DNS Query To AzureWebsitesNET By Non-Browser Process

Last updated on:

About the rule

Rule Type

Standard

Rule Description

Detects a DNS query by a non browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.

Severity

Attention

Rule Requirement

Criteria

Action1: actionname = "DNS Query Executed" AND (QUERY endswith "azurewebsites.net" AND PROCESSNAME notendswith "chrome.exe,firefox.exe,iexplore.exe,MicrosoftEdge.exe,msedge.exe,msedgewebview2.exe,safari.exe" AND PROCESSNAME notendswith "MsMpEng.exe,MsSense.exe,brave.exe,maxthon.exe,opera.exe,seamonkey.exe,vivaldi.exe,whale.exe" AND PROCESSNAME notendswith "Waterfox.exe,Midori Next Generation.exe,slimbrowser.exe,Flock.exe,Phoebe.exe,falkon.exe,avant.exe") select Action1.HOSTNAME,Action1.MESSAGE,Action1.PROCESSNAME,Action1.QUERY,Action1.STATUSCODE,Action1.RESULT

Detection

Execution Mode

realtime

Log Sources

Windows

Author

@Nasreddine Bencherchali (Nextron Systems)