33 строки
835 B
YAML
Executable File
33 строки
835 B
YAML
Executable File
id: 6758c671-e9ee-495d-b6b0-92ffd08a8c3b
|
|
name: Google DNS - CVE-2021-40444 exploitation
|
|
description: |
|
|
'Detects CVE-2021-40444 exploitation.'
|
|
severity: High
|
|
requiredDataConnectors:
|
|
- connectorId: GCPDNSDataConnector
|
|
dataTypes:
|
|
- GCPCloudDNS
|
|
queryFrequency: 15m
|
|
queryPeriod: 15m
|
|
triggerOperator: gt
|
|
triggerThreshold: 0
|
|
tactics:
|
|
- PrivilegeEscalation
|
|
relevantTechniques:
|
|
- T1068
|
|
query: |
|
|
GCPCloudDNS
|
|
| where Query has_any ('hidusi.com', 'dodefoh.com', 'joxinu.com')
|
|
| extend DNSCustomEntity = Query, IPCustomEntity = SrcIpAddr
|
|
entityMappings:
|
|
- entityType: DNS
|
|
fieldMappings:
|
|
- identifier: DomainName
|
|
columnName: DNSCustomEntity
|
|
- entityType: IP
|
|
fieldMappings:
|
|
- identifier: Address
|
|
columnName: IPCustomEntity
|
|
version: 1.0.0
|
|
kind: Scheduled
|