Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumexperimental

DNS Query To Common Malware Hosting and Shortener Services

Detects DNS queries to domains commonly used by threat actors to host malware payloads or redirect through URL shorteners. These include platforms like Cloudflare Workers, TryCloudflare, InfinityFree, and URL shorteners such as tinyurl and lihi.cc. Such DNS activity can indicate potential delivery or command-and-control communication attempts.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Ahmed NosirCreated Mon Jun 02f8c1e80b-c73a-476a-ae24-6c72528b1521windows
Log Source
WindowsDNS Query
ProductWindows← raw: windows
CategoryDNS Query← raw: dns_query

DNS lookup events generated by endpoint monitoring tools.

Detection Logic
Detection Logic1 selector
detection:
    selection:
        QueryName|contains:
            - 'msapp.workers.dev'
            - 'trycloudflare.com'
            - 'infinityfreeapp.com'
            - 'my5353.com'
            - 'reurl.cc'
            - 'lihi.cc'
            - 'tinyurl.com'
    condition: selection
False Positives

Legitimate use of these services is possible but rare in enterprise environments

References
1
Resolving title…
cloud.google.com
MITRE ATT&CK

Sub-techniques

T1071.004 · DNS
Rule Metadata
Rule ID
f8c1e80b-c73a-476a-ae24-6c72528b1521
Status
experimental
Level
medium
Type
Detection
Created
Mon Jun 02
Author
Ahmed Nosir
Path
rules/windows/dns_query/dns_query_win_common_malware_hosting_services.yml
Raw Tags
attack.command-and-controlattack.t1071.004
View on GitHub