Ioc1.ic1
Sigma rule (Windows DNS client log source):

    title: Suspicious DNS Request to IOC1.IC1
    status: experimental
    logsource:
        product: windows
        service: dns-client
    detection:
        selection:
            QueryName|contains: 'ioc1.ic1'
        condition: selection

Splunk search (for SIEM):

    index=dns query="ioc1.ic1" | stats count by src_ip, query_type, response

YARA rule (for malware config extraction):

    rule IOC1_IC1_Config
    {
        strings:
            $c2 = "ioc1.ic1" ascii wide nocase
        condition:
            $c2
    }