Detects suspicious DNS queries to Monero mining pools
Detects DNS queries for the WannaCry killswitch domain
Extremely high rate of TXT-record DNS requests from a host within a short period of time. Possible result of Do-exfiltration tool execution
Extremely high rate of NULL-record DNS requests from a host within a short period of time. Possible result of iodine tool execution
High number of DNS requests from a host within a short period of time
High byte volume of DNS queries from a host within a short period of time
Normally, DNS logs contain a limited number of distinct DNS queries for a single domain. This rule detects a high number of distinct queries for a single domain, which can be an indicator that DNS is being used to transfer data.
Detects suspicious DNS queries containing base64-encoded labels
Detects suspicious DNS queries known from Cobalt Strike beacons
Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools
Detects suspicious DNS queries for api.telegram.org, which is used by Telegram bots of any kind
Detects many failed connection attempts to different ports or hosts
Detects strings used for command execution in DNS TXT answers