Large domain name request

Detects large DNS domain names

Sigma rule

```yaml
title: Large domain name request
id: 14aa0d9e-c70a-4a49-bdc1-e5cbc4fc6af7
description: Detects large DNS domain names
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/21
modified: 2019/11/04
tags:
    - attack.exfiltration
    - attack.t1048
logsource:
    category: dns
detection:
    selection:
        query_length: "> 70"              # IS MORE THAN 70 bytes
    default_list_of_well_known_domains:
        query_etld_plus_one:
            - "akadns.net"
            - "akamaiedge.net"
            - "amazonaws.com"
            - "apple.com"
            - "apple-dns.net"
            - "cloudfront.net"
            - "icloud.com"
            - "in-addr.arpa"
            - "google.com"
            - "yahoo.com"
            - "dropbox.com"
            - "windowsupdate.com"
            - "microsoftonline.com"
            - "s-microsoft.com"
            - "office365.com"
            - "linkedin.com"
    condition: selection and not default_list_of_well_known_domains
falsepositives:
    - Legitimate domain name requested, which should be added to whitelist
level: high
status: unsupported
```
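
The rule's condition (query longer than 70 bytes, unless its eTLD+1 is on the allow-list) applied to a few constructed DNS log records, as an added example that is not part of the Sigma rule or the Sigma project. It assumes records are dicts with a `query` field and approximates eTLD+1 as the last two labels; a real pipeline should derive `query_etld_plus_one` from the Public Suffix List, since the two-label shortcut is wrong for suffixes such as `co.uk`.

```python
# Added example: evaluates this Sigma rule's logic over sample DNS query records.
# Assumptions: each record is a dict with a "query" key; eTLD+1 is approximated
# as the last two labels (a real deployment should use the Public Suffix List).

QUERY_LENGTH_THRESHOLD = 70  # rule: query_length "> 70"

# Allow-list copied from the rule's default_list_of_well_known_domains
WELL_KNOWN_ETLD_PLUS_ONE = {
    "akadns.net", "akamaiedge.net", "amazonaws.com", "apple.com",
    "apple-dns.net", "cloudfront.net", "icloud.com", "in-addr.arpa",
    "google.com", "yahoo.com", "dropbox.com", "windowsupdate.com",
    "microsoftonline.com", "s-microsoft.com", "office365.com", "linkedin.com",
}


def etld_plus_one(query: str) -> str:
    """Approximate eTLD+1 as the last two labels (assumption, see lead-in)."""
    labels = query.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def matches_rule(query: str) -> bool:
    """True when 'selection and not default_list_of_well_known_domains' holds."""
    name = query.rstrip(".")
    if len(name) <= QUERY_LENGTH_THRESHOLD:   # selection: query_length > 70
        return False
    return etld_plus_one(name) not in WELL_KNOWN_ETLD_PLUS_ONE


def scan(records):
    """Return the query names from an iterable of log records that fire the rule."""
    return [r["query"] for r in records if matches_rule(r["query"])]


# Constructed sample records (not real telemetry)
SAMPLE_RECORDS = [
    {"query": "www.example.com"},                         # short: no match
    {"query": "a" * 60 + ".s3.amazonaws.com"},            # long, but allow-listed
    {"query": "deadbeef" * 8 + ".exfil.example.net"},     # long, unknown domain
]

if __name__ == "__main__":
    for q in scan(SAMPLE_RECORDS):
        print("ALERT:", q)
```

Only the third record fires: the second is just as long but its eTLD+1 `amazonaws.com` is on the allow-list, which is exactly the false-positive class the rule's `falsepositives` entry describes.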
