shockley.net

Detecting OOB interactions in Sentinel

Florian Roth posted a SigmaHQ rule on Twitter for detecting DNS lookups of public out-of-band (OOB) interaction services such as interactsh, inspired by Matt Kelly. I adapted it for Sentinel as a KQL query over the DnsEvents table and figured I'd share.

// Domain suffixes of public OOB interaction services; the leading dot keeps
// the match on a label boundary rather than anywhere inside a hostname.
let Domains = dynamic([
    ".interact.sh",
    ".oast.pro",
    ".oast.live",
    ".oast.site",
    ".oast.online",
    ".oast.fun",
    ".oast.me",
    ".burpcollaborator.net",
    ".oastify.com",
    ".canarytokens.com",
    ".requestbin.net",
    ".dnslog.cn"
]);
DnsEvents
| where Name has_any (Domains)
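
To sanity-check the matching logic before wiring the query into an analytics rule, here is an added Python example (my own, not part of the original post or of the Sigma rule) that applies the same domain list to a handful of constructed DnsEvents-style records. It uses an explicit suffix match instead of KQL's term-based `has_any`, so the behaviour on lookalike names (a hostname that merely contains "oast", for instance) is spelled out rather than left to KQL tokenization. The `DnsEvent` class, the hostnames and the client IPs are invented for the example.

```python
# Added example, not from the original post: the suffix match behind the
# Sentinel query, applied to constructed DnsEvents-style records so the logic
# can be exercised offline.
from dataclasses import dataclass

# Same list as the Sentinel query. The leading "." is deliberate: it anchors the
# match to a label boundary, so "my-oast.me" is not a hit but "abc.oast.me" is.
OOB_DOMAINS = [
    ".interact.sh", ".oast.pro", ".oast.live", ".oast.site", ".oast.online",
    ".oast.fun", ".oast.me", ".burpcollaborator.net", ".oastify.com",
    ".canarytokens.com", ".requestbin.net", ".dnslog.cn",
]


@dataclass(frozen=True)
class DnsEvent:
    """Minimal stand-in (assumed shape) for a DnsEvents row: time, client, queried name."""
    time_generated: str
    client_ip: str
    name: str  # queried FQDN, as the DnsEvents.Name column holds it


def normalize(name: str) -> str:
    """Lower-case and strip a trailing root dot so 'ABC.oast.me.' compares equal."""
    return name.strip().lower().rstrip(".")


def matched_suffix(name: str, domains=OOB_DOMAINS):
    """Return the OOB service suffix the name falls under, or None.

    The bare apex (e.g. 'interact.sh') counts too, since a callback payload may
    resolve the apex itself rather than a generated subdomain.
    """
    n = normalize(name)
    for suffix in domains:
        s = suffix.lower()
        if n.endswith(s) or n == s.lstrip("."):
            return suffix
    return None


def find_oob_lookups(events):
    """Offline equivalent of `DnsEvents | where Name has_any (Domains)`."""
    hits = []
    for ev in events:
        suffix = matched_suffix(ev.name)
        if suffix is not None:
            hits.append((ev, suffix))
    return hits


# Constructed sample events; hostnames and addresses are made up for this example.
SAMPLE_EVENTS = [
    DnsEvent("2023-01-01T10:00:01Z", "10.0.0.5", "c8ab1f2.oast.me"),
    DnsEvent("2023-01-01T10:00:02Z", "10.0.0.5", "www.example.com"),
    DnsEvent("2023-01-01T10:00:03Z", "10.0.0.9", "XyZ.BurpCollaborator.net."),
    DnsEvent("2023-01-01T10:00:04Z", "10.0.0.7", "my-oast.me"),   # lookalike, no hit
    DnsEvent("2023-01-01T10:00:05Z", "10.0.0.7", "interact.sh"),  # apex itself, hit
]


def summarize(events=SAMPLE_EVENTS):
    """Group hits by client IP, the shape an analyst wants when triaging the result."""
    by_client = {}
    for ev, suffix in find_oob_lookups(events):
        by_client.setdefault(ev.client_ip, []).append((ev.name, suffix))
    return by_client


if __name__ == "__main__":
    for client, lookups in summarize().items():
        print(client, lookups)
```

Two hits per client is usually enough to triage: the querying host and the generated subdomain tell you which process to look at. Before turning the query into an analytics rule, check which of these services your own testing team uses, because authorised pentest traffic will hit the same list and belongs on an allowlist rather than in an incident queue.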

Hope it's useful!