
Suspicious DNS Activity

Some malware uses the Domain Name System (DNS) protocol for communication or for exfiltration of data. When exfiltration occurs over DNS, it is often at a very low data rate. Secureworks® Taegis™ XDR analyzes all DNS traffic to determine when DNS queries might be performed by malware. If any of your hosts have recently made DNS queries to a domain that Secureworks® Taegis™ XDR considers suspicious, you will see Suspicious DNS Activity alerts related to those hosts. You might see such alerts even if your hosts made just one DNS query to the suspicious domain. An example of malware that exfiltrates data over DNS is Framework POS, which attempts to transmit stolen credit card information via DNS exfiltration.

Suspicious DNS Activity Alert

A stream of DNS traffic made by malware has certain characteristics that distinguish it from typical DNS traffic. Secureworks® Taegis™ XDR watches for these patterns of DNS traffic. When it identifies a domain that is likely to be malicious, an alert is generated for each host that has made a DNS request to that domain (up to 25 unique hosts) in the recent past (about 30 days). Each alert contains an estimated count of the number of DNS requests made by that host. The alert refers to at least one specific DNS request made by that host to the suspicious domain.
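As an added illustration of the alert logic described above (example code, not the Taegis XDR detector itself), the script below groups constructed DNS log records by base domain, applies assumed heuristics (many distinct, long, high-entropy leftmost labels) to decide whether a domain looks like an encoded-data channel, and then emits one alert per querying host within a 30-day window, capped at 25 hosts, each carrying an estimated request count and one concrete query. The domain names, host names and thresholds are assumptions.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta

MAX_HOSTS_PER_DOMAIN = 25     # one alert per host, capped as the page describes
WINDOW = timedelta(days=30)   # "recent past (about 30 days)"
NOW = datetime(2024, 1, 31)   # constructed reference time for the sample data

def label_entropy(label):
    """Shannon entropy in bits per character; encoded payload labels score high."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0

def base_domain(qname):
    return ".".join(qname.rstrip(".").split(".")[-2:])  # last two labels (assumption: no public-suffix list)

def is_suspicious(queries):
    """Assumed heuristic: five or more distinct, long, high-entropy leftmost labels."""
    labels = {q["qname"].split(".")[0] for q in queries}
    return (len(labels) >= 5 and sum(map(len, labels)) / len(labels) >= 20
            and sum(map(label_entropy, labels)) / len(labels) >= 3.5)

def build_alerts(records, now=NOW):
    """Group in-window queries by base domain and emit one alert per querying host."""
    by_domain = defaultdict(list)
    for r in records:
        if now - r["ts"] <= WINDOW:
            by_domain[base_domain(r["qname"])].append(r)
    alerts = []
    for domain, qs in by_domain.items():
        if is_suspicious(qs):
            hosts = sorted({q["host"] for q in qs})[:MAX_HOSTS_PER_DOMAIN]
            for host in hosts:
                hq = [q["qname"] for q in qs if q["host"] == host]
                alerts.append({"domain": domain, "host": host, "estimated_requests": len(hq),
                               "example_query": hq[0]})  # one concrete request by this host
    return alerts

def rec(host, qname, days_ago=0):  # one constructed DNS log record
    return {"host": host, "qname": qname, "ts": NOW - timedelta(days=days_ago)}

def sample_records():
    """Constructed DNS log records: 32-char encoded labels beside ordinary lookups."""
    alpha = "abcdefghijklmnopqrstuvwxyz0123456789"
    chunks = [alpha[i:i + 32] for i in range(5)]   # five distinct "payload" labels
    recs = [rec("ws-01", f"{c}.bad.example", i) for i, c in enumerate(chunks)]
    recs += [rec("ws-02", f"{c}.bad.example") for c in chunks[:2]]
    recs.append(rec("ws-01", f"{chunks[0]}.bad.example", 45))   # older than 30 days: ignored
    recs += [rec("ws-01", f"{l}.cdn.example") for l in ("www", "static", "img", "api", "cdn1")]
    return recs
```

Running `build_alerts(sample_records())` yields two alerts for `bad.example` (ws-01 with 5 estimated requests, ws-02 with 2) and none for `cdn.example`, whose short ordinary labels fail the heuristic.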

What Makes DNS Activity Suspicious

There are no absolute rules for determining that a domain is likely suspicious. A domain with any combination of the following characteristics—to varying degrees—could cause Secureworks® Taegis™ XDR to consider it suspicious:

Schema

DNS

Outputs

Alerts pushed to the Secureworks® Taegis™ XDR Alert Database and Secureworks® Taegis™ XDR Dashboard.

MITRE ATT&CK Category

MITRE Enterprise ATT&CK - Exfiltration - Exfiltration Over Alternative Protocol. For more information, see MITRE Technique T1048.

Configuration Options

None

Detector Requirements
