EXPLORE DETECTIONS
DMP/HDMP File Creation
Detects the creation of a file with the ".dmp"/".hdmp" extension. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash.
DMSA Link Attributes Modified
Detects modification of dMSA link attributes (msDS-ManagedAccountPrecededByLink) via PowerShell scripts. This command line pattern could be an indicator an attempt to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025.
DMSA Service Account Created in Specific OUs - PowerShell
Detects the creation of a dMSA service account using the New-ADServiceAccount cmdlet in certain OUs. The fact that the cmdlet is used to create a dMSASvc account in a specific OU is highly suspicious. It is a pattern trying to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025. On top of that, if the user that is creating the dMSASvc account is not a legitimate administrator or does not have the necessary permissions, it is a strong signal of an attempted or successful abuse of the BaDSuccessor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.
DNS Events Related To Mining Pools
Identifies clients that may be performing DNS lookups associated with common currency mining pools.
DNS Exfiltration and Tunneling Tools Execution
Well-known DNS Exfiltration tools execution
DNS HybridConnectionManager Service Bus
Detects Azure Hybrid Connection Manager services querying the Azure service bus service
DNS Query by Finger Utility
Detects DNS queries made by the finger utility, which can be abused by threat actors to retrieve remote commands for execution on Windows devices. In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server. Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion. Investigating such DNS queries can also help identify potential malicious infrastructure used by threat actors for command and control (C2) communication.
DNS Query for Anonfiles.com Domain - DNS Client
Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes
DNS Query for Anonfiles.com Domain - Sysmon
Detects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes
DNS Query Request By QuickAssist.EXE
Detects DNS queries initiated by "QuickAssist.exe" to Microsoft Quick Assist primary endpoint that is used to establish a session.
DNS Query Request By Regsvr32.EXE
Detects DNS queries initiated by "Regsvr32.exe"
DNS Query Request To OneLaunch Update Service
Detects DNS query requests to "update.onelaunch.com". This domain is associated with the OneLaunch adware application. When the OneLaunch application is installed it will attempt to get updates from this domain.
DNS Query To AzureWebsites.NET By Non-Browser Process
Detects a DNS query by a non browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.
DNS Query To Common Malware Hosting and Shortener Services
Detects DNS queries to domains commonly used by threat actors to host malware payloads or redirect through URL shorteners. These include platforms like Cloudflare Workers, TryCloudflare, InfinityFree, and URL shorteners such as tinyurl and lihi.cc. Such DNS activity can indicate potential delivery or command-and-control communication attempts.
DNS Query To Devtunnels Domain
Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
DNS Query to External Service Interaction Domains
Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE
DNS Query To MEGA Hosting Website
Detects DNS queries for subdomains related to MEGA sharing website
DNS Query To MEGA Hosting Website - DNS Client
Detects DNS queries for subdomains related to MEGA sharing website
DNS Query To Put.io - DNS Client
Detects DNS queries for subdomains related to "Put.io" sharing website.
DNS Query To Remote Access Software Domain From Non-Browser App
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
DNS Query To Ufile.io
Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration
DNS Query To Ufile.io - DNS Client
Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration
DNS Query To Visual Studio Code Tunnels Domain
Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
DNS Query Tor .Onion Address - Sysmon
Detects DNS queries to an ".onion" address related to Tor routing networks