Rule Info
Name
Suspicious DNS Exfiltration via Command Line
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects potential data exfiltration over DNS lookups that carry encoded data, a technique typically used by malicious scripts.
The technique may involve encoding data (e.g., with xxd) and sending it in DNS queries (e.g., with nslookup).
Date
2025-11-21 00:00:00
Modified
None
Id
9bbb442c-1714-4a2d-9c6f-2e7ef3915965
Tags
attack.exfiltration attack.t1041 attack.t1048.003
Type
Nextron Sigma feed only (private)
