From b628323cd77be3fa02bcb2e17a9b9defe2552ede Mon Sep 17 00:00:00 2001
From: cccs-mog <117194682+cccs-mog@users.noreply.github.com>
Date: Thu, 18 Dec 2025 10:40:52 -0500
Subject: [PATCH 1/3] Update network_dns_suspicious.py

Necessary in order to actually hit on the actual domains, the point need to be escaped or it can be any character. Also the domain need to be finishing there so it is not as a subdomain or else it is not a shortener. This should be a domain not an URI so no issue for this.

---
 .../windows/network_dns_suspicious.py | 411 +++++++++---------
 1 file changed, 206 insertions(+), 205 deletions(-)

diff --git a/modules/signatures/windows/network_dns_suspicious.py b/modules/signatures/windows/network_dns_suspicious.py
index 7905507d..f5ab0561 100644
--- a/modules/signatures/windows/network_dns_suspicious.py
+++ b/modules/signatures/windows/network_dns_suspicious.py
@@ -516,212 +516,212 @@ class NetworkDNSURLShortener(Signature):
 def run(self):
 domain_indicators = [
- "1url.com",
- "2ly.link",
- "2no.co",
- "2uuu.me",
- "3c5.com",
- "4x.si",
- "42url.com",
- "7x.qa",
- "9lick.me",
- "abre.ai",
- "adcraft.co",
- "adcrun.ch",
- "adf.ly",
- "adflav.com",
- "aiy.ooo",
- "aka.gr",
- "amzn.to",
- "artist.link",
- "b2n.ir",
- "bc.vc",
- "bee4.biz",
- "belea.link",
- "bit.do",
- "bit.ly",
- "bitly.com",
- "bitly.com.vn",
- "bitly.lc",
- "bitly.ws",
- "bom.so",
- "buff.ly",
- "buzurl.com",
- "bx.ms",
- "cektkp.com",
- "ci.ci",
- "clck.ru",
- "cml.lol",
- "coki.me",
- "cur.lv",
- "cut.by",
- "cutt.ly",
- "cutt.us",
- "cuty.io",
- "d.to",
- "db.tt",
- "dft.ba",
- "dik.si",
- "dub.co",
- "dub.sh",
- "dwz.mk",
- "e.vg",
- "encr.pw",
- "encurtador.dev",
- "etd.bz",
- "filoops.info",
- "fun.ly",
- "fzy.co",
- "gg-l.xyz",
- "gog.li",
- "golinks.co",
- "goo.by",
- "goo.gd",
- "goo.gl",
- "goo.su",
- "han.gl",
- "hit.my",
- "hyp.ae",
- "hyperurl.co",
- "ic9.in",
- "id.tl",
- "idm.in",
- "iii.im",
- "iiil.io",
- "ilang.in",
- "insprl.com",
- "iplogger.com",
- "iplogger.org",
- "is.gd",
- "ito.mx",
- "iurl.vip",
- "ity.im",
- "j.mp",
- "jii.li",
- "komin.fo",
- "kortlink.dk",
- "kutti.co",
- "lc.cx",
- "link.zip.net",
- "linksshortcut.com",
- "linkto.im",
- "litby.us",
- "ln.run",
- "lnk.co",
- "lnk.direct",
- "lnk.ink",
- "lnk.pw",
- "lnkd.in",
- "lnkfi.re",
- "long.af",
- "longurl.in",
- "maxiurl.com",
- "mcaf.ee",
- "me2.do",
- "merky.de",
- "mjt.lu",
- "mtr.bio",
- "my5353.com",
- "mylinks.ai",
- "n9.cl",
- "nanourly.in",
- "neya.io",
- "nov.io",
- "odesli.co",
- "onx.la",
- "ouvaton.link",
- "ow.ly",
- "p6l.org",
- "picz.us",
- "po.st",
- "postly.link",
- "prettylinkpro.com",
- "q.gs",
- "qr.ae",
- "qr.net",
- "qrco.de",
- "rb.gy",
- "rebrand.ly",
- "rebrandly.com",
- "rebrandly.info",
- "relink.is",
- "ricardo.news",
- "s.devh.in",
- "s.ee",
- "s.id",
- "s.rlp.de",
- "s3r.io",
- "s59.site",
- "scrnch.me",
- "shly.link",
- "shorten.ee",
- "shorten.is",
- "shorten.tv",
- "shortquik.com",
- "shorturl.ae",
- "shorturl.at",
- "shrtcnl.com",
- "sht.ac",
- "sk.gy",
- "sl8.in",
- "smarturl.it",
- "smurl.fr",
- "sn.rs",
- "snip.ly",
- "song.link",
- "spoo.me",
- "sprl.in",
- "srink.co",
- "su.pr",
- "surl.li",
- "t.co",
- "t.ly",
- "temporary-url.com",
- "tg.pe",
- "tiny.cc",
- "tinyarrows.com",
- "tinyurl.com",
- "tinyurl.mobi",
- "tota2.com",
- "tr.im",
- "trimz.me",
- "tt.vg",
- "tweez.me",
- "twitthis.com",
- "twixar.com",
- "twixar.me",
- "tyny.to",
- "u.bb",
- "u.to",
- "urled.cc",
- "urled.pro",
- "urless.com",
- "urlr.me",
- "urlshort.dev",
- "urltin.com",
- "urlz.fr",
+ "1url\.com$",
+ "2ly\.link$",
+ "2no\.co$",
+ "2uuu\.me$",
+ "3c5\.com$",
+ "4x\.si$",
+ "42url\.com$",
+ "7x\.qa$",
+ "9lick\.me$",
+ "abre\.ai$",
+ "adcraft\.co$",
+ "adcrun\.ch$",
+ "adf\.ly$",
+ "adflav\.com$",
+ "aiy\.ooo$",
+ "aka\.gr$",
+ "amzn\.to",
+ "artist\.link$",
+ "b2n\.ir$",
+ "bc\.vc$",
+ "bee4\.biz$",
+ "belea\.link$",
+ "bit\.do$",
+ "bit\.ly$",
+ "bitly\.com$",
+ "bitly\.com\.vn$",
+ "bitly\.lc$",
+ "bitly\.ws$",
+ "bom\.so$",
+ "buff\.ly$",
+ "buzurl\.com$",
+ "bx\.ms$",
+ "cektkp\.com$",
+ "ci\.ci$",
+ "clck\.ru$",
+ "cml\.lol$",
+ "coki\.me$",
+ "cur\.lv$",
+ "cut\.by$",
+ "cutt\.ly$",
+ "cutt\.us$",
+ "cuty\.io$",
+ "d\.to$",
+ "db\.tt$",
+ "dft\.ba$",
+ "dik\.si$",
+ "dub\.co$",
+ "dub\.sh$",
+ "dwz\.mk$",
+ "e\.vg$",
+ "encr\.pw$",
+ "encurtador\.dev$",
+ "etd\.bz$",
+ "filoops\.info$",
+ "fun\.ly$",
+ "fzy\.co$",
+ "gg-l\.xyz$",
+ "gog\.li$",
+ "golinks\.co$",
+ "goo\.by$",
+ "goo\.gd$",
+ "goo\.gl$",
+ "goo\.su$",
+ "han\.gl$",
+ "hit\.my$",
+ "hyp\.ae$",
+ "hyperurl\.co$",
+ "ic9\.in$",
+ "id\.tl$",
+ "idm\.in$",
+ "iii\.im$",
+ "iiil\.io$",
+ "ilang\.in$",
+ "insprl\.com$",
+ "iplogger\.com$",
+ "iplogger\.org$",
+ "is\.gd$",
+ "ito\.mx$",
+ "iurl\.vip$",
+ "ity\.im$",
+ "j\.mp$",
+ "jii\.li$",
+ "komin\.fo$",
+ "kortlink\.dk$",
+ "kutti\.co$",
+ "lc\.cx$",
+ "link\.zip\.net$",
+ "linksshortcut\.com$",
+ "linkto\.im$",
+ "litby\.us$",
+ "ln\.run$",
+ "lnk\.co$",
+ "lnk\.direct$",
+ "lnk\.ink$",
+ "lnk\.pw$",
+ "lnkd\.in$",
+ "lnkfi\.re$",
+ "long\.af$",
+ "longurl\.in$",
+ "maxiurl\.com$",
+ "mcaf\.ee$",
+ "me2\.do$",
+ "merky\.de$",
+ "mjt\.lu$",
+ "mtr\.bio$",
+ "my5353\.com$",
+ "mylinks\.ai$",
+ "n9\.cl$",
+ "nanourly\.in$",
+ "neya\.io$",
+ "nov\.io$",
+ "odesli\.co$",
+ "onx\.la$",
+ "ouvaton\.link$",
+ "ow\.ly$",
+ "p6l\.org$",
+ "picz\.us$",
+ "po\.st$",
+ "postly\.link$",
+ "prettylinkpro\.com$",
+ "q\.gs$",
+ "qr\.ae$",
+ "qr\.net$",
+ "qrco\.de$",
+ "rb\.gy$",
+ "rebrand\.ly$",
+ "rebrandly\.com$",
+ "rebrandly\.info$",
+ "relink\.is$",
+ "ricardo\.news$",
+ "s\.devh\.in$",
+ "s\.ee$",
+ "s\.id$",
+ "s\.rlp\.de$",
+ "s3r\.io$",
+ "s59\.site$",
+ "scrnch\.me$",
+ "shly\.link$",
+ "shorten\.ee$",
+ "shorten\.is$",
+ "shorten\.tv$",
+ "shortquik\.com$",
+ "shorturl\.ae$",
+ "shorturl\.at$",
+ "shrtcnl\.com$",
+ "sht\.ac$",
+ "sk\.gy$",
+ "sl8\.in$",
+ "smarturl\.it$",
+ "smurl\.fr$",
+ "sn\.rs$",
+ "snip\.ly$",
+ "song\.link$",
+ "spoo\.me$",
+ "sprl\.in$",
+ "srink\.co$",
+ "su\.pr$",
+ "surl\.li$",
+ "t\.co$",
+ "t\.ly$",
+ "temporary-url\.com$",
+ "tg\.pe$",
+ "tiny\.cc$",
+ "tinyarrows\.com$",
+ "tinyurl\.com$",
+ "tinyurl\.mobi$",
+ "tota2\.com$",
+ "tr\.im$",
+ "trimz\.me$",
+ "tt\.vg$",
+ "tweez\.me$",
+ "twitthis\.com$",
+ "twixar\.com$",
+ "twixar\.me$",
+ "tyny\.to$",
+ "u\.bb$",
+ "u\.to$",
+ "urled\.cc$",
+ "urled\.pro$",
+ "urless\.com$",
+ "urlr\.me$",
+ "urlshort\.dev$",
+ "urltin\.com$",
+ "urlz\.fr$",
 "ux9.de",
- "v.gd",
- "v.ht",
- "vtaurl.com",
- "vzturl.com",
- "webz.cc",
- "wp.me",
- "x.co",
- "xlinkz.info",
- "xtu.me",
- "xy2.eu",
- "ykm.de",
- "yirra.net",
- "yourls.org",
- "youtu.be",
- "yu2.it",
- "yu3.io",
- "zpag.es",
- "zpr.io",
- "zurl.to",
- "zws.im",
- "zzb.bz",
+ "v\.gd$",
+ "v\.ht$",
+ "vtaurl\.com$",
+ "vzturl\.com$",
+ "webz\.cc$",
+ "wp\.me$",
+ "x\.co$",
+ "xlinkz\.info$",
+ "xtu\.me$",
+ "xy2\.eu$",
+ "ykm\.de$",
+ "yirra\.net$",
+ "yourls\.org$",
+ "youtu\.be$",
+ "yu2\.it$",
+ "yu3\.io$",
+ "zpag\.es$",
+ "zpr\.io$",
+ "zurl\.to$",
+ "zws\.im$",
+ "zzb\.bz$",
 ]
 for indicator in domain_indicators:
@@ -775,3 +775,4 @@ def run(self):
 self.data.append({"domain": tld_match})
 return len(self.data) > 0
+

From 53d91b4d7428263a86835694374b9484cafe04c8 Mon Sep 17 00:00:00 2001
From: cccs-mog <117194682+cccs-mog@users.noreply.github.com>
Date: Thu, 18 Dec 2025 10:42:17 -0500
Subject: [PATCH 2/3] Update network_dns_suspicious.py

---
 modules/signatures/windows/network_dns_suspicious.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/modules/signatures/windows/network_dns_suspicious.py b/modules/signatures/windows/network_dns_suspicious.py
index f5ab0561..02722c1d 100644
--- a/modules/signatures/windows/network_dns_suspicious.py
+++ b/modules/signatures/windows/network_dns_suspicious.py
@@ -700,7 +700,7 @@ def run(self):
 "urlshort\.dev$",
 "urltin\.com$",
 "urlz\.fr$",
- "ux9.de",
+ "ux9\.de$",
 "v\.gd$",
 "v\.ht$",
 "vtaurl\.com$",
@@ -776,3 +776,4 @@ def run(self):
 return len(self.data) > 0
+

From 2067c2d5a4b81ca38d9bc3a02ba1253204dc7bdf Mon Sep 17 00:00:00 2001
From: cccs-mog <117194682+cccs-mog@users.noreply.github.com>
Date: Thu, 18 Dec 2025 10:50:14 -0500
Subject: [PATCH 3/3] Update modules/signatures/windows/network_dns_suspicious.py

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
---
 modules/signatures/windows/network_dns_suspicious.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/signatures/windows/network_dns_suspicious.py b/modules/signatures/windows/network_dns_suspicious.py
index 02722c1d..5a18e8f8 100644
--- a/modules/signatures/windows/network_dns_suspicious.py
+++ b/modules/signatures/windows/network_dns_suspicious.py
@@ -532,7 +532,7 @@ def run(self):
 "adflav\.com$",
 "aiy\.ooo$",
 "aka\.gr$",
- "amzn\.to",
+ "amzn\.to$",
 "artist\.link$",
 "b2n\.ir$",
 "bc\.vc$",
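Review bot: The new patterns are anchored only at the end, so `t\.co$`, `s\.id$` or `bit\.ly$` still fire on any longer domain that merely ends with those characters (constructed examples: `microsoft.co`, `rabbit.ly`) — the same over-matching the commit set out to remove on the other side; each entry also needs a leading label boundary, e.g. `(?:^|\.)t\.co$`, assuming the loop that begins at the hunk's last context line applies them with `re.search` (its body lies outside the hunk). The `\.` escapes sit in ordinary string literals, which CPython reports as an invalid escape sequence (a DeprecationWarning, a SyntaxWarning from 3.12); writing them as raw strings, `r"1url\.com$"`, keeps the patterns byte-identical and silences it. Both points apply equally to the single-entry hunks in PATCH 2/3 (`ux9\.de$`) and PATCH 3/3 (`amzn\.to$`). Separately, the `@@ -775` hunk here and the `@@ -776` hunk in PATCH 2/3 each append an empty line after `return len(self.data) > 0`, leaving two trailing blank lines at end of file that pycodestyle flags as W391.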