dns_query

Suspicious DNS Query for IP Lookup Service APIs

Dec 1, 2023 · attack.reconnaissance attack.t1590 ·

Share on:

Detects DNS queries for IP lookup services such as "api.ipify.org" originating from a non browser process.

DNS Query for Anonfiles.com Domain - Sysmon

Dec 1, 2023 · attack.exfiltration attack.t1567.002 ·

Share on:

Detects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes

DNS Query To Devtunnels Domain

Nov 20, 2023 · attack.command_and_control attack.t1071.001 ·

Share on:

Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

DNS Query To Visual Studio Code Tunnels Domain

Nov 20, 2023 · attack.command_and_control attack.t1071.001 ·

Share on:

Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

AppX Package Installation Attempts Via AppInstaller.EXE

Nov 14, 2023 · attack.command_and_control attack.t1105 ·

Share on:

Detects DNS queries made by "AppInstaller.EXE". The AppInstaller is the default handler for the "ms-appinstaller" URI. It attempts to load/install a package from the referenced URL

DNS Query To Remote Access Software Domain From Non-Browser App

Oct 18, 2023 · attack.command_and_control attack.t1219 ·

Share on:

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

DNS Query Request By Regsvr32.EXE

Oct 4, 2023 · attack.execution attack.t1559.001 attack.defense_evasion attack.t1218.010 ·

Share on:

Detects DNS queries initiated by "Regsvr32.exe"

DNS Query To MEGA Hosting Website

Oct 4, 2023 · attack.exfiltration attack.t1567.002 ·

Share on:

Detects DNS queries for subdomains related to MEGA sharing website

DNS Query To Ufile.io

Oct 4, 2023 · attack.exfiltration attack.t1567.002 ·

Share on:

Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration

DNS Query Tor .Onion Address - Sysmon

Oct 4, 2023 · attack.command_and_control attack.t1090.003 ·

Share on:

Detects DNS queries to an ".onion" address related to Tor routing networks

DNS Server Discovery Via LDAP Query

Oct 4, 2023 · attack.discovery attack.t1482 ·

Share on:

Detects DNS server discovery via LDAP query requests from uncommon applications

TeamViewer Domain Query By Non-TeamViewer Application

Oct 4, 2023 · attack.command_and_control attack.t1219 ·

Share on:

Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)

Suspicious Cobalt Strike DNS Beaconing - Sysmon

Feb 1, 2023 · attack.command_and_control attack.t1071.004 ·

Share on:

Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons

DNS HybridConnectionManager Service Bus

Jan 17, 2023 · attack.persistence attack.t1554 ·

Share on:

Detects Azure Hybrid Connection Manager services querying the Azure service bus service