Hacked domains may indicate an adversary using compromised web assets to exfiltrate data or to pivot within the network. SOC teams should proactively hunt for connections to these domains in Azure Sentinel so that potential lateral movement or data theft is identified early.
YARA Rule
rule hacked_domains {
    strings:
        $ = "infopromo.biz"
        $ = "jquery-code.su"
        $ = "jquery-css.su"
        $ = "megalith-games.com"
        $ = "cdn-cloud.pw"
        $ = "animalzz921.pw"
        $ = "statsdot.eu"
    condition:
        any of them
}
When deploying this YARA rule, the following legitimate scenarios can generate noise; the suggested filters and exclusions reduce false positives in each context:
Scenario: Legitimate domain registration renewal via API
Description: A system administrator uses a tool like Domain.com API or GoDaddy API to renew a domain name programmatically.
Filter/Exclusion: Exclude traffic from known domain management tools or IP ranges associated with domain registrars.
Scenario: Scheduled backup job exporting to a cloud storage bucket
Description: A backup tool like Veeam or Commvault exports data to a cloud storage bucket (e.g., AWS S3 or Azure Blob Storage) using a scheduled job.
Filter/Exclusion: Exclude traffic to known cloud storage endpoints or filter by known backup tool signatures.
Scenario: Internal DNS zone transfer for DNSSEC validation
Description: An internal DNS server performs a zone transfer with another internal DNS server as part of DNSSEC validation.
Filter/Exclusion: Exclude traffic between internal DNS servers or filter by internal IP ranges and DNS protocols.
Scenario: Admin task to update DNS records via CLI
Description: A system administrator uses CLI tools such as nsupdate or dig to manually update and verify DNS records.
Filter/Exclusion: Exclude traffic from known admin CLI tools or filter by user accounts with elevated privileges.
Scenario: CI/CD pipeline deploying to a staging environment
Description: A CI/CD tool like Jenkins or GitHub Actions deploys code to a staging environment, which may involve DNS updates or domain usage.
Filter/Exclusion: Exclude traffic from known CI/CD platforms or filter by specific deployment environments (e.g., staging, dev).
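The hunt logic below is an added example, not code from the original page: it applies the indicator domains from the YARA rule above to DNS log lines and then applies exclusions of the kind the scenarios describe (internal DNS server ranges, known tool process names). The JSON log format, the field names and the allowlisted ranges and process names are constructed assumptions. It also shows a check a practitioner would want: YARA matches raw substrings, so "statsdot.eu" would also fire on "notstatsdot.eu"; the hunt matches on domain-label boundaries instead, while still catching subdomains of the indicators.

```python
"""Hunt for the hacked-domain indicators in DNS log lines, with exclusions.

Added example, not part of the original page. The log format, field names,
allowlisted networks and process names below are constructed assumptions.
"""
import ipaddress
import json

# Indicator domains copied from the YARA rule on the page.
HACKED_DOMAINS = {
    "infopromo.biz", "jquery-code.su", "jquery-css.su", "megalith-games.com",
    "cdn-cloud.pw", "animalzz921.pw", "statsdot.eu",
}

# Exclusions modelled on the page's scenarios (all values assumed):
# internal DNS servers that exchange zone data, and CI/CD runner hosts.
EXCLUDED_SRC_NETS = [
    ipaddress.ip_network("10.0.53.0/24"),   # internal DNS servers (assumed)
    ipaddress.ip_network("10.0.200.0/24"),  # CI/CD runners (assumed)
]
# Process names of known backup/admin tooling (assumed names).
EXCLUDED_PROCESSES = {"veeam.backup.service.exe", "nsupdate"}


def substring_matches(hostname):
    """What the YARA rule does: a raw substring match on the hostname."""
    host = hostname.lower()
    return any(ioc in host for ioc in HACKED_DOMAINS)


def domain_matches(hostname):
    """Return the indicator that hostname equals or is a subdomain of, else None.
    Matching on label boundaries means 'notstatsdot.eu' does not match,
    while 'a.statsdot.eu' and 'STATSDOT.EU.' (trailing dot) do."""
    host = hostname.lower().rstrip(".")
    for ioc in HACKED_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def is_excluded(event):
    """Apply the scenario exclusions: source in an allowlisted range, or a
    known tool process. Exclusions are applied after matching so that the
    raw match count can still be reviewed if tuning needs to be revisited."""
    src = ipaddress.ip_address(event["src_ip"])
    if any(src in net for net in EXCLUDED_SRC_NETS):
        return True
    return event.get("process", "").lower() in EXCLUDED_PROCESSES


def hunt(lines):
    """Parse one JSON event per line; return (src_ip, query, indicator) hits
    that survive the exclusions. Malformed lines are skipped, not fatal."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        ioc = domain_matches(event.get("query", ""))
        if ioc and not is_excluded(event):
            hits.append((event["src_ip"], event["query"], ioc))
    return hits


# Constructed sample DNS events (not real telemetry).
SAMPLE_LOG = """
{"src_ip": "10.0.1.15", "query": "cdn-cloud.pw", "process": "chrome.exe"}
{"src_ip": "10.0.1.16", "query": "static.jquery-code.su", "process": "iexplore.exe"}
{"src_ip": "10.0.1.17", "query": "notstatsdot.eu", "process": "chrome.exe"}
{"src_ip": "10.0.53.10", "query": "infopromo.biz", "process": "named"}
{"src_ip": "10.0.1.18", "query": "s3.amazonaws.com", "process": "veeam.backup.service.exe"}
{"src_ip": "10.0.1.19", "query": "www.example.com", "process": "chrome.exe"}
this line is not JSON and is skipped
"""

if __name__ == "__main__":
    for src, query, ioc in hunt(SAMPLE_LOG.splitlines()):
        print(f"HIT src={src} query={query} indicator={ioc}")
```

On the constructed sample the hunt reports two hits (the direct `cdn-cloud.pw` lookup and the `static.jquery-code.su` subdomain); the `notstatsdot.eu` line is the case where the YARA substring match would fire but the label-boundary match does not, and the `infopromo.biz` lookup from the internal DNS range is suppressed by the zone-transfer exclusion. Whether that last suppression is acceptable depends on whether internal resolvers forward client queries, which is why exclusions are kept separate from matching.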