Type: Detection, Level: high, Status: test

DNS Query to External Service Interaction Domains

Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE

Author
Florian Roth (Nextron Systems), Matt Kelly (list of domains)
Created
Tue Jun 07
Updated
Sat Jan 24
Rule ID
aff715fa-4dd5-497a-8db3-910bea555566
Rule Section
network
Log Source
Category
dns
Detection Logic
detection:
    selection:
        query|endswith:
            - '.burpcollaborator.net' # Portswigger Burpsuite Collaborator
            - '.canarytokens.com' # Thinkst Canary Canarytokens
            - '.ceye.io'
            - '.ddns.1443.eu.org' # dig.pm
            - '.ddns.bypass.eu.org' # dig.pm
            - '.ddns.xn--gg8h.eu.org' # dig.pm
            - '.digimg.store' # dnslog.ink
            - '.dns.su18.org' # javaweb.org
            - '.dnshook.site' # webhook.site
            - '.dnslog.cn'
            - '.dnslog.ink' # dnslog.ink
            - '.instances.httpworkbench.com' # httpworkbench.com
            - '.interact.sh' # Project Discovery Interactsh
            - '.log.dnslog.pp.ua' # dnslog.org
            - '.log.dnslog.qzz.io' # dnslog.org
            - '.log.dnslogs.dpdns.org' # dnslog.org
            - '.log.javaweb.org' # javaweb.org
            - '.log.nat.cloudns.ph' # dnslog.org
            - '.oast.fun' # Project Discovery Interactsh
            - '.oast.live' # Project Discovery Interactsh
            - '.oast.me' # Project Discovery Interactsh
            - '.oast.online' # Project Discovery Interactsh
            - '.oast.pro' # Project Discovery Interactsh
            - '.oast.site' # Project Discovery Interactsh
            - '.oastify.com' # Portswigger Burpsuite Collaborator
            - '.p8.lol' # javaweb.org
            - '.requestbin.net'
    filter_main_polling:
        query|contains: 'polling.oastify.com'
    condition: selection and not 1 of filter_main_*
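To see how the condition above behaves on real-looking input, here is an added Python example (not part of the Sigma rule or the SigmaHQ project) that reimplements the two selectors and runs them over a constructed JSON-lines DNS log. The record layout (`ts`, `src_ip`, `query`) and the hostnames under the listed suffixes are assumptions; Sigma string modifiers match case-insensitively, which the helper reproduces, and it also strips the trailing dot that some resolvers log on fully qualified names. Note the edge case the `endswith` suffixes create: a query for the bare apex (`dnslog.cn`) does not end with `.dnslog.cn` and so does not match.

```python
"""Evaluate the Sigma selection above against constructed DNS query records."""
import json

# Suffix list copied from the rule's `query|endswith` selector.
OOB_DOMAIN_SUFFIXES = (
    ".burpcollaborator.net", ".canarytokens.com", ".ceye.io", ".ddns.1443.eu.org",
    ".ddns.bypass.eu.org", ".ddns.xn--gg8h.eu.org", ".digimg.store", ".dns.su18.org",
    ".dnshook.site", ".dnslog.cn", ".dnslog.ink", ".instances.httpworkbench.com",
    ".interact.sh", ".log.dnslog.pp.ua", ".log.dnslog.qzz.io", ".log.dnslogs.dpdns.org",
    ".log.javaweb.org", ".log.nat.cloudns.ph", ".oast.fun", ".oast.live", ".oast.me",
    ".oast.online", ".oast.pro", ".oast.site", ".oastify.com", ".p8.lol", ".requestbin.net",
)

# filter_main_polling: `query|contains` (Burp client polling its own server)
POLLING_FILTER = "polling.oastify.com"


def normalize_query(query: str) -> str:
    # Sigma matching is case-insensitive; also drop a trailing FQDN dot
    # that some resolvers write into the log ("host.oast.fun.").
    return query.strip().rstrip(".").lower()


def selection_matches(query: str) -> bool:
    q = normalize_query(query)
    return any(q.endswith(suffix) for suffix in OOB_DOMAIN_SUFFIXES)


def filter_main_polling_matches(query: str) -> bool:
    return POLLING_FILTER in normalize_query(query)


def rule_matches(query: str) -> bool:
    # condition: selection and not 1 of filter_main_*
    return selection_matches(query) and not filter_main_polling_matches(query)


# Constructed sample log (JSON lines, one DNS query per record). The hostnames
# are invented labels under the listed suffixes, not observed indicators.
SAMPLE_LOG = """\
{"ts": "2024-01-24T10:00:01Z", "src_ip": "10.0.0.15", "query": "www.example.com"}
{"ts": "2024-01-24T10:00:02Z", "src_ip": "10.0.0.15", "query": "c1a2b3c4.oast.fun"}
{"ts": "2024-01-24T10:00:03Z", "src_ip": "10.0.0.22", "query": "polling.oastify.com"}
{"ts": "2024-01-24T10:00:04Z", "src_ip": "10.0.0.22", "query": "ABCDEF.OASTIFY.COM."}
{"ts": "2024-01-24T10:00:05Z", "src_ip": "10.0.0.31", "query": "dnslog.cn"}
{"ts": "2024-01-24T10:00:06Z", "src_ip": "10.0.0.31", "query": "token.canarytokens.com"}
"""


def evaluate(log_text: str) -> list:
    """Return the records that trigger the rule, in log order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rule_matches(rec.get("query", "")):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src_ip']} -> {hit['query']}")
```

Running the block prints three hits: the `oast.fun` query, the upper-cased `OASTIFY.COM.` query (normalized before matching), and the `canarytokens.com` query. The `polling.oastify.com` record passes the selection but is dropped by `filter_main_polling`, and the bare `dnslog.cn` apex never matches because every suffix begins with a dot.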
False Positives

Legitimate security scanning.

Rule Metadata
Rule ID
aff715fa-4dd5-497a-8db3-910bea555566
Status
test
Level
high
Type
Detection
Created
Tue Jun 07
Modified
Sat Jan 24
Path
rules/network/dns/net_dns_external_service_interaction_domains.yml
Raw Tags
attack.initial-access, attack.t1190, attack.reconnaissance, attack.t1595.002