
Summary
This rule detects DNS queries to a set of commonly abused top-level domains (TLDs) originating from Linux endpoints. It analyzes network events from Linux hosts, requiring that the DNS question name and the associated process name are present. If a DNS query matches any of the listed wildcard TLDs (e.g., *.forum, *.info, *.top, etc.), the rule fires as a low-severity detection (risk_score 21). The intent is to identify potential command-and-control (C2), data exfiltration, or payload retrieval activity that uses DNS as a covert channel. The detection is aligned with MITRE ATT&CK techniques related to DNS-based C2 (T1071.004), proxy usage (T1090.002), web service-based exfiltration (T1567.x), and dynamic resolution/DGA (T1568.x). The query targets network events within a recent window (from now minus 9 minutes) and requires a Linux host context with a non-null DNS question name and a non-null process name to reduce noise. This rule complements other DNS/C2 detections by focusing on suspicious TLDs commonly abused by adversaries for C2 or data exfiltration.
Categories
- Endpoint
- Linux
- Network
Data Sources
- Network Traffic
ATT&CK Techniques
- T1071
- T1071.004
- T1090
- T1090.002
- T1102
- T1102.001
- T1102.002
- T1568
- T1568.002
- T1567
- T1567.001
- T1567.002
- T1567.003
Created: 2026-07-02