Suspect DNS Activity

Triggers:

• Suspect DNS Activity Detections are based upon the DNS protocol and can be over TCP or UDP DNS

Possible Root Causes:

• A host is compromised with malware and initiates a connection to an external resource over the DNS.
• Breach simulation software which may emulate known malware and C2 frameworks over the DNS protocol

Business Impact:

• Command and Control channels can enable attackers to carry out malicious activity within an organization and are typically an early indicator that a malicious actor has access to your environment.  These should be investigated to determine if they are malicious true positives, and acted upon promptly.

Steps to Verify:

• Examine the Detection page to validate whether the DNS detection details is consistent with public resources of threat information.
• Examine the destination server to see if it has any known reputation, is newly registered, or is associated with an application that exhibits behaviors similar to the detection.
• Examine the PCAP to see if the artifacts are consistent with the malware / C2 framework identified in the SPA detection title.
• Check if the user has knowingly installed the malware or is using a the tool defined in the detection title.
• Scan the endpoint to look for signs of malware, validate the process that is associated with the network connection documented in the detection.

‍