DNS Request to Suspicious Top Level Domain

This rule detects DNS queries to commonly abused top level domains. Malware authors may use these domains to host command and control infrastructure, exfiltrate data, or to download payloads for later execution.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2026/07/02"
  3integration = ["endpoint"]
  4maturity = "production"
  5min_stack_version = "9.3.0"
  6min_stack_comments = "DNS for Linux support was introduced in 9.3.0"
  7updated_date = "2026/07/02"
  8
  9[rule]
 10author = ["Elastic"]
 11description = """
 12This rule detects DNS queries to commonly abused top level domains. Malware authors may use these
 13domains to host command and control infrastructure, exfiltrate data, or to download payloads
 14for later execution.
 15"""
 16from = "now-9m"
 17index = ["logs-endpoint.events.network-*"]
 18language = "eql"
 19license = "Elastic License v2"
 20name = "DNS Request to Suspicious Top Level Domain"
 21risk_score = 21
 22rule_id = "44a2de72-fe41-4558-b7ec-3e42de5f0432"
 23severity = "low"
 24tags = [
 25    "Domain: Endpoint",
 26    "Domain: Network",
 27    "OS: Linux",
 28    "Use Case: Threat Detection",
 29    "Tactic: Command and Control",
 30    "Tactic: Exfiltration",
 31    "Data Source: Elastic Defend",
 32]
 33timestamp_override = "event.ingested"
 34type = "eql"
 35query = '''
 36network where host.os.type == "linux" and dns.question.name != null and process.name != null and
 37dns.question.name like~ (
 38  "*.forum", "*.pro", "*.team", "*.lol", "*.kr", "*.ke", "*.nu", "*.space", "*.capital", "*.in", "*.cfd", "*.online",
 39  "*.ru", "*.info", "*.top", "*.buzz", "*.xyz", "*.rest", "*.ml", "*.cf", "*.gq", "*.ga", "*.onion", "*.network",
 40  "*.monster", "*.marketing", "*.cyou", "*.quest", "*.cc", "*.bar", "*.click", "*.cam", "*.surf", "*.tk", "*.shop",
 41  "*.club", "*.icu", "*.pw", "*.ws", "*.fun", "*.life", "*.boats", "*.store", "*.hair", "*.mom",
 42  "*.beauty", "*.bond", "*.biz", "*.live", "*.zone"
 43)
 44'''
 45
 46[[rule.threat]]
 47framework = "MITRE ATT&CK"
 48
 49[[rule.threat.technique]]
 50id = "T1071"
 51name = "Application Layer Protocol"
 52reference = "https://attack.mitre.org/techniques/T1071/"
 53
 54[[rule.threat.technique.subtechnique]]
 55id = "T1071.004"
 56name = "DNS"
 57reference = "https://attack.mitre.org/techniques/T1071/004/"
 58
 59[[rule.threat.technique]]
 60id = "T1090"
 61name = "Proxy"
 62reference = "https://attack.mitre.org/techniques/T1090/"
 63
 64[[rule.threat.technique.subtechnique]]
 65id = "T1090.002"
 66name = "External Proxy"
 67reference = "https://attack.mitre.org/techniques/T1090/002/"
 68
 69[[rule.threat.technique]]
 70id = "T1102"
 71name = "Web Service"
 72reference = "https://attack.mitre.org/techniques/T1102/"
 73
 74[[rule.threat.technique.subtechnique]]
 75id = "T1102.001"
 76name = "Dead Drop Resolver"
 77reference = "https://attack.mitre.org/techniques/T1102/001/"
 78
 79[[rule.threat.technique.subtechnique]]
 80id = "T1102.002"
 81name = "Bidirectional Communication"
 82reference = "https://attack.mitre.org/techniques/T1102/002/"
 83
 84[[rule.threat.technique]]
 85id = "T1568"
 86name = "Dynamic Resolution"
 87reference = "https://attack.mitre.org/techniques/T1568/"
 88
 89[[rule.threat.technique.subtechnique]]
 90id = "T1568.002"
 91name = "Domain Generation Algorithms"
 92reference = "https://attack.mitre.org/techniques/T1568/002/"
 93
 94[rule.threat.tactic]
 95id = "TA0011"
 96name = "Command and Control"
 97reference = "https://attack.mitre.org/tactics/TA0011/"
 98
 99[[rule.threat]]
100framework = "MITRE ATT&CK"
101
102[[rule.threat.technique]]
103id = "T1567"
104name = "Exfiltration Over Web Service"
105reference = "https://attack.mitre.org/techniques/T1567/"
106
107[[rule.threat.technique.subtechnique]]
108id = "T1567.001"
109name = "Exfiltration to Code Repository"
110reference = "https://attack.mitre.org/techniques/T1567/001/"
111
112[[rule.threat.technique.subtechnique]]
113id = "T1567.002"
114name = "Exfiltration to Cloud Storage"
115reference = "https://attack.mitre.org/techniques/T1567/002/"
116
117[[rule.threat.technique.subtechnique]]
118id = "T1567.003"
119name = "Exfiltration to Text Storage Sites"
120reference = "https://attack.mitre.org/techniques/T1567/003/"
121
122[rule.threat.tactic]
123id = "TA0010"
124name = "Exfiltration"
125reference = "https://attack.mitre.org/tactics/TA0010/"

Related rules

to-top