Unusual DNS Activity
A machine learning job detected a rare and unusual DNS query, which indicates network activity involving an uncommon DNS domain. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon domain. When malware is already running, it may query an uncommon domain that the malware uses for command-and-control communication. Because the job flags rarity rather than known-bad indicators, low-volume benign traffic (a newly installed program, a vendor site visited sparsely) produces the same signal, so triage should start from the querying host and the domain's registration and resolution history rather than from the score alone.
Elastic rule

```toml
[metadata]
creation_date = "2020/03/25"
integration = ["endpoint", "network_traffic"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/27"

[rule]
anomaly_threshold = 50
author = ["Elastic"]
description = """
A machine learning job detected a rare and unusual DNS query that indicate network activity with unusual DNS domains.
This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user
clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload
from an uncommon domain. When malware is already running, it may send requests to an uncommon DNS domain the malware
uses for command-and-control communication.
"""
false_positives = [
    """
    A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this
    alert. Network activity that occurs rarely, in small quantities, can trigger this alert. Possible examples are
    browsing technical support or vendor networks sparsely. A user who visits a new or unique web destination may
    trigger this alert.
    """,
]
from = "now-45m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "packetbeat_rare_dns_question"
name = "Unusual DNS Activity"
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "746edc4c-c54c-49c6-97a1-651223819448"
severity = "low"
tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"]
type = "machine_learning"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"

  [[rule.threat.technique.subtechnique]]
  id = "T1071.004"
  name = "DNS"
  reference = "https://attack.mitre.org/techniques/T1071/004/"


[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
```
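To make concrete what "rare DNS question" means and why the false-positives section above warns about low-volume benign traffic, here is an added example (not the Elastic ML job's code, and not a reproduction of its model): a frequency-based rarity scorer over Packetbeat-style DNS events, with an alert cut-off that mirrors the rule's `anomaly_threshold = 50`. The scoring formula, the constructed sample events, and the use of the ECS fields `dns.question.registered_domain` and `source.ip` are assumptions made for this illustration.

```python
"""Added example: frequency-based "rare DNS question" scoring over
Packetbeat-style DNS events. This is illustrative code, not the Elastic
job's implementation; the formula below is a hypothetical stand-in for
the job's probabilistic model."""
import math
from collections import Counter, defaultdict

DOMAIN = "dns.question.registered_domain"

# Constructed sample events (not real telemetry), shaped like a few ECS fields
# that Packetbeat populates for DNS traffic. 20 events in total.
SAMPLE_EVENTS = (
    [{"source.ip": "10.0.0.5", DOMAIN: "example.com"}] * 6
    + [{"source.ip": "10.0.0.7", DOMAIN: "example.com"}] * 4
    + [{"source.ip": "10.0.0.5", DOMAIN: "microsoft.com"}] * 3
    + [{"source.ip": "10.0.0.7", DOMAIN: "microsoft.com"}] * 3
    + [{"source.ip": "10.0.0.9", DOMAIN: "github.com"}] * 2
    + [{"source.ip": "10.0.0.5", DOMAIN: "github.com"}]
    # Constructed "unusual" domain, queried exactly once by one host.
    + [{"source.ip": "10.0.0.7", DOMAIN: "zq3k1-cdn-update.net"}]
)


def rarity_scores(events, field=DOMAIN):
    """Score each domain from 0 (most common) to 100 (seen once in the window).

    Hypothetical formula: score = 100 * (1 - ln(count) / ln(N)), where N is the
    number of events carrying `field`. It is monotone in rarity, which is all
    the demonstration needs.
    """
    counts = Counter(e[field] for e in events if field in e)
    n = sum(counts.values())
    if n < 2:
        # Too little data to rank anything; treat everything as rare.
        return {d: 100 for d in counts}
    return {d: round(100 * (1 - math.log(c) / math.log(n))) for d, c in counts.items()}


def rare_dns_alerts(events, threshold=50, field=DOMAIN):
    """Return (domain, score, sorted querying hosts) for domains scoring at or
    above `threshold`, rarest first. threshold=50 mirrors the rule's
    anomaly_threshold; the host list is the triage context an analyst needs."""
    scores = rarity_scores(events, field)
    hosts = defaultdict(set)
    for e in events:
        if field in e:
            hosts[e[field]].add(e["source.ip"])
    return sorted(
        ((d, s, sorted(hosts[d])) for d, s in scores.items() if s >= threshold),
        key=lambda t: -t[1],
    )


if __name__ == "__main__":
    for domain, score, querying_hosts in rare_dns_alerts(SAMPLE_EVENTS):
        print(f"{score:3d}  {domain:24s}  hosts={','.join(querying_hosts)}")
```

Run as-is, the constructed single-query domain scores 100, but `github.com` (three queries from two hosts) also clears the 50 cut-off: that is exactly the "network activity that occurs rarely, in small quantities" false positive the rule documents. Raising the threshold trims such hits at the cost of missing slightly-less-rare C2 domains, so in practice the host list and the domain's age and resolution history do the discriminating, not the score.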
Related rules
- DNS Tunneling
- Unusual Web Request
- Unusual Web User Agent
- Anomalous Linux Compiler Activity
- Anomalous Process For a Linux Population