Suspicious DNS Activity
Some malware uses the Domain Name System (DNS) protocol for communication or for exfiltration of data. Because each query can carry only a small amount of data in its query name, exfiltration over DNS usually happens at a very low data rate. Secureworks® Taegis™ XDR analyzes all DNS traffic to determine when DNS queries might be performed by malware. If any of your hosts have recently made DNS queries to a domain that Secureworks® Taegis™ XDR considers suspicious, you will see Suspicious DNS Activity alerts for those hosts. You may see such alerts even if a host made just one DNS query to the suspicious domain. An example of malware that exfiltrated data over the DNS protocol is Framework POS, which attempts to transmit stolen credit card information via DNS exfiltration.
Suspicious DNS Activity Alert
A stream of DNS traffic made by malware has certain characteristics that distinguish it from typical DNS traffic. Secureworks® Taegis™ XDR watches for these patterns of DNS traffic. When it identifies a domain that is likely to be malicious, an alert is generated for each host that has made a DNS request to that domain (up to 25 unique hosts) in the recent past (about 30 days). Each alert contains an estimated count of the number of DNS requests made by that host. The alert refers to at least one specific DNS request made by that host to the suspicious domain.
What Makes DNS Activity Suspicious
There are no absolute rules for determining that a domain is suspicious. A domain with any combination of the following characteristics, to varying degrees, could cause Secureworks® Taegis™ XDR to consider it suspicious:
- Unusually Long DNS Queries — A query for a short hostname, like www.sampledomain.com, is less suspicious than one that specifies a very long hostname. Tunnelled data has to be carried in the query name itself, so exfiltration queries tend to be long.
- High Variety of Text in Queries — Traffic to a typical domain tends to be repetitive, with the same few hostnames queried again and again, whereas each exfiltration query must differ from the last in order to carry new data.
- Rarity — A domain is less suspicious if traffic to it originates from many places; a domain queried by only one or a few hosts is more suspicious.
- Atypical Queries — DNS query names that seem random, machine-generated, or encrypted, as opposed to those with recognizable patterns or that contain English words.
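The four characteristics above, approximated as simple features over a handful of constructed DNS query records. This is an added illustration and not Taegis XDR's detection logic, which this page does not describe in detail: the feature definitions, the thresholds, the naive registered-domain extraction and all of the sample traffic (the hostnames under sampledomain.com, static-example.com and exfil-example.net, and the payload) are assumptions made for the example. It also constructs the exfiltration side, spreading a payload across DNS query names, to show why such traffic is both long and low-rate, and includes a CDN-style domain with hashed-looking hostnames to show how rarity and variety keep a merely odd-looking domain from being flagged.

```python
"""Toy scoring of the four DNS tunnelling characteristics listed above.

Added example, not Taegis XDR code. Feature definitions, thresholds,
the naive zone cut and all sample traffic are constructed for illustration.
"""
import math
from collections import defaultdict


# --- 1. What a DNS exfiltration client emits ---------------------------------

def encode_as_queries(payload: bytes, zone: str, chunk: int = 30) -> list[str]:
    """Hex-encode `payload` and spread it over query names under `zone`.

    Each name carries a 4-char sequence label plus `chunk` hex chars (15 bytes
    of payload), which is why DNS exfiltration is slow: a few bytes per lookup.
    A 30-char label stays well under the 63-octet DNS label limit.
    """
    hexdata = payload.hex()
    pieces = [hexdata[i:i + chunk] for i in range(0, len(hexdata), chunk)]
    return [f"{seq:04x}.{piece}.{zone}" for seq, piece in enumerate(pieces)]


# --- 2. Features approximating the four characteristics ----------------------

def shannon_entropy(text: str) -> float:
    """Bits per character: 0.0 for one repeated char, log2(k) for k equally
    frequent distinct chars. Hex or base32 payload labels score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name: str) -> str:
    """Naive zone cut: the last two labels. Production code would consult the
    Public Suffix List so that names like example.co.uk are cut correctly."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


def subdomain_part(name: str, domain: str) -> str:
    """Everything left of the registered domain, with dots removed."""
    name = name.rstrip(".").lower()
    prefix = name[:-len(domain)] if name.endswith(domain) else name
    return prefix.replace(".", "")


def score_domains(queries, min_hosts=2, max_len=20, max_variety=0.5,
                  max_entropy=2.5):
    """Score (source_host, queried_name) records per registered domain.

    Each of the four indicators adds one point; a domain scoring 3 or more is
    reported as suspicious. Thresholds are arbitrary example values, and
    'rare' is judged only within the supplied records, whereas a real
    detector compares against traffic seen across many organizations.
    """
    per_domain = defaultdict(lambda: {"names": set(), "hosts": set(), "queries": 0})
    for host, name in queries:
        bucket = per_domain[registered_domain(name)]
        bucket["names"].add(name.lower())
        bucket["hosts"].add(host)
        bucket["queries"] += 1

    results = {}
    for domain, b in per_domain.items():
        subs = [subdomain_part(n, domain) for n in b["names"]]
        indicators = {
            "long_queries": sum(map(len, subs)) / len(subs) > max_len,
            "high_variety": len(b["names"]) / b["queries"] > max_variety,
            "rare": len(b["hosts"]) < min_hosts,
            "atypical": sum(map(shannon_entropy, subs)) / len(subs) > max_entropy,
        }
        score = sum(indicators.values())
        results[domain] = {"score": score, "suspicious": score >= 3,
                           "indicators": indicators}
    return results


# --- 3. Constructed sample traffic (not real logs) ---------------------------

# Ordinary browsing: three hostnames queried repeatedly by four workstations.
BENIGN = [(h, n) for h in ("ws01", "ws02", "ws03", "ws04")
          for n in ("www.sampledomain.com", "mail.sampledomain.com",
                    "cdn.sampledomain.com")]
# A CDN with hashed-looking hostnames: atypical text, but repetitive and
# queried from many hosts, so rarity and variety pull the score back down.
CDN = [(h, n) for h in ("ws01", "ws02", "ws03", "ws04", "ws05", "ws06")
       for n in ("img-f3a9c2e1d7b4.static-example.com",
                 "img-9e8d7c6b5a40.static-example.com")]
# One host tunnelling a 45-byte payload out in three distinct queries.
PAYLOAD = b"constructed sample record 0001, not real data"
EXFIL = [("ws01", n) for n in encode_as_queries(PAYLOAD, "exfil-example.net")]


def demo():
    """Score the combined sample traffic."""
    return score_domains(BENIGN + CDN + EXFIL)


if __name__ == "__main__":
    for domain, r in demo().items():
        flags = [k for k, v in r["indicators"].items() if v]
        print(f"{domain:22} score={r['score']} suspicious={r['suspicious']} {flags}")
```

Running it scores exfil-example.net on all four indicators, sampledomain.com on none, and static-example.com on "atypical" alone, which is the point of combining the characteristics rather than alerting on any one of them: hashed CDN hostnames look random but are repetitive and widely queried.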
Alerts are pushed to the Secureworks® Taegis™ XDR Alert Database and the Secureworks® Taegis™ XDR Dashboard.
MITRE ATT&CK Category
MITRE Enterprise ATT&CK - Exfiltration - Exfiltration Over Alternative Protocol. For more information, see MITRE Technique T1048.
Configuration options:
Detector Requirements