Threat Hunting Rules: Possible C2 Connection via DoH

It’s been a year since the first malware timidly exploited DNS-over-HTTPS (DoH) to retrieve the IPs for the command-and-control infrastructure. Security researchers had already warned that this could be a serious problem and started to look for a solution that would help detect such malicious traffic. More and more malware has been switching to DoH traffic because this protocol can be used by Chrome and Opera, and Mozilla has already enabled this feature by default for US users.

And now it is known that the Iranian APT group uses this protocol in cyber espionage campaigns since May 2020. Oilrig group (aka APT34 or Helix Kitten) operates for about six years and security researchers are regularly finding new tools related to this APT group. In recent attacks, they used a new tool dubbed DNSExfiltrator during intrusions into compromised networks. The tool can transfer data between two points using DNS-over-HTTPS protocol and Oilrig uses it to move data laterally across internal networks and then exfiltrate it to an outside point. 

New exclusive Sigma rule developed by Roman Ranskyi enables security solutions to uncover possible C2 connection via DoH protocol:


The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio

EDR: Carbon Black, Elastic Endpoint

NTA: Corelight



Tactics: Command and Control

Techniques: Commonly Used Port (T1043), Standard Application Layer Protocol (T1071)

Ready to try out SOC Prime TDM? Sign up for free. Or join Threat Bounty Program to craft your own content and share it with the TDM community.

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts