It is always DNS (PowerShell Edition)
For those following along with ATT&CK, this entry covers Application Layer Protocol: DNS (Command and Control, T1071; DNS is now tracked as the sub-technique T1071.004) and PowerShell (Execution, T1086 at the time of writing, since folded into T1059.001).
The dnscat2 PowerShell client does not speak DNS itself: PowerShell shells out to nslookup.exe for every query to the server side of DNScat2 and executes the commands issued back through that shell. Every one of those lookups is a child process of powershell.exe, so with process creation auditing enabled (Security event 4688) the parent/child pair is logged and we can hunt for it. One caveat: 4688 only carries Creator_Process_Name on Windows 10 / Server 2016 and later, and only when Audit Process Creation is turned on. Start broad and list everything PowerShell has spawned:
index=win10 sourcetype="wineventlog:security" EventCode=4688 Creator_Process_Name=C:\\Windows\\*\\WindowsPowerShell\\*\\powershell.exe| stats count(New_Process_Name) AS Count values(New_Process_Name) AS Processes BY Account_Name Creator_Process_Name
Our results will look like this:
We can look specifically for calls to nslookup by PowerShell and count the events with this SPL:
index=win10 sourcetype="wineventlog:security" EventCode=4688 Creator_Process_Name=C:\\Windows\\*\\WindowsPowerShell\\*\\powershell.exe New_Process_Name=*nslookup.exe| stats count(New_Process_Name) AS Count values(New_Process_Name) AS Processes BY Account_Name Creator_Process_Name
Our results will look something like this: thousands of nslookup.exe processes spawned by PowerShell, far more than any interactive use of the shell would produce:
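To make the two searches above testable without a Splunk instance, here is an added example (not code from the original post or from dnscat2) that re-implements the same aggregation in Python over a handful of constructed 4688 events. The field names (EventCode, Account_Name, Creator_Process_Name, New_Process_Name) follow the Splunk Windows TA extractions used in the searches; the sample events, account names and the alert threshold in flag_dns_beacons are assumptions made up for the example.

```python
"""Detection logic from the post, run offline over constructed 4688 events.

Re-implements the two Splunk searches (all children of powershell.exe, then
nslookup.exe children only) as plain Python so the aggregation can be tested
without Splunk. Field names follow the Splunk Windows TA extractions for
EventCode 4688. The sample events, accounts and threshold are made up.
"""
from collections import defaultdict
from fnmatch import fnmatchcase

# Literal form of the SPL pattern C:\\Windows\\*\\WindowsPowerShell\\*\\powershell.exe
# (SPL needs the doubled backslashes, a Python raw string does not).
POWERSHELL_GLOB = r"c:\windows\*\windowspowershell\*\powershell.exe"

PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS_PATH_X86 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"


def _event(account, creator, new_process):
    """Minimal stand-in for one extracted 4688 event."""
    return {"EventCode": 4688, "Account_Name": account,
            "Creator_Process_Name": creator, "New_Process_Name": new_process}


# Constructed sample data, not real logs: one interactive admin session and one
# session that behaves like the dnscat2 PowerShell client hammering nslookup.exe.
SAMPLE_EVENTS = (
    [_event("admin", PS_PATH, r"C:\Windows\System32\whoami.exe"),
     _event("admin", PS_PATH, r"C:\Windows\System32\ipconfig.exe"),
     _event("admin", PS_PATH, r"C:\Windows\System32\nslookup.exe"),
     # explorer.exe launching cmd.exe must not match the creator filter
     _event("admin", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe")]
    # a DNS C2 beacon: one nslookup.exe per poll, from a 32-bit PowerShell
    + [_event("svc_backup", PS_PATH_X86, r"C:\Windows\SysWOW64\nslookup.exe")
       for _ in range(250)]
)


def _glob(pattern, value):
    """Case-insensitive wildcard match, approximating SPL's '*' on field values."""
    return fnmatchcase(value.lower(), pattern.lower())


def stats_by_creator(events, child_glob="*"):
    """Mirror of `stats count(New_Process_Name) AS Count values(New_Process_Name)
    AS Processes BY Account_Name Creator_Process_Name`, restricted to 4688 events
    whose creator is powershell.exe and whose new process matches child_glob."""
    groups = defaultdict(lambda: {"Count": 0, "Processes": set()})
    for ev in events:
        if ev.get("EventCode") != 4688:
            continue
        if not _glob(POWERSHELL_GLOB, ev["Creator_Process_Name"]):
            continue
        if not _glob(child_glob, ev["New_Process_Name"]):
            continue
        key = (ev["Account_Name"], ev["Creator_Process_Name"])
        groups[key]["Count"] += 1
        groups[key]["Processes"].add(ev["New_Process_Name"])
    # SPL's values() is a deduplicated, sorted list
    return {k: {"Count": v["Count"], "Processes": sorted(v["Processes"])}
            for k, v in groups.items()}


def nslookup_spawns(events):
    """The second search: only nslookup.exe children of powershell.exe."""
    return stats_by_creator(events, child_glob="*nslookup.exe")


def flag_dns_beacons(events, threshold=50):
    """(Account_Name, Creator_Process_Name) pairs whose nslookup.exe spawn
    count reaches the threshold. The threshold is an assumption for this
    example: an analyst resolving a few names by hand never gets near it, a
    DNS C2 client polling every second passes it in under a minute. Baseline
    your own environment before alerting on it."""
    return sorted(key for key, row in nslookup_spawns(events).items()
                  if row["Count"] >= threshold)


if __name__ == "__main__":
    for (account, creator), row in stats_by_creator(SAMPLE_EVENTS).items():
        print(account, creator, row["Count"], row["Processes"])
    print("suspected DNS C2:", flag_dns_beacons(SAMPLE_EVENTS))
```

The broad search is useful for seeing what PowerShell normally spawns in your environment; the narrow one plus a count threshold is what you would actually alert on, since a single nslookup.exe launched from PowerShell is routine while hundreds per session from one parent is the signature of a DNS tunnel.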