Detection of DNS Queries to Suspicious Top-Level Domains
This rule detects DNS queries originating from Linux systems that target commonly abused top-level domains, which adversaries frequently leverage to establish command and control (C2) communications, exfiltrate sensitive data, or stage and deliver malicious payloads, indicating potential compromise or ongoing malicious activity.
This brief details a detection rule from Elastic designed to identify suspicious DNS queries originating from Linux systems. The rule targets a broad list of top-level domains (TLDs) that are frequently abused by threat actors for various malicious purposes. These TLDs, such as .ru, .xyz, .top, .info, and many others, are common choices for hosting command and control (C2) infrastructure, facilitating data exfiltration, or serving as staging grounds for downloading additional malware payloads. The goal of this detection is to provide early warning of potential compromises or ongoing malicious activities by flagging communications with infrastructure known for its illicit use. Defenders can deploy this rule to monitor network traffic for anomalous outbound connections from Linux endpoints, thereby enhancing their ability to detect and respond to covert attacker communications.
Attack Chain
(No specific attack chain is documented in the source. This detection focuses on identifying post-compromise network behaviors rather than initial access or specific exploitation.)
Impact
Failure to detect and block DNS queries to suspicious TLDs can lead to significant consequences for an organization. If a compromised Linux system successfully establishes command and control (C2) with attacker infrastructure, it enables persistent access, further exploitation, data exfiltration, or the deployment of ransomware. The impact can range from data breaches and intellectual property theft to complete network disruption and financial losses. Early detection of such communication attempts is crucial to prevent the progression of an attack and mitigate potential damage, which could otherwise affect any system within the network communicating with these domains.
Recommendation
- Deploy the provided Sigma rule to your SIEM and tune it for your Linux environment, prioritizing critical servers and workstations.
- Ensure DNS logging is enabled for all Linux endpoints, capturing
dns.question.name,host.os.type, andprocess.nameto activate the rule effectively. - Consider implementing network egress filtering to restrict outbound DNS queries to only known, legitimate TLDs or internal DNS resolvers.
- Investigate all alerts generated by the "DNS Request to Suspicious Top Level Domain" rule by examining the source process and the full domain name for context.
Detection coverage 1
DNS Request to Suspicious Top Level Domain
lowDetects DNS queries from Linux systems to commonly abused top-level domains used by malware for C2, exfiltration, or payload delivery.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
50
domain
| Type | Value |
|---|---|
| domain | .forum |
| domain | .pro |
| domain | .team |
| domain | .lol |
| domain | .kr |
| domain | .ke |
| domain | .nu |
| domain | .space |
| domain | .capital |
| domain | .in |
| domain | .cfd |
| domain | .online |
| domain | .ru |
| domain | .info |
| domain | .top |
| domain | .buzz |
| domain | .xyz |
| domain | .rest |
| domain | .ml |
| domain | .cf |
| domain | .gq |
| domain | .ga |
| domain | .onion |
| domain | .network |
| domain | .monster |
| domain | .marketing |
| domain | .cyou |
| domain | .quest |
| domain | .cc |
| domain | .bar |
| domain | .click |
| domain | .cam |
| domain | .surf |
| domain | .tk |
| domain | .shop |
| domain | .club |
| domain | .icu |
| domain | .pw |
| domain | .ws |
| domain | .fun |
| domain | .life |
| domain | .boats |
| domain | .store |
| domain | .hair |
| domain | .mom |
| domain | .beauty |
| domain | .bond |
| domain | .biz |
| domain | .live |
| domain | .zone |