DNS Query To Common Malware Hosting and Shortener Services
Detects DNS queries to domains commonly used by threat actors to host malware payloads or redirect through URL shorteners. These include platforms like Cloudflare Workers, TryCloudflare, InfinityFree, and URL shorteners such as tinyurl and lihi.cc. Such DNS activity can indicate potential delivery or command-and-control communication attempts.
Sigma rule (View on GitHub)
1title: DNS Query To Common Malware Hosting and Shortener Services
2id: f8c1e80b-c73a-476a-ae24-6c72528b1521
3status: experimental
4description: |
5 Detects DNS queries to domains commonly used by threat actors to host malware payloads or redirect through URL shorteners.
6 These include platforms like Cloudflare Workers, TryCloudflare, InfinityFree, and URL shorteners such as tinyurl and lihi.cc.
7 Such DNS activity can indicate potential delivery or command-and-control communication attempts.
8references:
9 - https://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics
10author: Ahmed Nosir (@egycondor)
11date: 2025-06-02
12tags:
13 - attack.command-and-control
14 - attack.t1071.004
15logsource:
16 product: windows
17 category: dns_query
18detection:
19 selection:
20 QueryName|contains:
21 - 'msapp.workers.dev'
22 - 'trycloudflare.com'
23 - 'infinityfreeapp.com'
24 - 'my5353.com'
25 - 'reurl.cc'
26 - 'lihi.cc'
27 - 'tinyurl.com'
28 condition: selection
29falsepositives:
30 - Legitimate use of these services is possible but rare in enterprise environments
31level: medium
References
-
Disrupting Attackers to Protect Google, Our Users, and Our Customers GTIG’s goal is not just to monitor threats, but to counter and disrupt them. At Google, we aim to protect our users and customer...
Read More
Related rules
- DNS Query To Katz Stealer Domains
- DNS Query To Katz Stealer Domains - Network
- Cobalt Strike DNS Beaconing
- DNS Exfiltration and Tunneling Tools Execution
- DNS TXT Answer with Possible Execution Strings