DNS Query To Common Malware Hosting and Shortener Services
Last updated on:
In this page
About the rule
Rule Type
Standard
Rule Description
Detects DNS queries to domains commonly used by threat actors to host malware payloads or redirect via URL shorteners.
Severity
Attention
Rule Requirement
Criteria
Action1:
actionname = "DNS Query Executed" AND ( QUERY contains "msapp.workers.dev,trycloudflare.com,infinityfreeapp.com,my5353.com,reurl.cc,lihi.cc,tinyurl.com" )
select Action1.HOSTNAME,Action1.MESSAGE,Action1.PROCESSNAME,Action1.QUERY,Action1.STATUSCODE,Action1.RESULT
Detection
Execution Mode
realtime
Log Sources
Windows
Author
@Ahmed Nosir (@egycondor)


