DNS Query to External Service Interaction Domains

 1title: DNS Query to External Service Interaction Domains
 2id: aff715fa-4dd5-497a-8db3-910bea555566
 3status: test
 4description: |
 5        Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE
 6references:
 7    - https://twitter.com/breakersall/status/1533493587828260866
 8    - https://www.bitdefender.com/en-us/blog/businessinsights/bitdefender-advisory-critical-unauthenticated-rce-windows-server-update-services-cve-2025-59287
 9    - https://github.com/SigmaHQ/sigma/pull/5724#issuecomment-3466382234
10author: Florian Roth (Nextron Systems), Matt Kelly (list of domains)
11date: 2022-06-07
12modified: 2026-01-24
13tags:
14    - attack.initial-access
15    - attack.t1190
16    - attack.reconnaissance
17    - attack.t1595.002
18logsource:
19    category: dns
20detection:
21    selection:
22        query|endswith:
23            - '.burpcollaborator.net' # Portswigger Burpsuite Collaborator
24            - '.canarytokens.com' # Thinkst Canary Canarytokens
25            - '.ceye.io'
26            - '.ddns.1443.eu.org' # dig.pm
27            - '.ddns.bypass.eu.org' # dig.pm
28            - '.ddns.xn--gg8h.eu.org' # dig.pm
29            - '.digimg.store' # dnslog.ink
30            - '.dns.su18.org' # javaweb.org
31            - '.dnshook.site' # webhook.site
32            - '.dnslog.cn'
33            - '.dnslog.ink' # dnslog.ink
34            - '.instances.httpworkbench.com' # httpworkbench.com
35            - '.interact.sh' # Project Discovery Interactsh
36            - '.log.dnslog.pp.ua' # dnslog.org
37            - '.log.dnslog.qzz.io' # dnslog.org
38            - '.log.dnslogs.dpdns.org' # dnslog.org
39            - '.log.javaweb.org' # javaweb.org
40            - '.log.nat.cloudns.ph' # dnslog.org
41            - '.oast.fun' # Project Discovery Interactsh
42            - '.oast.live' # Project Discovery Interactsh
43            - '.oast.me' # Project Discovery Interactsh
44            - '.oast.online' # Project Discovery Interactsh
45            - '.oast.pro' # Project Discovery Interactsh
46            - '.oast.site' # Project Discovery Interactsh
47            - '.oastify.com' # Portswigger Burpsuite Collaborator
48            - '.p8.lol' # javaweb.org
49            - '.requestbin.net'
50    filter_main_polling:
51        query|contains: 'polling.oastify.com'
52    condition: selection and not 1 of filter_main_*
53falsepositives:
54    - Legitimate security scanning.
55level: high

References

• 

  Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.

  
  Read More

• Technical Advisory: Critical Unauthenticated RCE in Windows Server Update Services (WSUS) - CVE-2025-59287

  

  TL;DR Our telemetry indicates an active exploitation campaign targeting vulnerable Windows Server Update Services (WSUS) systems via CVE-2025-59287 (CVSS 9.

  
  Read More

• Update: DNS Query to External Service Interaction Domains - additional domains and filter by darses · Pull Request #5724 · SigmaHQ/sigma

  

  Summary of the Pull Request Add dig.pm, ceye.io and dnshooks.site domains Exclude polling domain oastify Mention legitimate security tooling as false positive Add modified date Changelog Update...

  
  Read More

Related rules

• Linux Suspicious Child Process from Node.js - React2Shell
• Windows Suspicious Child Process from Node.js - React2Shell
• CVE-2020-0688 Exchange Exploitation via Web Log
• CVE-2020-5902 F5 BIG-IP Exploitation Attempt
• CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit