An endpoint sent and received DNS queries and responses in a way that is indicative of command-and-control activity through DNS tunneling. Attackers use DNS tunneling to encode data in DNS queries and responses in order to bypass firewalls and HTTPS traffic rules, either to carry command-and-control instructions or to exfiltrate data.
The attacker's goal is to communicate with malware running on your network, either to control the malware's activities or to exfiltrate data from your network.
the source device or process is not an approved security solution.
Verify whether the DNS query types are non-standard. DNS tunnels use uncommon query types that allow more data to be encoded per message. Examples include INIT, PRIVATE, NULL, SRV, KEY, and TXT.

If the affected endpoint is running Windows, verify that the DNS traffic is coming from svchost.exe and search for other processes that were running when the alert triggered. On Windows, DNS requests go through svchost.exe.

Verify the number of responses per DNS query. Many responses per query may indicate that a tool is being downloaded.

Verify the destination domain details and compare the number of endpoints in your network that access the domain over time to determine whether this is an uncommonly contacted domain.

Verify the source web-browser traffic to determine whether the process was generated by user action. If the user did not initiate the traffic, this may indicate malicious activity.

Verify non-DNS traffic to the domain. Any traffic other than DNS queries to the destination domain may indicate that the domain is legitimate and is not used solely for command-and-control or data exfiltration.