
Summary
This rule detects suspicious DNS queries to commonly abused Top Level Domains (TLDs) that are frequently associated with Command and Control (C2) activity from low-quality binaries or scripts. The behavior it covers is living-off-the-land binaries (LOLBins, i.e. legitimate system executables) or executables running from world-writable locations issuing DNS queries for domains under known malicious TLDs. The detection is written in EQL (Event Query Language) and correlates events from multiple data sources, including endpoint logs and network traffic, with a specific focus on Windows environments. The rule is mapped to the MITRE ATT&CK framework under Application Layer Protocol (T1071) and its DNS sub-technique (T1071.004), the channels an adversary may use for unauthorized C2 communication. Identifying such queries helps recognize malware behavior early and take appropriate response actions, contributing to endpoint protection by surfacing high-risk activity that may indicate an ongoing compromise.
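The following is an added, constructed illustration of the detection logic described above, written in Python rather than EQL; it is not the rule's own query and is not taken from the rule's project. The TLD list, the LOLBin names, the world-writable directory prefixes, the field layout of the events and the sample events themselves are all assumptions chosen for the example, not values from the rule.

```python
"""Constructed illustration of the rule's logic: flag a DNS query when the
querying process is a LOLBin or lives in a world-writable directory AND the
queried name ends in a commonly abused TLD. All lists below are assumed
sample data, not the rule's actual configuration."""
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumed sample of commonly abused TLDs (the rule's real list is not shown here).
SUSPICIOUS_TLDS = {"top", "xyz", "club", "pw", "tk", "buzz", "cyou"}

# Assumed sample of living-off-the-land binaries matched by file name.
LOLBINS = {
    "powershell.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
    "wscript.exe", "cscript.exe", "certutil.exe", "bitsadmin.exe",
}

# Assumed world-writable directory prefixes (lower-case, backslash-normalized).
WORLD_WRITABLE_PREFIXES = (
    "c:\\users\\public\\",
    "c:\\windows\\temp\\",
    "c:\\programdata\\",
    "c:\\windows\\tasks\\",
    "c:\\perflogs\\",
)


@dataclass(frozen=True)
class DnsEvent:
    """Minimal constructed DNS-query event: the querying process and the name asked for."""
    process_path: str   # full path of the process that issued the query
    query_name: str     # DNS question name
    user: str           # account the process runs as


@dataclass(frozen=True)
class Alert:
    event: DnsEvent
    tld: str
    reason: str         # "lolbin" or "world-writable-path"


def top_level_domain(name: str) -> str:
    """Return the last label of a query name, lower-cased, trailing dot removed."""
    labels = name.strip().rstrip(".").lower().split(".")
    return labels[-1] if labels else ""


def _normalize(path: str) -> str:
    return path.lower().replace("/", "\\")


def is_world_writable(path: str) -> bool:
    """True when the executable sits under one of the assumed world-writable prefixes."""
    return _normalize(path).startswith(WORLD_WRITABLE_PREFIXES)


def is_lolbin(path: str) -> bool:
    """True when the executable's file name is in the assumed LOLBin set."""
    return _normalize(path).rsplit("\\", 1)[-1] in LOLBINS


def evaluate(event: DnsEvent) -> Optional[Alert]:
    """Apply the two-part condition: abused TLD AND (LOLBin OR world-writable path)."""
    tld = top_level_domain(event.query_name)
    if tld not in SUSPICIOUS_TLDS:
        return None
    if is_lolbin(event.process_path):
        return Alert(event, tld, "lolbin")
    if is_world_writable(event.process_path):
        return Alert(event, tld, "world-writable-path")
    return None


def detect(events: Iterable[DnsEvent]) -> list:
    """Run the check over a stream of events and return the alerts raised."""
    return [a for a in (evaluate(e) for e in events) if a is not None]


# Constructed sample events: two should alert, three should not.
SAMPLE_EVENTS = [
    DnsEvent(r"C:\Windows\System32\svchost.exe", "ctldl.windowsupdate.com", "SYSTEM"),
    DnsEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
             "svc-update.sample-c2.top.", "alice"),          # LOLBin + abused TLD
    DnsEvent(r"C:\Users\Public\Libraries\svc.exe", "cdn.sample-c2.xyz", "alice"),  # writable path + abused TLD
    DnsEvent(r"C:\Program Files\Vendor\app.exe", "telemetry.sample-vendor.xyz", "bob"),  # TLD only
    DnsEvent(r"C:\Windows\System32\rundll32.exe", "login.sample-vendor.com", "bob"),    # LOLBin only
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert.reason}] {alert.event.user} {alert.event.process_path} -> "
              f"{alert.event.query_name} (.{alert.tld})")
```

Both halves of the condition are required: a LOLBin resolving a .com name and a vendor application resolving a .xyz name are each left alone, which is what keeps a rule like this from flooding on ordinary software that happens to use a cheap TLD. In production the TLD and LOLBin lists would be maintained as tunable exception lists rather than hard-coded.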
Categories
- Endpoint
- Windows
Data Sources
- Process
- Network Traffic
- User Account
- Windows Registry
- Command
ATT&CK Techniques
- T1071
- T1071.004
Created: 2025-08-20