Hunting Zloader DNS Tunneling
Query
// Hunting Zloader DNS Tunneling
// https://www.zscaler.com/blogs/security-research/inside-zloader-s-latest-trick-dns-tunneling
DeviceNetworkEvents
| where TimeGenerated > ago(90d)
| where ActionType == "DnsConnectionInspected"
| where AdditionalFields.query contains "bigdealcenter.world" or AdditionalFields.query contains "unitedcommunity.world" or AdditionalFields.query contains "ns1.brownswer.com"Explanation
This query is designed to detect potential DNS tunneling activity associated with the Zloader malware. It searches through network event logs from the past 90 days, specifically looking for DNS connection events. The query filters these events to identify DNS queries that contain any of the following suspicious domain names: "bigdealcenter.world," "unitedcommunity.world," or "ns1.brownswer.com." These domains are known to be associated with Zloader's DNS tunneling techniques.
Details

Steven Lim
Released: December 11, 2024
Tables
DeviceNetworkEvents
Keywords
DeviceNetworkEventsTimeGeneratedActionTypeAdditionalFieldsQuery
Operators
agocontainsorwhere>==