DNS Request to Suspicious Top Level Domain
This rule detects DNS queries to commonly abused top level domains. Malware authors may use these domains to host command and control infrastructure, exfiltrate data, or to download payloads for later execution.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2026/07/02"
3integration = ["endpoint"]
4maturity = "production"
5min_stack_version = "9.3.0"
6min_stack_comments = "DNS for Linux support was introduced in 9.3.0"
7updated_date = "2026/07/02"
8
9[rule]
10author = ["Elastic"]
11description = """
12This rule detects DNS queries to commonly abused top level domains. Malware authors may use these
13domains to host command and control infrastructure, exfiltrate data, or to download payloads
14for later execution.
15"""
16from = "now-9m"
17index = ["logs-endpoint.events.network-*"]
18language = "eql"
19license = "Elastic License v2"
20name = "DNS Request to Suspicious Top Level Domain"
21risk_score = 21
22rule_id = "44a2de72-fe41-4558-b7ec-3e42de5f0432"
23severity = "low"
24tags = [
25 "Domain: Endpoint",
26 "Domain: Network",
27 "OS: Linux",
28 "Use Case: Threat Detection",
29 "Tactic: Command and Control",
30 "Tactic: Exfiltration",
31 "Data Source: Elastic Defend",
32]
33timestamp_override = "event.ingested"
34type = "eql"
35query = '''
36network where host.os.type == "linux" and dns.question.name != null and process.name != null and
37dns.question.name like~ (
38 "*.forum", "*.pro", "*.team", "*.lol", "*.kr", "*.ke", "*.nu", "*.space", "*.capital", "*.in", "*.cfd", "*.online",
39 "*.ru", "*.info", "*.top", "*.buzz", "*.xyz", "*.rest", "*.ml", "*.cf", "*.gq", "*.ga", "*.onion", "*.network",
40 "*.monster", "*.marketing", "*.cyou", "*.quest", "*.cc", "*.bar", "*.click", "*.cam", "*.surf", "*.tk", "*.shop",
41 "*.club", "*.icu", "*.pw", "*.ws", "*.fun", "*.life", "*.boats", "*.store", "*.hair", "*.mom",
42 "*.beauty", "*.bond", "*.biz", "*.live", "*.zone"
43)
44'''
45
46[[rule.threat]]
47framework = "MITRE ATT&CK"
48
49[[rule.threat.technique]]
50id = "T1071"
51name = "Application Layer Protocol"
52reference = "https://attack.mitre.org/techniques/T1071/"
53
54[[rule.threat.technique.subtechnique]]
55id = "T1071.004"
56name = "DNS"
57reference = "https://attack.mitre.org/techniques/T1071/004/"
58
59[[rule.threat.technique]]
60id = "T1090"
61name = "Proxy"
62reference = "https://attack.mitre.org/techniques/T1090/"
63
64[[rule.threat.technique.subtechnique]]
65id = "T1090.002"
66name = "External Proxy"
67reference = "https://attack.mitre.org/techniques/T1090/002/"
68
69[[rule.threat.technique]]
70id = "T1102"
71name = "Web Service"
72reference = "https://attack.mitre.org/techniques/T1102/"
73
74[[rule.threat.technique.subtechnique]]
75id = "T1102.001"
76name = "Dead Drop Resolver"
77reference = "https://attack.mitre.org/techniques/T1102/001/"
78
79[[rule.threat.technique.subtechnique]]
80id = "T1102.002"
81name = "Bidirectional Communication"
82reference = "https://attack.mitre.org/techniques/T1102/002/"
83
84[[rule.threat.technique]]
85id = "T1568"
86name = "Dynamic Resolution"
87reference = "https://attack.mitre.org/techniques/T1568/"
88
89[[rule.threat.technique.subtechnique]]
90id = "T1568.002"
91name = "Domain Generation Algorithms"
92reference = "https://attack.mitre.org/techniques/T1568/002/"
93
94[rule.threat.tactic]
95id = "TA0011"
96name = "Command and Control"
97reference = "https://attack.mitre.org/tactics/TA0011/"
98
99[[rule.threat]]
100framework = "MITRE ATT&CK"
101
102[[rule.threat.technique]]
103id = "T1567"
104name = "Exfiltration Over Web Service"
105reference = "https://attack.mitre.org/techniques/T1567/"
106
107[[rule.threat.technique.subtechnique]]
108id = "T1567.001"
109name = "Exfiltration to Code Repository"
110reference = "https://attack.mitre.org/techniques/T1567/001/"
111
112[[rule.threat.technique.subtechnique]]
113id = "T1567.002"
114name = "Exfiltration to Cloud Storage"
115reference = "https://attack.mitre.org/techniques/T1567/002/"
116
117[[rule.threat.technique.subtechnique]]
118id = "T1567.003"
119name = "Exfiltration to Text Storage Sites"
120reference = "https://attack.mitre.org/techniques/T1567/003/"
121
122[rule.threat.tactic]
123id = "TA0010"
124name = "Exfiltration"
125reference = "https://attack.mitre.org/tactics/TA0010/"
Related rules
- Suricata and Elastic Defend Network Correlation
- Curl or Wget Egress Network Connection via LoLBin
- Payload Downloaded by Interpreter and Piped to Interpreter
- Shell Execution via Elastic Endpoint
- Network Connection Followed by File Creation