
DNS Query To Common Malware Hosting and Shortener Services

Severity: medium
Author: Ahmed Nosir (@egycondor)
Source: upstream

Detects DNS queries to domains commonly used by threat actors to host malware payloads or redirect through URL shorteners. These include platforms like Cloudflare Workers, TryCloudflare, InfinityFree, and URL shorteners such as tinyurl and lihi.cc. Such DNS activity can indicate potential delivery or command-and-control communication attempts.

MITRE ATT&CK coverage

Tactic | Techniques
Command & Control | T1071.004 Application Layer Protocol: DNS

Event coverage

Provider | Event ID | Title
Sysmon | 22 | DNSEvent (DNS query)

Stages and Predicates

Stage 1: selection

or:
QueryName|contains: infinityfreeapp.com
QueryName|contains: lihi.cc
QueryName|contains: msapp.workers.dev
QueryName|contains: my5353.com
QueryName|contains: reurl.cc
QueryName|contains: tinyurl.com
QueryName|contains: trycloudflare.com
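
The Stage 1 selection applied to constructed Sysmon Event ID 22 records, as an added example that is not part of the upstream rule. Because `contains` is a substring test, the example also separates hits on the listed service domains from names that merely contain one of the strings. The function names, the stricter `domain_match` triage check and the sample events are assumptions made for illustration.

```python
# Added example: evaluate the rule's Stage 1 predicates over Sysmon Event ID 22
# records and label each alert for triage. Not the upstream rule's own code.

SERVICES = [
    "infinityfreeapp.com", "lihi.cc", "msapp.workers.dev", "my5353.com",
    "reurl.cc", "tinyurl.com", "trycloudflare.com",
]

def contains_match(query_name):
    """The rule as written: case-insensitive substring test (Sigma 'contains')."""
    q = query_name.lower()
    return next((s for s in SERVICES if s in q), None)

def domain_match(query_name):
    """Stricter check (assumption): the name is the service domain or a subdomain."""
    q = query_name.lower().rstrip(".")
    return next((s for s in SERVICES if q == s or q.endswith("." + s)), None)

def triage(events):
    """Return (QueryName, Image, verdict) for every event the rule alerts on."""
    results = []
    for ev in events:
        if ev.get("EventID") != 22:      # the rule only covers Sysmon DNS events
            continue
        name = ev.get("QueryName", "")
        if contains_match(name) is None:
            continue
        verdict = "service-domain" if domain_match(name) else "substring-only"
        results.append((name, ev.get("Image", ""), verdict))
    return results

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 22, "Image": r"C:\Windows\System32\mshta.exe",
     "QueryName": "example-tunnel.trycloudflare.com"},
    {"EventID": 22, "Image": r"C:\Windows\System32\cmd.exe", "QueryName": "TinyURL.com"},
    {"EventID": 22, "Image": r"C:\Apps\browser.exe", "QueryName": "tinyurl.com.example.org"},
    {"EventID": 22, "Image": r"C:\Apps\browser.exe", "QueryName": "notreurl.cc"},
    {"EventID": 22, "Image": r"C:\Apps\browser.exe", "QueryName": "www.example.org"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for name, image, verdict in triage(SAMPLE_EVENTS):
        print(f"{verdict:15} {name:35} {image}")
```

Alerts labelled `substring-only` are where the broad `contains` operator fired on a name outside the listed services; the requesting `Image` is usually the next field to check during triage.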

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field: QueryName
Kind: match
Values:
  • infinityfreeapp.com
  • lihi.cc
  • msapp.workers.dev
  • my5353.com
  • reurl.cc
  • tinyurl.com
  • trycloudflare.com