Techniques
Sample rules
DNS Query To Common Malware Hosting and Shortener Services
- source: sigma
- technicques:
- t1071
- t1071.004
Description
Detects DNS queries to domains commonly used by threat actors to host malware payloads or redirect through URL shorteners. These include platforms like Cloudflare Workers, TryCloudflare, InfinityFree, and URL shorteners such as tinyurl and lihi.cc. Such DNS activity can indicate potential delivery or command-and-control communication attempts.
Detection logic
condition: selection
selection:
QueryName|contains:
- msapp.workers.dev
- trycloudflare.com
- infinityfreeapp.com
- my5353.com
- reurl.cc
- lihi.cc
- tinyurl.com