IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
Machine Learning Detected DGA activity using a known SUNBURST DNS domain
A supervised machine learning model has identified a DNS question name that is used by the SUNBURST malware and is predicted to be the result of a Domain Generation Algorithm.
Rule type: query
Rule indices:
- logs-endpoint.events.*
- logs-network_traffic.*
Severity: critical
Risk score: 99
Runs every: 5m
Searches indices from: now-10m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Network
- Domain: Endpoint
- Data Source: Elastic Defend
- Use Case: Domain Generation Algorithm Detection
- Rule Type: ML
- Rule Type: Machine Learning
- Tactic: Command and Control
Version: 2
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
ml_is_dga.malicious_prediction:1 and dns.question.registered_domain:avsvmcloud.com
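To show how the two query clauses behave on concrete documents, here is an added Python example (not Elastic's code and not part of the rule) that evaluates the rule query above over constructed ECS-style DNS events, nested and flattened, and caps the result at the rule's maximum of 100 alerts per execution. The sample events, the DNS label `k3p0x9q2m7l`, and the `get_field`, `matches_rule` and `run_rule` names are assumptions made for this example.

```python
"""Evaluate the SUNBURST DGA rule query over sample DNS events (added example)."""
from typing import Any, Dict, Iterable, List, Optional

# The two clauses the rule ANDs together, taken from the page's query.
RULE_DOMAIN = "avsvmcloud.com"
MAX_ALERTS_PER_EXECUTION = 100  # "Maximum alerts per execution: 100" on the page

# Constructed sample events shaped like ECS documents from the rule's indices.
# All values are made up for the example; only avsvmcloud.com comes from the page.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # nested document, DGA-flagged, registered domain is the SUNBURST domain
        "event": {"category": "network"},
        "dns": {"question": {"name": "k3p0x9q2m7l.avsvmcloud.com",
                             "registered_domain": "avsvmcloud.com"}},
        "ml_is_dga": {"malicious_prediction": 1},
    },
    {   # same facts, but the pipeline stored the fields flattened
        "dns.question.name": "k3p0x9q2m7l.avsvmcloud.com",
        "dns.question.registered_domain": "avsvmcloud.com",
        "ml_is_dga.malicious_prediction": 1,
    },
    {   # lookup of the domain that the model did NOT flag as DGA: no alert
        "dns": {"question": {"name": "www.avsvmcloud.com",
                             "registered_domain": "avsvmcloud.com"}},
        "ml_is_dga": {"malicious_prediction": 0},
    },
    {   # DGA-flagged, but a different registered domain: out of this rule's scope
        "dns": {"question": {"name": "zq8w1xk0pl.example.com",
                             "registered_domain": "example.com"}},
        "ml_is_dga": {"malicious_prediction": 1},
    },
    {   # no ML enrichment at all (model not run on this event): no alert
        "dns": {"question": {"name": "k3p0x9q2m7l.avsvmcloud.com",
                             "registered_domain": "avsvmcloud.com"}},
    },
]


def get_field(event: Dict[str, Any], path: str) -> Optional[Any]:
    """Resolve a dotted ECS field path against a document that is either nested
    ({"dns": {"question": {...}}}) or already flattened ({"dns.question.name": ...})."""
    if path in event:
        return event[path]
    node: Any = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def matches_rule(event: Dict[str, Any]) -> bool:
    """True when the event satisfies
    ml_is_dga.malicious_prediction:1 and dns.question.registered_domain:avsvmcloud.com"""
    prediction = get_field(event, "ml_is_dga.malicious_prediction")
    registered = get_field(event, "dns.question.registered_domain")
    # The ML enrichment writes an integer flag; `field:1` is an exact match, so a
    # missing field, a bool, or anything other than the integer 1 does not count.
    if isinstance(prediction, bool) or not isinstance(prediction, int) or prediction != 1:
        return False
    # dns.question.registered_domain is a keyword field: exact, case-sensitive match.
    return isinstance(registered, str) and registered == RULE_DOMAIN


def run_rule(events: Iterable[Dict[str, Any]],
             max_alerts: int = MAX_ALERTS_PER_EXECUTION) -> List[Dict[str, Any]]:
    """Return the events that would raise an alert in one execution, capped like the rule."""
    alerts: List[Dict[str, Any]] = []
    for event in events:
        if matches_rule(event):
            alerts.append(event)
            if len(alerts) >= max_alerts:
                break
    return alerts


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print("ALERT:", get_field(alert, "dns.question.name"))
```

The third sample event is the caveat worth noticing: the rule only fires when both clauses hold, so a query for the SUNBURST domain that the DGA model did not flag produces no alert from this rule and would need separate coverage.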
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Command and Control
  - ID: TA0011
  - Reference URL: https://attack.mitre.org/tactics/TA0011/
- Technique:
  - Name: Dynamic Resolution
  - ID: T1568
  - Reference URL: https://attack.mitre.org/techniques/T1568/
- Sub-technique:
  - Name: Domain Generation Algorithms
  - ID: T1568.002
  - Reference URL: https://attack.mitre.org/techniques/T1568/002/