to 'findstr' with a subsequent 'for' loop, which may indicate an attempt to query DNS for second-stage payloads and execute them. This technique can be used by adversaries to leverage DNS as a covert command and control channel, allowing them to retrieve and execute malicious payloads without directly connecting to an external server.
Date
2026-03-16 00:00:00
Modified
None
Id
2cd058f1-9733-452e-a869-c5f09630227e
Tags
attack.command-and-control attack.execution attack.t1059 attack.t1071.004
Type
Nextron Sigma feed only (private)
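The rule logic itself is private, so the following is an added illustration, not the Sigma rule's own detection. It assumes a simple triage check over Windows process-creation CommandLine fields (the regexes and the sample events are constructed here, not taken from the rule):

```python
import re

# Constructed sample process-creation events (e.g. Sysmon Event ID 1 / Security 4688).
# Only the first one shows all three elements named in the rule description:
# nslookup piped into findstr, wrapped in a cmd.exe 'for' loop.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c for /f "delims=" %a in '
                    "('nslookup -type=TXT lookup.example.invalid ^| findstr /i v=') do echo %a"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c nslookup www.example.invalid | findstr Address"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c for /f %i in ('dir /b *.log') do findstr /i error %i"},
    {"Image": r"C:\Windows\System32\nslookup.exe",
     "CommandLine": "nslookup -type=TXT _dmarc.example.invalid"},
]

# nslookup followed, within the same pipeline, by a pipe into findstr.
# The optional '^' covers the escaped pipe used inside a cmd.exe for /f clause.
NSLOOKUP_TO_FINDSTR = re.compile(r"\bnslookup\b[^|]*\^?\|\s*findstr\b", re.IGNORECASE)
# A cmd.exe 'for ... in ( ... ) do ...' loop around the command.
FOR_LOOP = re.compile(r"\bfor\b.*?\bin\s*\(.*?\)\s*do\b", re.IGNORECASE | re.DOTALL)


def is_suspicious(cmdline: str) -> bool:
    """Assumed check: both the nslookup|findstr pipeline and a for loop must be present."""
    return bool(NSLOOKUP_TO_FINDSTR.search(cmdline)) and bool(FOR_LOOP.search(cmdline))


def triage(events):
    """Return the command lines from a batch of events that match the pattern."""
    return [e["CommandLine"] for e in events if is_suspicious(e["CommandLine"])]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("MATCH:", hit)
```

A lone `nslookup | findstr` (second sample) is common in troubleshooting and is deliberately not flagged; the for loop is what turns the lookup result into something that gets executed.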

Rule History