Rules: HTTP Request to Domain in Non-Standard TLD
HTTP request to a domain that is not under an ICANN-standard TLD. These TLDs are provided by alternate DNS root servers such as OpenNIC. Their use on corporate networks is fundamentally suspicious and potentially a sign of abuse by threat actors.
Detail | Value |
---|---|
Type | Match |
Category | Command and Control |
Apply Risk to Entities | srcDevice_ip |
Signal Name | HTTP Request to Domain in Non-Standard TLD |
Summary Expression | HTTP request from IP: {{srcDevice_ip}} to URL: {{http_url}} |
Score/Severity | Static: 6 |
Enabled by Default | True |
Prototype | False |
Tags | _mitreAttackTactic:TA0011, _mitreAttackTechnique:T1071, _mitreAttackTechnique:T1071.001 |
- Amazon AWS - Application Load Balancer
- Amazon AWS - CloudFront
- Amazon AWS - Elastic Load Balancer
- Bro - Bro
- CheckPoint - URL Filtering
- Cisco Systems - Firepower
- Cisco Systems - Meraki
- Fortinet - Fortigate
- Microsoft - IIS
- Palo Alto Networks - Next Generation Firewall
- Squid - Squid Proxy
- Zscaler - Nanolog Streaming Service
Origin | Field |
---|---|
Normalized Schema | http_url_tld |
Normalized Schema | listMatches |
Normalized Schema | srcDevice_ip |
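An added illustration of the match logic this rule applies (not Sumo Logic's own implementation): it derives `http_url_tld` from `http_url`, compares it against an ICANN TLD set, and emits a signal keyed on `srcDevice_ip`. The TLD set and the log records are constructed for the example; a real deployment would load the full IANA root zone list, otherwise any legitimate TLD missing from the set is a false positive.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed subset of ICANN (IANA root) TLDs; replace with the full IANA list in practice.
ICANN_TLDS = {"com", "net", "org", "io", "co", "uk", "de", "info", "gov", "edu"}

def extract_tld(http_url: str):
    """Return the lowercase TLD of the URL's host, or None when there is no TLD to judge
    (IP literal, single-label intranet name, or a host that cannot be parsed)."""
    if "://" not in http_url:
        http_url = "http://" + http_url          # proxy logs often log the URL without a scheme
    host = urlsplit(http_url).hostname           # strips scheme, port, userinfo and path
    if not host:
        return None
    host = host.rstrip(".")                      # tolerate a fully-qualified trailing dot
    try:
        ipaddress.ip_address(host)
        return None                              # IP literals have no TLD
    except ValueError:
        pass
    if "." not in host:
        return None                              # single-label name (e.g. intranet host): no TLD
    return host.rsplit(".", 1)[1].lower()

def match_non_standard_tld(records, icann_tlds=ICANN_TLDS):
    """Mirror of the rule: signal when http_url_tld is present and not an ICANN TLD."""
    signals = []
    for rec in records:
        tld = extract_tld(rec["http_url"])
        if tld is not None and tld not in icann_tlds:
            signals.append({"srcDevice_ip": rec["srcDevice_ip"],
                            "http_url": rec["http_url"],
                            "http_url_tld": tld})
    return signals

# Constructed sample records using the normalized-schema field names the rule reads.
# .geek and .pirate are OpenNIC TLDs; the other hosts exercise the no-TLD edge cases.
SAMPLE_RECORDS = [
    {"srcDevice_ip": "10.1.2.3", "http_url": "https://www.example.com/index.html"},
    {"srcDevice_ip": "10.1.2.4", "http_url": "http://updates.example.geek/check"},
    {"srcDevice_ip": "10.1.2.5", "http_url": "http://192.0.2.10:8080/"},
    {"srcDevice_ip": "10.1.2.6", "http_url": "http://fileshare/docs"},
    {"srcDevice_ip": "10.1.2.7", "http_url": "dl.example.pirate./"},
]

if __name__ == "__main__":
    for s in match_non_standard_tld(SAMPLE_RECORDS):
        print(f"HTTP request from IP: {s['srcDevice_ip']} to URL: {s['http_url']} (tld={s['http_url_tld']})")
```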