DNS Query To Common Malware Hosting and Shortener Services

Last updated on:

About the rule

Rule Type

Standard

Rule Description

Detects DNS queries to domains commonly used by threat actors to host malware payloads or redirect via URL shorteners.

Severity

Attention

Rule Requirement

Criteria

Action1: actionname = "DNS Query Executed" AND ( QUERY contains "msapp.workers.dev,trycloudflare.com,infinityfreeapp.com,my5353.com,reurl.cc,lihi.cc,tinyurl.com" ) select Action1.HOSTNAME,Action1.MESSAGE,Action1.PROCESSNAME,Action1.QUERY,Action1.STATUSCODE,Action1.RESULT

Detection

Execution Mode

realtime

Log Sources

Windows

Author

@Ahmed Nosir (@egycondor)