Techniques
Sample rules
DNS Query to External Service Interaction Domains
- source: sigma
- techniques:
- t1190
- t1595
- t1595.002
Description
Detects DNS queries to external service interaction (out-of-band) domains, which attackers and scanners commonly use to confirm successful RCE by having the target resolve a name they control.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_polling:
    query|contains: polling.oastify.com
selection:
    query|contains:
        - .burpcollaborator.net
        - .canarytokens.com
        - .ceye.io
        - .ddns.1443.eu.org
        - .ddns.bypass.eu.org
        - .ddns.xn--gg8h.eu.org
        - .dns.su18.org
        - .dnshook.site
        - .dnslog.cn
        - .dnslog.ink
        - .interact.sh
        - .log.dnslog.pp.ua
        - .log.dnslog.qzz.io
        - .log.dnslogs.dpdns.org
        - .log.javaweb.org
        - .log.nat.cloudns.ph
        - .oast.fun
        - .oast.live
        - .oast.me
        - .oast.online
        - .oast.pro
        - .oast.site
        - .oastify.com
        - .p8.lol
        - .requestbin.net
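To make concrete what the condition above selects and what the filter removes, the following is an added Python evaluator of the rule's logic run over constructed DNS query events. It is example code written for this page, not code from the Sigma project or from the rule's authors. It assumes the Sigma field name `query` holds the queried name (in practice the Sigma backend configuration maps it to the log's real field, for instance QueryName in Sysmon Event ID 22), applies the case-insensitive matching that Sigma's `contains` modifier performs by default, and uses only the portion of the domain list that is visible on this page; the sample events are constructed, not real telemetry.

```python
# Added example (not part of the Sigma rule or the page): evaluates the
# rule's selection/filter logic over constructed DNS query events.
#
# Assumptions: each event is a dict carrying the Sigma field name `query`
# (a Sigma backend config maps it to the real log field, e.g. Sysmon
# Event ID 22 QueryName); matching is case-insensitive, as Sigma's
# `contains` modifier is by default.

# Suffixes from the rule's `selection` block as shown on the page (the
# page's list is cut off after .requestbin.net; extend from the full rule).
OAST_SUFFIXES = [
    ".burpcollaborator.net",
    ".canarytokens.com",
    ".ceye.io",
    ".ddns.1443.eu.org",
    ".ddns.bypass.eu.org",
    ".ddns.xn--gg8h.eu.org",
    ".dns.su18.org",
    ".dnshook.site",
    ".dnslog.cn",
    ".dnslog.ink",
    ".interact.sh",
    ".log.dnslog.pp.ua",
    ".log.dnslog.qzz.io",
    ".log.dnslogs.dpdns.org",
    ".log.javaweb.org",
    ".log.nat.cloudns.ph",
    ".oast.fun",
    ".oast.live",
    ".oast.me",
    ".oast.online",
    ".oast.pro",
    ".oast.site",
    ".oastify.com",
    ".p8.lol",
    ".requestbin.net",
]

# `filter_main_polling`: Burp Suite retrieves Collaborator interactions by
# querying polling.oastify.com, so that name marks a Burp client on the
# network, not a target calling back to an attacker.
POLLING_FILTER = "polling.oastify.com"


def matches_selection(query: str) -> bool:
    """`selection`: query|contains any listed suffix (case-insensitive)."""
    q = query.lower()
    return any(suffix in q for suffix in OAST_SUFFIXES)


def matches_polling_filter(query: str) -> bool:
    """`filter_main_polling`: query|contains polling.oastify.com."""
    return POLLING_FILTER in query.lower()


def rule_matches(event: dict) -> bool:
    """`condition: selection and not 1 of filter_main_*`."""
    query = event.get("query", "")
    return matches_selection(query) and not matches_polling_filter(query)


def evaluate(events):
    """Return the ids of the events the rule would alert on, in input order."""
    return [e["id"] for e in events if rule_matches(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "host": "web01", "query": "k7f2q1.oastify.com"},       # target callback: alert
    {"id": 2, "host": "pentest-ws", "query": "polling.oastify.com"},  # Burp polling: filtered out
    {"id": 3, "host": "web01", "query": "c9a0.x1y2.interact.sh"},     # interactsh callback: alert
    {"id": 4, "host": "web01", "query": "www.example.com"},           # benign: no match
    {"id": 5, "host": "app02", "query": "AbC.BurpCollaborator.NET"},  # mixed case: still alerts
    {"id": 6, "host": "app02", "query": "interact.sh"},               # bare apex: no leading dot, no match
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict = "ALERT" if rule_matches(event) else "-"
        print(event["id"], event["host"], event["query"], verdict)
```

Two points worth noticing when tuning this rule: the leading dot on every selection entry means only subdomains of the listed providers match, so a bare `interact.sh` lookup is intentionally ignored, and the polling filter only suppresses the Burp client's own retrieval traffic; a host that should never talk to these providers at all (a production web server, as opposed to a tester's workstation) is the interesting match.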