Unusual DNS Activity

A machine learning job detected a rare and unusual DNS query that indicates network activity with unusual DNS domains. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon domain. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2020/03/25"
integration = ["endpoint", "network_traffic"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
anomaly_threshold = 50
author = ["Elastic"]
description = """
A machine learning job detected a rare and unusual DNS query that indicate network activity with unusual DNS domains.
This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user
clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload
from an uncommon domain. When malware is already running, it may send requests to an uncommon DNS domain the malware
uses for command-and-control communication.
"""
false_positives = [
    """
    A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this
    alert. Network activity that occurs rarely, in small quantities, can trigger this alert. Possible examples are
    browsing technical support or vendor networks sparsely. A user who visits a new or unique web destination may
    trigger this alert.
    """,
]
from = "now-45m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "packetbeat_rare_dns_question"
name = "Unusual DNS Activity"
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "746edc4c-c54c-49c6-97a1-651223819448"
severity = "low"
tags = [
    "Use Case: Threat Detection",
    "Rule Type: ML",
    "Rule Type: Machine Learning",
    "Tactic: Command and Control",
]
type = "machine_learning"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"
[[rule.threat.technique.subtechnique]]
id = "T1071.004"
name = "DNS"
reference = "https://attack.mitre.org/techniques/T1071/004/"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
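The rule above relies on the packetbeat_rare_dns_question ML job to score rarity of DNS question names. As an added illustration (not Elastic's job or this rule's code), the following Python approximates the same idea with a plain frequency count over constructed Packetbeat-style DNS events, and shows how the false positives the rule lists (a rarely visited vendor or support domain) can be handled with an analyst-maintained allowlist. The registered-domain extraction takes the last two labels and is a simplification; a real deployment would use a public suffix list and the ML job's anomaly scoring instead of fixed thresholds.

```python
"""Frequency-based approximation of a rare-DNS-question detector (added example)."""
import json
from collections import defaultdict

# Constructed Packetbeat-style DNS events (not real traffic), one JSON document per line.
SAMPLE_EVENTS = """
{"source": {"ip": "10.0.0.5"}, "dns": {"question": {"name": "www.example.com"}}}
{"source": {"ip": "10.0.0.6"}, "dns": {"question": {"name": "cdn.example.com"}}}
{"source": {"ip": "10.0.0.7"}, "dns": {"question": {"name": "www.example.com"}}}
{"source": {"ip": "10.0.0.5"}, "dns": {"question": {"name": "update.example.org"}}}
{"source": {"ip": "10.0.0.6"}, "dns": {"question": {"name": "update.example.org"}}}
{"source": {"ip": "10.0.0.8"}, "dns": {"question": {"name": "a1b2c3.beacon.example.net"}}}
{"source": {"ip": "10.0.0.9"}, "dns": {"question": {"name": "support.vendor.example.biz"}}}
"""

# Registered domains an analyst has already confirmed as rare but benign (e.g. a vendor
# support portal visited once a quarter). Constructed for this example.
ALLOWLIST = {"example.biz"}


def registered_domain(name):
    """Return the last two labels of a query name (simplification: no public suffix list)."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def rare_dns_domains(raw_events, max_queries=1, max_hosts=1):
    """Flag registered domains seen at most max_queries times from at most max_hosts sources."""
    query_count = defaultdict(int)
    hosts = defaultdict(set)
    for line in raw_events.strip().splitlines():
        event = json.loads(line)
        domain = registered_domain(event["dns"]["question"]["name"])
        query_count[domain] += 1
        hosts[domain].add(event["source"]["ip"])
    findings = []
    for domain, count in query_count.items():
        if domain in ALLOWLIST:  # known rare-but-benign destination: skip
            continue
        if count <= max_queries and len(hosts[domain]) <= max_hosts:
            findings.append({"domain": domain, "queries": count, "hosts": sorted(hosts[domain])})
    return sorted(findings, key=lambda f: f["domain"])


if __name__ == "__main__":
    for finding in rare_dns_domains(SAMPLE_EVENTS):
        print(f"rare domain {finding['domain']}: {finding['queries']} query from {finding['hosts']}")
```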
