Ioc1.ic1 «2024»

rule IOC1_IC1_Config strings: $c2 = "ioc1.ic1" ascii wide nocase condition: $c2

index=dns query="ioc1.ic1" | stats count by src_ip, query_type, response (for SIEM): ioc1.ic1

title: Suspicious DNS Request to IOC1.IC1 status: experimental logsource: product: windows service: dns-client detection: selection: QueryName|contains: 'ioc1.ic1' condition: selection (for malware config extraction): rule IOC1_IC1_Config strings: $c2 = "ioc1