mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-06 09:25:17 +00:00
924e1feb54
* Added UUIDs to all contributed rules * Moved unsupported logic directory out of rules/ because this breaks CI testing.
43 lines
1.5 KiB
YAML
43 lines
1.5 KiB
YAML
title: High DNS subdomain requests rate per domain
|
|
id: 8198e9a8-e38f-4ba5-8f16-882b1c0f880e
|
|
description: High rate of unique Fully Qualified Domain Names (FQDN) requests per root domain (eTLD+1) in short period of time
|
|
author: Daniil Yugoslavskiy, oscd.community
|
|
date: 2019/10/21
|
|
modified: 2019/11/04
|
|
tags:
|
|
- attack.exfiltration
|
|
- attack.t1048
|
|
logsource:
|
|
category: dns
|
|
detection:
|
|
dns_question_name:
|
|
query: "*"
|
|
default_list_of_well_known_domains:
|
|
query_etld_plus_one:
|
|
- "akadns.net"
|
|
- "akamaiedge.net"
|
|
- "amazonaws.com"
|
|
- "apple.com"
|
|
- "apple-dns.net"
|
|
- "cloudfront.net"
|
|
- "icloud.com"
|
|
- "in-addr.arpa"
|
|
- "google.com"
|
|
- "yahoo.com"
|
|
- "dropbox.com"
|
|
- "windowsupdate.com"
|
|
- "microsoftonline.com"
|
|
- "s-microsoft.com"
|
|
- "office365.com"
|
|
- "linkedin.com"
|
|
timeframe: 15m
|
|
condition: count(subdomain) per query_etld_plus_one per computer_name > 200 and not default_list_of_well_known_domains
|
|
# for each host in timeframe
|
|
# for each dns_question_etld_plus_one
|
|
# if number of dns_question_name > 200
|
|
# dns_question_etld_plus_one is not in default_list_of_well_known_domains
|
|
falsepositives:
|
|
- Legitimate domain name requested, which should be added to whitelist
|
|
level: high
|
|
status: experimental
|