DNS Query to External Service Interaction Domains

 1title: DNS Query to External Service Interaction Domains
 2id: aff715fa-4dd5-497a-8db3-910bea555566
 3status: test
 4description: |
 5        Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE
 6references:
 7    - https://twitter.com/breakersall/status/1533493587828260866
 8    - https://www.bitdefender.com/en-us/blog/businessinsights/bitdefender-advisory-critical-unauthenticated-rce-windows-server-update-services-cve-2025-59287
 9    - https://github.com/SigmaHQ/sigma/pull/5724#issuecomment-3466382234
10author: Florian Roth (Nextron Systems), Matt Kelly (list of domains)
11date: 2022-06-07
12modified: 2025-11-22
13tags:
14    - attack.initial-access
15    - attack.t1190
16    - attack.reconnaissance
17    - attack.t1595.002
18logsource:
19    category: dns
20detection:
21    selection:
22        query|contains:
23            - '.burpcollaborator.net'
24            - '.canarytokens.com'
25            - '.ceye.io'
26            - '.ddns.1443.eu.org' # dig.pm
27            - '.ddns.bypass.eu.org' # dig.pm
28            - '.ddns.xn--gg8h.eu.org' # dig.pm
29            - '.dns.su18.org' # javaweb.org
30            - '.dnshook.site' # webhook.site
31            - '.dnslog.cn'
32            - '.dnslog.ink' # dnslog.ink
33            - '.interact.sh'
34            - '.log.dnslog.pp.ua' # dnslog.org
35            - '.log.dnslog.qzz.io' # dnslog.org
36            - '.log.dnslogs.dpdns.org' # dnslog.org
37            - '.log.javaweb.org' # javaweb.org
38            - '.log.nat.cloudns.ph' # dnslog.org
39            - '.oast.fun'
40            - '.oast.live'
41            - '.oast.me'
42            - '.oast.online'
43            - '.oast.pro'
44            - '.oast.site'
45            - '.oastify.com'
46            - '.p8.lol' # javaweb.org
47            - '.requestbin.net'
48    filter_main_polling:
49        query|contains: 'polling.oastify.com'
50    condition: selection and not 1 of filter_main_*
51falsepositives:
52    - Legitimate security scanning.
53level: high

References

• 

  Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.

  
  Read More

• Technical Advisory: Critical Unauthenticated RCE in Windows Server Update Services (WSUS) - CVE-2025-59287

  

  TL;DR Our telemetry indicates an active exploitation campaign targeting vulnerable Windows Server Update Services (WSUS) systems via CVE-2025-59287 (CVSS 9.

  
  Read More

• Update: DNS Query to External Service Interaction Domains - additional domains and filter by darses · Pull Request #5724 · SigmaHQ/sigma

  

  Summary of the Pull Request Add dig.pm, ceye.io and dnshooks.site domains Exclude polling domain oastify Mention legitimate security tooling as false positive Add modified date Changelog Update...

  
  Read More

Related rules

• CVE-2020-0688 Exchange Exploitation via Web Log
• CVE-2020-5902 F5 BIG-IP Exploitation Attempt
• CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
• Cisco ASA FTD Exploit CVE-2020-3452
• Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195