MITRE ATT&CK tactic: Command and Control (TA0011)
MITRE ATT&CK tactic: Exfiltration (TA0010)
/*
 * DNS to Commonly Abused Web Services (Linux).
 *
 * Alerts on a network/DNS event from a Linux host where the queried name matches
 * a service that is frequently abused for C2, data staging/exfiltration, tunnelling,
 * URL shortening or crypto mining, unless the resolving process is one of the
 * allow-listed executables below.
 *
 * Review notes:
 *  - `process.name != null` drops DNS events that carry no process attribution;
 *    lookups the sensor cannot attribute to a process never reach the pattern test.
 *  - `like~` is the case-insensitive wildcard match; `*` matches zero or more
 *    characters and `?` exactly one.
 *  - Many patterns start with `*` but no dot (e.g. "*slack.com", "*bit.ly", "*temp.sh"),
 *    so they match any hostname that merely ends with that suffix, including unrelated
 *    domains. Expect some noise from these; narrow to "*.<domain>" plus the bare domain
 *    if that becomes a problem.
 *  - A few entries are subsumed by broader ones in the same list ("*icp0.io" already
 *    covers "icp0.io" and "*.icp0.io"; "*.nicehash.com" covers "stratum*.nicehash.com").
 *    Harmless, but they add nothing.
 */
network where host.os.type == "linux" and dns.question.name != null and process.name != null and dns.question.name like~ (
  /* Google services */
  "drive.google.com", "docs.google.com", "script.google.com", "script.googleusercontent.com", "*googleapis.com", "calendar.app.google*",
  /* Dropbox */
  "api.dropboxapi.com", "content.dropboxapi.com", "*dl.dropboxusercontent.com",
  /* Microsoft / OneDrive / SharePoint */
  "api.onedrive.com", "*.onedrive.org", "onedrive.live.com", "*files.1drv.com", "graph.microsoft.com", "*.sharepoint.com", "login.live.com", "g.live.com",
  /* Slack */
  "*slack.com", "slack-redir.net", "slack-files.com",
  /* Discord */
  "discord.com", "cdn.discordapp.com", "discordapp.com",
  /* Telegram */
  "api.telegram.org", "t.me",
  /* Azure / Cloud storage */
  "apis.azureedge.net", "*.blob.core.windows.net", "*.blob.storage.azure.net", "*azurewebsites.net",
  /* GitHub / Dev hosting */
  "api.github.com", "raw.githubusercontent.*", "gist.githubusercontent.com", "rawcdn.githack.*", "*.notabug.org",
  /* Developer tunnels / reverse proxies — these expose local services to the
     internet and are a common way to bring C2 in through egress filtering */
  "*.devtunnels.ms", "*global.rel.tunnels.api.visualstudio.com", "*.ngrok.io", "*.ngrok-free.app", "*.portmap.*", "serveo.net", "*localtunnel.me", "*pagekite.me", "*.trycloudflare.com",
  /* AWS */
  "*s3.amazonaws.com",
  /* Paste services */
  "pastebin.*", "paste4btc.com", "paste.ee", "ghostbin.com", "paste.nrecom.net", "zerobin.net", "controlc.com", "pastecode.dev", "paste.rs", "hastebin.com", "dpaste.org", "dpaste.com", "0bin.net", "paste.ofcode.org", "paste.wakas.org", "nopaste.net",
  /* File sharing / exfiltration */
  "filebin.net", "file.io", "transfer.sh", "*.gofile.io", "workupload.com", "*upload.ee", "*anonfiles.com", "api.anonfile.com", "*bayfiles.com", "*bublup.com", "*dropfiles.org", "*dropmefiles.com", "*easyupload.io", "*filetransfer.io", "*sendspace.com", "*share.riseup.net", "*temp.sh", "*tempsend.com", "*ufile.io", "*send.now", "*send.cm", "*sendit.sh", "*pixeldrain.com", "*megaupload.com", "*mediafire.com",
  "*bashupload.com", "*bujang.online", "mediafire.zip", "*.4shared.com", "filecloud.me", "*.pcloud.com", "*catbox.moe",
  /* CDN / hosting / generic file infra */
  "*cdnmegafiles.com", "www.uplooder.net", "?.top4top.io", "top4top.io", "*.b-cdn.net", "cdn*.space", "i.ibb.co", "i.imgur.com",
  /* Webhooks / testing / bins — often used as dead-drop or beacon endpoints */
  "webhook.site", "run.mocky.io", "mockbin.org", "requestbin.net",
  /* Public hosting / misc infra */
  "*.publicvm.com", "*.blogspot.com", "*infinityfreeapp.com", "free.keep.sh", "*.aternos.me", "*hosting-profi.de",
  /* IP / network utilities — external-IP / geolocation checks are a common
     post-compromise discovery step; legitimate admin scripts also use them */
  "api.mylnikov.org", "ipbase.com", "*.getmyip.com", "myexternalip.com", "*.geojs.io", "*api.2ip.ua", "*api.db-ip.com", "*api.ip.sb", "*api.ipify.org", "*api.myip.com", "*api.npoint.io", "*api64.ipify.org", "*bot.whatismyipaddress.com", "*checkip.amazonaws.com", "*checkip.dyndns.org", "*curlmyip.com", "*eth0.me", "*freegeoip.app", "*freegeoip.net", "*freeipapi.com", "*geoiptool.com", "*geolocation-db.com", "*httpbin.org", "*icanhazip.com", "*ident.me", "*ifcfg.me", "*ifconfig.me", "*inet-ip.info", "*ip-api.com", "*ip.appspot.com", "*ip.tyk.nu", "*ip4.seeip.org", "*ipecho.net", "*ipinfo.io", "*iplogger.*", "*ipof.in", "*ipwho.is", "*ipwhois.app", "*ipv4.icanhazip.com", "*ipv6.icanhazip.com", "*myip.dnsomatic.com", "*myip.ipip.net", "*myip.opendns.com", "*portmap.io", "*wgetip.com", "*whatismyip.akamai.com", "*wtfismyip.com",
  /* Social / platforms */
  "mbasic.facebook.com", "*.zulipchat.com", "stackoverflow.com",
  /* Package hosting */
  "files.pythonhosted.org",
  /* Databases / backend platforms — note "*.elastic-cloud.com" / "*.cloud.es.io"
     will be resolved by hosts shipping to Elastic Cloud; only the otel-collector
     component is allow-listed below, so confirm which agent components resolve
     these in your deployment before relying on the exclusions */
  "*.supabase.co", "*.elastic-cloud.com", "*.cloud.es.io",
  /* Misc / suspicious */
  "*up.freeo*.space", "*icp0.io", "updates.peer2profit.com", "meacz.gq", "rwrd.org", "lobfile.com", "ftpupload.net", "the.earth.li",
  /* URL shorteners */
  "*shorturl.at", "*tinyurl.com", "*bit.ly", "*cutt.ly", "*is.gd", "*rebrand.ly", "*rebrandly.com", "*adf.ly", "*rb.gy", "tiny.one", "t.ly", "urlz.fr", "rentry.co",
  /* Crypto mining pools */
  "*.nicehash.com", "stratum*.nicehash.com", "*.2miners.com", "*.moneroocean.stream", "*.supportxmr.com", "*.nanopool.org", "*.f2pool.com", "*.poolbinance.com", "*.antpool.com", "*.viabtc.com", "*.braiins.com", "*.slushpool.com",
  /* Decentralized */
  "ipfs.io", "*.ipfs.io", "dweb.link", "*.dweb.link", "*.ipfs.dweb.link", "*.ipns.dweb.link", "gateway.pinata.cloud", "*.mypinata.cloud", "web3.storage", "*.web3.storage", "nftstorage.link", "*.nftstorage.link", "arweave.net", "*.arweave.net", "ar.io", "*.ar.io", "ic0.app", "*.ic0.app", "icp0.io", "*.icp0.io", "*.storjshare.io"
)
/*
 * Process allow-list. `like` (no tilde) is case-sensitive and matches on the
 * executable path only, so anything running from these paths is exempt regardless
 * of what it resolves. Points a deployer should weigh before accepting as-is:
 *  - "/usr/local/bin/rclone": rclone is a cloud-storage sync client and a well-known
 *    exfiltration tool; excluding it removes exactly the activity this rule is
 *    meant to catch for hosts where it is installed. Presumably added to silence
 *    backup jobs — consider scoping it to known backup hosts instead.
 *  - "/var/lib/docker/overlay2/*/merged/usr/local/bin/node": matches node inside
 *    any container on the host, not one specific image.
 *  - "/usr/bin/dockerd" and "/usr/lib/systemd/systemd-resolved": if container
 *    lookups or local stub-resolver lookups are attributed to these daemons rather
 *    than the originating process, those lookups are silently exempt — TODO confirm
 *    how your sensor attributes forwarded DNS before trusting this.
 *  - Browser and agent exclusions are path-based; a process launched from one of
 *    these paths (or using a matching overlay/snap path) is not inspected.
 */
and not process.executable like (
  "/opt/google-cloud-ops-agent/subagents/fluent-bit/bin/fluent-bit",
  "/usr/lib/systemd/systemd-resolved",
  "/opt/Elastic/Agent/data/elastic-agent-*/components/elastic-otel-collector",
  "/usr/bin/dockerd",
  "/usr/bin/google_osconfig_agent",
  "/snap/firefox/*/usr/lib/firefox/firefox",
  "/usr/bin/warp-svc",
  "/var/lib/docker/overlay2/*/merged/usr/local/bin/node",
  "/snap/chromium/*/usr/lib/chromium-browser/chrome",
  "/opt/google-cloud-ops-agent/subagents/opentelemetry-collector/otelopscol",
  "/usr/local/bin/rclone",
  "/var/lib/elastic-agent/data/elastic-agent-*/components/elastic-otel-collector",
  "/opt/google/chrome/chrome",
  "/usr/bin/pihole-FTL"
)
Install detection rules in Elastic Security
Detect DNS to Commonly Abused Web Services — DNS lookups from Linux hosts to services commonly abused for command-and-control, data exfiltration, tunnelling, URL shortening and crypto mining — in the Elastic Security detection engine by installing this rule into your Elastic Stack. Review the rule's process exclusions (notably rclone and the container node path) against your environment before enabling it.
To set up this rule, follow the installation guide for Prebuilt Security Detection Rules.