/
DNS detections
Document toolboxDocument toolbox

DNS detections

Owned by Former user (Deleted)
Last updated: Sept 07, 2023
2 min read

 

Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks.

Source table → domains.all

Detect a domain with a TLD, not in Mozilla TLD List.

Source table → domains.all

Unusual User Agent length detected. It can be associated with some type of attack or vulnerability.

Source table → domains.all

The REvil Ransomware has hit 40 service providers globally due to multiple Kaseya VSA Zero-days. the attack was pushed out via a infected IT Management update from Kaseya.

Source table → domains.all

Too long subdomains could be part of Application Layer Protocols.

Source table → network.dns

Monitor TXT and ANY responses to detect infiltrations or possible reflection attacks.

Source table → network.dns

Possible DNS exfiltration detected.

Source table → network.dns

Detects if a tripe A DNS response contains or not an IP announced. In case the response contains a non-announced IPv6, we can think there is a kind of cover-channel communication attempt.

Source table → network.dns

Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE.

Source table → network.dns

Alert that checks attempts of exploiting CVE-2021-44228 known as Log4shell. The query looks for payload patterns associated with this vulnerability on the log raw message. This would include payloads included in the url, user-agent header, referer header or POST and PUT HTTP bodies. [WARNING] This alert detects attack patterns and can generate a high volume of events due to the number of scanners currently testing systems on the Internet. It is therefore likely to need some kind of tunning.

Source table → domains.all

Alert that checks attempts of exploiting CVE-2021-44228 known as Log4shell. The query looks for payload patterns associated with this vulnerability in the log raw message. This would include payloads included in the URL, user-agent header, referrer header, or POST and PUT HTTP bodies. [WARNING] This alert detects attack patterns and can generate a high volume of events due to the number of scanners currently testing systems on the Internet. It is therefore likely to need some kind of tunning.

Source table → domains.all

Related content