DNS Query to External Service Interaction Domains
Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE
Sigma rule
title: DNS Query to External Service Interaction Domains
id: aff715fa-4dd5-497a-8db3-910bea555566
status: test
description: Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE
references:
    - https://twitter.com/breakersall/status/1533493587828260866
author: Florian Roth (Nextron Systems), Matt Kelly (list of domains)
date: 2022-06-07
tags:
    - attack.initial-access
    - attack.t1190
    - attack.reconnaissance
    - attack.t1595.002
logsource:
    category: dns
detection:
    selection:
        query|contains:
            - '.interact.sh'
            - '.oast.pro'
            - '.oast.live'
            - '.oast.site'
            - '.oast.online'
            - '.oast.fun'
            - '.oast.me'
            - '.burpcollaborator.net'
            - '.oastify.com'
            - '.canarytokens.com'
            - '.requestbin.net'
            - '.dnslog.cn'
    condition: selection
falsepositives:
    - Unknown
level: high
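As an added example (not part of the Sigma project or of this rule), the rule's `query|contains` selection applied to constructed DNS log records; the JSON record layout and the field names `src_ip` and `query` are assumptions, and Sigma's default case-insensitive matching is reproduced by lowercasing the query.

```python
import json

# Suffixes copied from the rule's detection.selection.query|contains list.
# The leading dot means a query must be a subdomain of the service, so the
# bare apex or a lookalike such as "oastify.com.intranet.example" is not a hit.
OAST_DOMAINS = [
    ".interact.sh", ".oast.pro", ".oast.live", ".oast.site", ".oast.online",
    ".oast.fun", ".oast.me", ".burpcollaborator.net", ".oastify.com",
    ".canarytokens.com", ".requestbin.net", ".dnslog.cn",
]


def matches_rule(query: str) -> bool:
    """Sigma 'contains' is a case-insensitive substring match."""
    q = query.lower()
    return any(suffix in q for suffix in OAST_DOMAINS)


# Constructed sample DNS log, one JSON record per line (assumed format).
SAMPLE_LOG = """
{"ts": "2024-05-01T10:00:00Z", "src_ip": "10.0.0.5", "query": "www.example.com"}
{"ts": "2024-05-01T10:00:03Z", "src_ip": "10.0.0.7", "query": "c3f9a1kq2.oast.fun"}
{"ts": "2024-05-01T10:00:04Z", "src_ip": "10.0.0.9", "query": "xyz123.Burpcollaborator.NET"}
{"ts": "2024-05-01T10:00:06Z", "src_ip": "10.0.0.5", "query": "oastify.com.intranet.example"}
{"ts": "2024-05-01T10:00:09Z", "src_ip": "10.0.0.11", "query": "abc.dnslog.cn"}
"""


def detect(log_text: str) -> list[tuple[str, str]]:
    """Return (src_ip, query) for every record the rule would alert on."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if matches_rule(record["query"]):
            hits.append((record["src_ip"], record["query"]))
    return hits


if __name__ == "__main__":
    for src_ip, query in detect(SAMPLE_LOG):
        print(f"ALERT level=high src={src_ip} query={query}")
```

The second hit shows why the case-insensitive comparison matters: the queried name is mixed case, but the rule still fires.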
Related rules
- ADSelfService Exploitation
- Apache Spark Shell Command Injection - ProcessCreation
- Apache Spark Shell Command Injection - Weblogs
- Apache Threading Error
- Arcadyan Router Exploitations