DNS Query To Common Malware Hosting and Shortener Services

Original Source: [Sigma source]

Title: DNS Query To Common Malware Hosting and Shortener Services
Status: experimental
Description:Detects DNS queries to domains commonly used by threat actors to host malware payloads or redirect through URL shorteners. These include platforms like Cloudflare Workers, TryCloudflare, InfinityFree, and URL shorteners such as tinyurl and lihi.cc. Such DNS activity can indicate potential delivery or command-and-control communication attempts.
References:
-https://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics
Author: Ahmed Nosir (@egycondor)
Date: 2025-06-02
modified:None
Tags:

-'attack.command-and-control'
-'attack.t1071.004'

Logsource:

product: windows
category: dns_query

Detection:
selection:
QueryName|contains:
-'msapp.workers.dev'
-'trycloudflare.com'
-'infinityfreeapp.com'
-'my5353.com'
-'reurl.cc'
-'lihi.cc'
-'tinyurl.com'

condition:selection
Falsepositives:
-Legitimate use of these services is possible but rare in enterprise environments
Level: medium

Sign Up to Personalize and Manage Your Detection

DNS Query To Common Malware Hosting and Shortener Services