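# Microsoft Sentinel scheduled analytics rule (Google Cloud DNS).
#
# Scope note: this rule does not observe CVE-2021-40444 exploitation itself.
# It matches Google Cloud DNS query logs against domains publicly reported as
# infrastructure used in the CVE-2021-40444 (MSHTML) campaign. A hit means a
# host in the logged VPC resolved one of those names, i.e. a delivery /
# command-and-control signal after the document has already been opened, not
# proof that exploitation succeeded.
id: 6758c671-e9ee-495d-b6b0-92ffd08a8c3b
name: Google DNS - CVE-2021-40444 exploitation
# The original description was a single-quoted sentence inside a block scalar,
# so the quotes became part of the text; it also overstated what is detected.
description: |
  Detects Google Cloud DNS queries for domains associated with the
  CVE-2021-40444 (MSHTML) exploitation campaign. A match means a host resolved
  one of the listed domains; it does not by itself confirm successful
  exploitation. Triage the source IP for document downloads and follow-on
  activity.
severity: High
requiredDataConnectors:
  - connectorId: GCPDNSDataConnector
    dataTypes:
      - GCPCloudDNS
# queryPeriod equals queryFrequency, so consecutive runs tile the timeline
# without gaps or overlap.
queryFrequency: 15m
queryPeriod: 15m
# Any matching row raises an alert (result count > 0).
triggerOperator: gt
triggerThreshold: 0
# The observable is a DNS lookup of attacker-controlled infrastructure, which
# maps to Command and Control over DNS (T1071.004). The original tagging of
# PrivilegeEscalation / T1068 (Exploitation for Privilege Escalation) does not
# describe this signal: CVE-2021-40444 is an MSHTML remote code execution flaw
# used for initial delivery, and this rule sees only the resulting DNS traffic.
tactics:
  - CommandAndControl
relevantTechniques:
  - T1071.004
query: |
  // Static indicator list: these domains may be taken down or sinkholed over
  // time, so the rule will age out and the list needs periodic review.
  // `has_any` is term-based rather than substring-based, so it should also
  // match subdomains of the listed names (e.g. a constructed "cdn.hidusi.com")
  // but not arbitrary substrings -- confirm against the KQL `has` semantics.
  GCPCloudDNS
  | where Query has_any ('hidusi.com', 'dodefoh.com', 'joxinu.com')
  | extend DNSCustomEntity = Query, IPCustomEntity = SrcIpAddr
entityMappings:
  - entityType: DNS
    fieldMappings:
      - identifier: DomainName
        columnName: DNSCustomEntity
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
version: 1.0.0
kind: Scheduled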