The Cortex XDR – Analytics DNS Tunneling alert indicates that an endpoint sent and received DNS queries and responses in a way that suggests communication with a command-and-control server or exfiltration of data.
Traffic and Enhanced Application logs.
(Optional) Traps endpoint data for process association.
Command and control, exfiltration.
An endpoint sent and received DNS queries and responses in a way that is indicative of command-and-control activity through DNS tunneling. Attackers use DNS tunneling to encode data in DNS queries and responses, bypassing firewalls and HTTPS traffic rules, to deliver command-and-control instructions or to exfiltrate data.
Communicate with malware running on your network to control its activity or to exfiltrate data from your network.
- Verify that the source device or process is not an approved security solution.
- Verify whether the DNS query types are non-standard. DNS tunnels use uncommon query types that allow more data to be encoded. Examples include INIT, PRIVATE, NULL, SRV, KEY, and TXT.
- If the affected endpoint is running Windows, verify that the DNS traffic is coming from svchost.exe, and search for other processes that were running when the alert triggered. On Windows, DNS requests go through svchost.exe.
- Verify the responses per DNS query. Many responses per query may indicate a tool being downloaded.
- Verify the destination domain details and compare the number of endpoints in your network that access the domain over time to see if this is an uncommonly contacted domain.
- Verify the source web-browser traffic to determine whether the process was generated by user action. If the user did not initiate the traffic, it can be indicative of malicious activity.
- Verify non-DNS traffic to the domain. Traffic other than DNS queries to the destination domain may indicate a legitimate domain that is not used solely for command and control or data exfiltration.
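The checklist items on uncommon query types, responses per query and how many endpoints contact the domain can be applied to a DNS log in bulk. The Python triage helper below is an added example, not part of the Cortex XDR documentation or product; the log record format, the two-label registered-domain approximation and the thresholds are assumptions, and it also adds a label-entropy check that the checklist does not name.

```python
from collections import defaultdict
from math import log2

# Query types the checklist above lists as uncommon and able to carry more data.
UNCOMMON_QTYPES = {"INIT", "PRIVATE", "NULL", "SRV", "KEY", "TXT"}

# Constructed sample DNS log (assumed format, not real traffic):
# (endpoint, query name, query type, number of responses seen for the query).
SAMPLE_LOG = [
    ("host-01", "www.example.com", "A", 1),
    ("host-02", "www.example.com", "A", 1),
    ("host-03", "www.example.com", "A", 1),
    ("host-07", "a3f9c1e4b2d8f0a1.tun.example.net", "TXT", 6),
    ("host-07", "9b7e2d4c1a5f8e30.tun.example.net", "NULL", 5),
    ("host-07", "c0ffee1234deadbe.tun.example.net", "TXT", 7),
]

def registered_domain(qname):
    """Approximate the registered domain as the last two labels (no public-suffix lookup)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def label_entropy(qname):
    """Shannon entropy (bits) of the leftmost label; encoded payloads score high."""
    label = qname.split(".")[0]
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    return -sum(n / len(label) * log2(n / len(label)) for n in counts.values())

def summarize(log):
    """Per-domain view: endpoints, uncommon qtypes, max responses per query, max entropy."""
    summary = defaultdict(lambda: {"endpoints": set(), "uncommon_qtypes": set(),
                                   "max_responses": 0, "max_entropy": 0.0})
    for endpoint, qname, qtype, responses in log:
        entry = summary[registered_domain(qname)]
        entry["endpoints"].add(endpoint)
        if qtype.upper() in UNCOMMON_QTYPES:
            entry["uncommon_qtypes"].add(qtype.upper())
        entry["max_responses"] = max(entry["max_responses"], responses)
        entry["max_entropy"] = max(entry["max_entropy"], label_entropy(qname))
    return dict(summary)

def suspicious_domains(log, max_endpoints=2, max_responses=3, min_entropy=3.0):
    """Domains with at least two indicators: rarely contacted, uncommon qtype,
    many responses per query, high-entropy labels (thresholds are assumptions)."""
    flagged = []
    for domain, s in summarize(log).items():
        hits = [len(s["endpoints"]) <= max_endpoints, bool(s["uncommon_qtypes"]),
                s["max_responses"] > max_responses, s["max_entropy"] >= min_entropy]
        if sum(hits) >= 2:
            flagged.append(domain)
    return sorted(flagged)
```

Flagged domains are a starting point for the remaining checklist items (process association, browser-initiated traffic, non-DNS traffic), not a verdict.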