Dns Requests To Suspicious Tlds
Query
let SuspiciousTLD = externaldata(TLD: string)[@"https://raw.githubusercontent.com/cyb3rmik3/Hunting-Lists/main/netcraft-tlds.csv"] with (format="csv", ignoreFirstRecord=True);
DeviceNetworkEvents
| where ActionType == "DnsConnectionInspected"
| extend AdditionalFields = todynamic(AdditionalFields)
| extend DnsQuery = tostring(AdditionalFields.query), ResponseCode = tostring(AdditionalFields.rcode_name), Direction = tostring(AdditionalFields.direction)
| extend TLDArray = split(DnsQuery,'.')
| extend TLD = strcat(".",TLDArray[array_length(TLDArray)-1])
| where Direction == "Out"
| project DeviceName, DnsQuery, ResponseCode, TLDArray, TLD
| join SuspiciousTLD on $left.TLD == $right.TLDAbout this query
DNS requests to suspicious TLDs
Description
Zeek network layer signals for MDE includes the DnsConnectionInspected table which provides fruitful information about DNS connections. By taking into account netcraft's top 20 TLDs that are being used for cybercrime, you can hunt for suspicious DNS requests.
References
- https://trends.netcraft.com/cybercrime/tlds
- https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/enrich-your-advanced-hunting-experience-using-network-layer/ba-p/3794693
Microsoft 365 Defender & Microsoft Sentinel
MITRE ATT&CK Mapping
- Tactic: Command and Control
- Technique ID: T1071.004
- Application Layer Protocol: DNS
Versioning
| Version | Date | Comments |
|---|---|---|
| 1.0 | 02/09/2023 | Initial publish |
Explanation
The query is looking for suspicious DNS requests by analyzing the DnsConnectionInspected table in Zeek network layer signals. It uses a list of top 20 TLDs known for cybercrime from netcraft.com to identify these suspicious requests. The query filters for DNS connections that are outgoing and then joins the results with the list of suspicious TLDs.
Details

Michalis Michalos
Released: September 2, 2023
Tables
DeviceNetworkEvents
Keywords
DNSTLDDnsConnectionInspectednetcraftMDEMicrosoft 365 DefenderMicrosoft SentinelDeviceNetworkEventsActionTypeAdditionalFieldsDnsQueryResponseCodeDirectionTLDArrayDeviceNameSuspiciousTLD
Operators
externaldatawithformatignoreFirstRecordletDeviceNetworkEventswhereextendtostringsplitstrcatprojectjoin