```yaml
title: Suspicious DNS Request from High-Risk Process
id: edr-win-c2-susp-dns-tld
status: stable
description: >
  Detects DNS requests from high-risk processes (cmd.exe, powershell.exe, mshta.exe,
  rundll32.exe, etc.) to suspicious top-level domains commonly abused for C2
  (.top, .icu, .xyz, .shop, .live, .pw, .info) or known-bad tunneling/paste services
  (trycloudflare, bashupload, paste, station307). Catches the delivery and callback
  phases of ClickFix, SocGholish, and similar loader campaigns.
references:
  - https://attack.mitre.org/techniques/T1071/001/
author: ShroudCloud
date: 2026/04/16
tags:
  - attack.command_and_control
  - attack.t1071
logsource:
  category: dns
  product: windows
detection:
  selection_process:
    Image|endswith:
      - '\cmd.exe'
      - '\wscript.exe'
      - '\cscript.exe'
      - '\rundll32.exe'
      - '\regsvr32.exe'
      - '\mshta.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\powershell_ise.exe'
      - '\msiexec.exe'
  selection_dns_tld:
    QueryName|endswith:
      - '.ar'
      - '.b2'
      - '.boats'
      - '.buzz'
      - '.cc'
      - '.cf'
      - '.cfd'
      - '.click'
      - '.club'
      - '.digital'
      - '.ga'
      - '.gq'
      - '.hair'
      - '.icu'
      - '.info'
      - '.life'
      - '.live'
      - '.lol'
      - '.makeup'
      - '.ml'
      - '.monster'
      - '.motorcycles'
      - '.online'
      - '.pics'
      - '.pw'
      - '.ru'
      - '.run'
      - '.sbs'
      - '.shop'
      - '.site'
      - '.skin'
      - '.tn'
      - '.tk'
      - '.today'
      - '.tmp'
      - '.top'
      - '.vip'
      - '.win'
      - '.xyz'
  selection_dns_domain:
    QueryName|contains:
      - 'bashupload'
      - 'paste'
      - 'station307'
      - 'steam'
      - 'trycloudflare'
  condition: selection_process and (selection_dns_tld or selection_dns_domain)
falsepositives:
  - Legitimate scripts or tools resolving benign domains on abused TLDs
  - Third-party integrations using suspicious TLDs
level: high
```
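To show how the condition above behaves on concrete telemetry before it is deployed, here is a small Python evaluator run over a few constructed DNS events. This is an added example, not code from the rule's author or from any Sigma backend; it assumes Sysmon-style field names (`Image`, `QueryName`) in a plain dict, applies Sigma's default case-insensitive matching by hand, and strips a trailing root dot that some DNS log sources append (otherwise `endswith: '.top'` silently misses `example.top.`). The last sample event also shows the `steam` substring firing on an ordinary gaming-platform lookup, the kind of false positive the rule's `falsepositives` section warns about.

```python
from typing import Dict, List, Optional, Tuple

# Values copied verbatim from the rule above.
HIGH_RISK_PROCESSES = (
    r"\cmd.exe", r"\wscript.exe", r"\cscript.exe", r"\rundll32.exe",
    r"\regsvr32.exe", r"\mshta.exe", r"\powershell.exe", r"\pwsh.exe",
    r"\powershell_ise.exe", r"\msiexec.exe",
)
SUSPICIOUS_TLDS = (
    ".ar", ".b2", ".boats", ".buzz", ".cc", ".cf", ".cfd", ".click", ".club",
    ".digital", ".ga", ".gq", ".hair", ".icu", ".info", ".life", ".live",
    ".lol", ".makeup", ".ml", ".monster", ".motorcycles", ".online", ".pics",
    ".pw", ".ru", ".run", ".sbs", ".shop", ".site", ".skin", ".tn", ".tk",
    ".today", ".tmp", ".top", ".vip", ".win", ".xyz",
)
SUSPICIOUS_SUBSTRINGS = ("bashupload", "paste", "station307", "steam", "trycloudflare")


def normalize_query(name: str) -> str:
    """Lower-case (Sigma matching is case-insensitive by default) and drop a
    trailing root dot so an 'endswith' test on the TLD still works for log
    sources that emit fully-qualified names like 'example.top.'."""
    return name.strip().lower().rstrip(".")


def evaluate(event: Dict[str, str]) -> Optional[str]:
    """Return the name of the selection that fired, or None.

    Mirrors the rule's condition:
        selection_process and (selection_dns_tld or selection_dns_domain)
    Assumes Sysmon-style fields 'Image' and 'QueryName' (an assumption of this
    example, not something the rule dictates).
    """
    image = event.get("Image", "").lower()
    if not image.endswith(HIGH_RISK_PROCESSES):
        return None  # selection_process did not match, nothing else matters
    query = normalize_query(event.get("QueryName", ""))
    if query.endswith(SUSPICIOUS_TLDS):
        return "selection_dns_tld"
    if any(token in query for token in SUSPICIOUS_SUBSTRINGS):
        return "selection_dns_domain"
    return None


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Run the rule over a batch and return (QueryName, selection) for each hit."""
    hits = []
    for event in events:
        selection = evaluate(event)
        if selection:
            hits.append((event["QueryName"], selection))
    return hits


# Constructed sample events; none of these are real observations.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "QueryName": "cdn-update.example.top"},                     # TLD hit
    {"Image": r"C:\Windows\System32\mshta.exe",
     "QueryName": "quiet-river-1234.trycloudflare.com"},         # substring hit
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "QueryName": "Files.EXAMPLE.ICU."},                         # case + trailing dot
    {"Image": r"C:\Program Files\Browser\browser.exe",
     "QueryName": "tracker.example.xyz"},                        # not a high-risk process
    {"Image": r"C:\Windows\System32\cmd.exe",
     "QueryName": "store.steampowered.com"},                     # 'steam' false positive
    {"Image": r"C:\Windows\System32\cmd.exe",
     "QueryName": "www.microsoft.com"},                          # benign, no hit
]

if __name__ == "__main__":
    for query, selection in triage(SAMPLE_EVENTS):
        print(f"ALERT {selection:22s} {query}")
```

Running the block prints four alerts out of six events; the `steampowered` hit is the one to weigh when deciding whether `steam` earns its place in `selection_dns_domain` for a given environment, and the `.icu.` case shows why query-name normalisation belongs in the pipeline ahead of the rule rather than being left to each rule author.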