Threat Hunt | medium | experimental

Low Reputation Effective Top-Level Domain (eTLD)

Detects DNS queries for names under known low-reputation effective TLDs (eTLDs). "eTLD" is used here in the Public Suffix List sense: the list mixes ordinary generic TLDs such as .top or .live with provider domains under which anyone can register a name, such as dynamic-DNS and tunnelling services (duckdns.org, no-ip.org, ply.gg). The list comes from AlphaSOC's threat intelligence data and is updated monthly.

Author: Norbert Jaśniewicz (AlphaSOC)
Created: Mon Aug 04
Rule ID: cf5ee356-65c4-4556-8d11-6977fcdfed4b
Directory: network
Log Source
Category: dns
Detection Logic (1 selector)
detection:
    selection:
        query|endswith:
            - '.duckdns.org'
            - '.top'
            - '.ddns.net'
            - '.gl.at.ply.gg'
            - '.portmap.io'
            - '.icu'
            - '.zapto.org'
            - '.live'
            - '.hopto.org'
            - '.portmap.host'
            - '.sbs'
            - '.sytes.net'
            - '.click'
            - '.ydns.eu'
            - '.site'
            - '.cloud'
            - '.no-ip.org'
            - '.kozow.com'
            - '.lat'
            - '.pro'
    condition: selection
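As an added worked example (not part of the rule or of this page), the selection above expressed in Python and run over a few constructed DNS log lines. Two things the Sigma `endswith` modifier leaves to the backend are made explicit: the comparison is case-insensitive, and a DNS log that records the fully-qualified name with a trailing dot ("host.duckdns.org.") would never match a bare `endswith` check, so the query is normalized first. The log format and the hostnames are assumptions for the demonstration.

```python
from typing import Optional

# Suffix list copied verbatim from the rule's `selection` block.
LOW_REPUTATION_ETLDS = [
    '.duckdns.org', '.top', '.ddns.net', '.gl.at.ply.gg', '.portmap.io',
    '.icu', '.zapto.org', '.live', '.hopto.org', '.portmap.host', '.sbs',
    '.sytes.net', '.click', '.ydns.eu', '.site', '.cloud', '.no-ip.org',
    '.kozow.com', '.lat', '.pro',
]


def normalize_query(query: str) -> str:
    """Sigma string modifiers compare case-insensitively, and many DNS logs
    store the FQDN with a trailing dot. Lowercase and strip the dot so the
    `endswith` comparison behaves the way the rule intends."""
    return query.strip().rstrip('.').lower()


def matched_suffix(query: str) -> Optional[str]:
    """Return the first rule suffix the query ends with, or None.

    This is the `query|endswith` selection; `condition: selection` means a
    single suffix match is enough to raise the event. Because every suffix
    starts with a dot, the provider apex itself (e.g. 'duckdns.org') does not
    match, only names registered beneath it."""
    q = normalize_query(query)
    for suffix in LOW_REPUTATION_ETLDS:
        if q.endswith(suffix):
            return suffix
    return None


# Constructed sample log (not real traffic), loosely modelled on a
# tab-separated dns.log: ts, src_ip, query, qtype.
SAMPLE_DNS_LOG = """\
1723000001.1\t10.0.0.5\tupdates.example.com\tA
1723000002.2\t10.0.0.5\twin-update-check.duckdns.org\tA
1723000003.3\t10.0.0.7\tMAIL.CONTOSO.TOP.\tA
1723000004.4\t10.0.0.9\toutlook.live.com\tA
1723000005.5\t10.0.0.9\tcdn.assets.cloud\tAAAA
1723000006.6\t10.0.0.11\tt1.gl.at.ply.gg\tA
1723000007.7\t10.0.0.11\tduckdns.org\tA
"""


def hunt(log_text: str) -> list:
    """Apply the detection to every log line; return one hit per matching query."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, query, qtype = line.split('\t')
        suffix = matched_suffix(query)
        if suffix is not None:
            hits.append({'ts': ts, 'src': src, 'query': query,
                         'qtype': qtype, 'etld': suffix})
    return hits


if __name__ == '__main__':
    for hit in hunt(SAMPLE_DNS_LOG):
        print(f"{hit['src']:<12} {hit['query']:<32} matched {hit['etld']}")
```

Of the seven constructed queries, four fire: the duckdns.org host, the upper-cased `.top` name with a trailing dot (caught only because of the normalization), the `.cloud` name, and the ply.gg tunnel hostname. `outlook.live.com` does not fire because `.live` is not its suffix, and the bare `duckdns.org` apex does not fire either. If your DNS source keeps the trailing dot, the equivalent fix in Sigma terms is to normalize the field in the pipeline, or accept that `endswith` will silently miss those records.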
False Positives
Unknown; the rule does not assess false-positive likelihood. Expect a high match volume: several entries are ordinary generic TLDs with large legitimate populations (.top, .live, .site, .cloud, .pro, .click, .icu, .sbs, .lat), and the rest are dynamic-DNS and tunnelling providers (duckdns.org, no-ip.org, ddns.net, hopto.org, ply.gg, portmap.io) that hobbyists and small businesses also use. Triage on the querying host, whether the name actually resolved, and what connection followed the lookup.

MITRE ATT&CK
Tactics: Command and Control, Initial Access
Sub-techniques: T1071.004 (Application Layer Protocol: DNS)
Other: detection.threat-hunting
Rule Metadata
Rule ID
cf5ee356-65c4-4556-8d11-6977fcdfed4b
Status
experimental
Level
medium
Type
Threat Hunt
Created
Mon Aug 04
Path
rules-threat-hunting/network/net_dns_low_reputation_etld.yml
Raw Tags
attack.command-and-control, attack.t1071.004, attack.initial-access, detection.threat-hunting