security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] DNS to Commonly Abused Web Services (#5938)

Browse Source 
* [New Rule] DNS to Commonly Abused Web Services

* Update command_and_control_dns_to_commonly_abused_webservices.toml

* Update rules/linux/command_and_control_dns_to_commonly_abused_webservices.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/linux/command_and_control_dns_to_commonly_abused_webservices.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Converted to BBR

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
This commit is contained in:
Ruben Groenewoud
2026-05-04 12:04:57 +02:00
committed by GitHub
parent bf49a90eb0
commit ef113dc19e
1 changed files with 231 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules_building_block/command_and_control_dns_to_commonly_abused_webservices.toml
+231
View File
@@ -0,0 +1,231 @@
[metadata]
bypass_bbr_timing = true
creation_date = "2026/05/04"
integration = ["endpoint"]
maturity = "production"
min_stack_version = "9.3.0"
min_stack_comments = "DNS for Linux support was introduced in 9.3.0"
updated_date = "2026/05/04"
[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
Adversaries may implement command and control (C2) communications that use common web services to hide their activity.
This attack technique is typically targeted at an organization and uses web services common to the victim network, which
allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they
have most likely been used before compromise, which helps malicious traffic blend in.
"""
from = "now-9m"
index = ["logs-endpoint.events.network-*"]
language = "eql"
license = "Elastic License v2"
name = "DNS to Commonly Abused Web Services"
risk_score = 21
rule_id = "8248323e-f888-4134-a26f-37a6362f7231"
severity = "low"
tags = [
"Domain: Endpoint",
"Domain: Network",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Command and Control",
"Tactic: Exfiltration",
"Data Source: Elastic Defend",
"Rule Type: BBR",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
network where host.os.type == "linux" and dns.question.name != null and process.name != null and
dns.question.name like~ (
/* Google services */
"drive.google.com", "docs.google.com", "script.google.com", "script.googleusercontent.com",
"*googleapis.com", "calendar.app.google*",
/* Dropbox */
"api.dropboxapi.com", "content.dropboxapi.com", "*dl.dropboxusercontent.com",
/* Microsoft / OneDrive / SharePoint */
"api.onedrive.com", "*.onedrive.org", "onedrive.live.com", "*files.1drv.com", "graph.microsoft.com",
"*.sharepoint.com", "login.live.com", "g.live.com",
/* Slack */
"*slack.com", "slack-redir.net", "slack-files.com",
/* Discord */
"discord.com", "cdn.discordapp.com", "discordapp.com",
/* Telegram */
"api.telegram.org", "t.me",
/* Azure / Cloud storage */
"apis.azureedge.net", "*.blob.core.windows.net", "*.blob.storage.azure.net", "*azurewebsites.net",
/* GitHub / Dev hosting */
"api.github.com", "raw.githubusercontent.*", "gist.githubusercontent.com", "rawcdn.githack.*",
"*.notabug.org",
/* Developer tunnels / reverse proxies */
"*.devtunnels.ms", "*global.rel.tunnels.api.visualstudio.com", "*.ngrok.io", "*.ngrok-free.app",
"*.portmap.*", "serveo.net", "*localtunnel.me", "*pagekite.me", "*.trycloudflare.com",
/* AWS */
"*s3.amazonaws.com",
/* Paste services */
"pastebin.*", "paste4btc.com", "paste.ee", "ghostbin.com", "paste.nrecom.net", "zerobin.net",
"controlc.com", "pastecode.dev", "paste.rs", "hastebin.com", "dpaste.org", "dpaste.com", "0bin.net",
"paste.ofcode.org", "paste.wakas.org", "nopaste.net",
/* File sharing / exfiltration */
"filebin.net", "file.io", "transfer.sh", "*.gofile.io", "workupload.com", "*upload.ee", "*anonfiles.com",
"api.anonfile.com", "*bayfiles.com", "*bublup.com", "*dropfiles.org", "*dropmefiles.com", "*easyupload.io",
"*filetransfer.io", "*sendspace.com", "*share.riseup.net", "*temp.sh", "*tempsend.com", "*ufile.io",
"*send.now", "*send.cm", "*sendit.sh", "*pixeldrain.com", "*megaupload.com", "*mediafire.com",
"*bashupload.com", "*bujang.online", "mediafire.zip", "*.4shared.com", "filecloud.me", "*.pcloud.com",
"*catbox.moe",
/* CDN / hosting / generic file infra */
"*cdnmegafiles.com", "www.uplooder.net", "?.top4top.io", "top4top.io", "*.b-cdn.net", "cdn*.space",
"i.ibb.co", "i.imgur.com",
/* Webhooks / testing / bins */
"webhook.site", "run.mocky.io", "mockbin.org", "requestbin.net",
/* Public hosting / misc infra */
"*.publicvm.com", "*.blogspot.com", "*infinityfreeapp.com", "free.keep.sh", "*.aternos.me",
"*hosting-profi.de",
/* IP / network utilities */
"api.mylnikov.org", "ipbase.com", "*.getmyip.com", "myexternalip.com", "*.geojs.io",
"*api.2ip.ua", "*api.db-ip.com", "*api.ip.sb", "*api.ipify.org", "*api.myip.com",
"*api.npoint.io", "*api64.ipify.org", "*bot.whatismyipaddress.com", "*checkip.amazonaws.com",
"*checkip.dyndns.org", "*curlmyip.com", "*eth0.me", "*freegeoip.app", "*freegeoip.net",
"*freeipapi.com", "*geoiptool.com", "*geolocation-db.com", "*httpbin.org",
"*icanhazip.com", "*ident.me", "*ifcfg.me", "*ifconfig.me", "*inet-ip.info", "*ip-api.com",
"*ip.appspot.com", "*ip.tyk.nu", "*ip4.seeip.org", "*ipecho.net", "*ipinfo.io", "*iplogger.*",
"*ipof.in", "*ipwho.is", "*ipwhois.app", "*ipv4.icanhazip.com", "*ipv6.icanhazip.com",
"*myip.dnsomatic.com", "*myip.ipip.net", "*myip.opendns.com", "*portmap.io", "*wgetip.com",
"*whatismyip.akamai.com", "*wtfismyip.com",
/* Social / platforms */
"mbasic.facebook.com", "*.zulipchat.com", "stackoverflow.com",
/* Package hosting */
"files.pythonhosted.org",
/* Databases / backend platforms */
"*.supabase.co", "*.elastic-cloud.com", "*.cloud.es.io",
/* Misc / suspicious */
"*up.freeo*.space", "*icp0.io", "updates.peer2profit.com", "meacz.gq", "rwrd.org", "lobfile.com",
"ftpupload.net", "the.earth.li",
/* URL shorteners */
"*shorturl.at", "*tinyurl.com", "*bit.ly", "*cutt.ly", "*is.gd", "*rebrand.ly", "*rebrandly.com",
"*adf.ly", "*rb.gy", "tiny.one", "t.ly", "urlz.fr", "rentry.co",
/* Regional / large providers */
"yandex.ru", "*.yandex.ru",
/* Crypto mining pools */
"*.nicehash.com", "stratum*.nicehash.com",
"*.2miners.com", "*.moneroocean.stream", "*.supportxmr.com",
"*.nanopool.org", "*.f2pool.com", "*.poolbinance.com",
"*.antpool.com", "*.viabtc.com", "*.braiins.com", "*.slushpool.com",
/* Decentralized */
"ipfs.io", "*.ipfs.io", "dweb.link", "*.dweb.link",
"*.ipfs.dweb.link", "*.ipns.dweb.link",
"gateway.pinata.cloud", "*.mypinata.cloud",
"web3.storage", "*.web3.storage",
"nftstorage.link", "*.nftstorage.link",
"arweave.net", "*.arweave.net",
"ar.io", "*.ar.io",
"ic0.app", "*.ic0.app",
"icp0.io", "*.icp0.io",
"*.storjshare.io"
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"
[[rule.threat.technique.subtechnique]]
id = "T1071.001"
name = "Web Protocols"
reference = "https://attack.mitre.org/techniques/T1071/001/"
[[rule.threat.technique]]
id = "T1090"
name = "Proxy"
reference = "https://attack.mitre.org/techniques/T1090/"
[[rule.threat.technique.subtechnique]]
id = "T1090.002"
name = "External Proxy"
reference = "https://attack.mitre.org/techniques/T1090/002/"
[[rule.threat.technique]]
id = "T1102"
name = "Web Service"
reference = "https://attack.mitre.org/techniques/T1102/"
[[rule.threat.technique.subtechnique]]
id = "T1102.001"
name = "Dead Drop Resolver"
reference = "https://attack.mitre.org/techniques/T1102/001/"
[[rule.threat.technique.subtechnique]]
id = "T1102.002"
name = "Bidirectional Communication"
reference = "https://attack.mitre.org/techniques/T1102/002/"
[[rule.threat.technique]]
id = "T1568"
name = "Dynamic Resolution"
reference = "https://attack.mitre.org/techniques/T1568/"
[[rule.threat.technique.subtechnique]]
id = "T1568.002"
name = "Domain Generation Algorithms"
reference = "https://attack.mitre.org/techniques/T1568/002/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1567"
name = "Exfiltration Over Web Service"
reference = "https://attack.mitre.org/techniques/T1567/"
[[rule.threat.technique.subtechnique]]
id = "T1567.001"
name = "Exfiltration to Code Repository"
reference = "https://attack.mitre.org/techniques/T1567/001/"
[[rule.threat.technique.subtechnique]]
id = "T1567.002"
name = "Exfiltration to Cloud Storage"
reference = "https://attack.mitre.org/techniques/T1567/002/"
[[rule.threat.technique.subtechnique]]
id = "T1567.003"
name = "Exfiltration to Text Storage Sites"
reference = "https://attack.mitre.org/techniques/T1567/003/"
[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"