Surge in DNS requests to domains with randomised subdomains from multiple internal hosts.

A surge in DNS requests to domains with randomised subdomains from multiple internal hosts. What steps would you take to investigate this activity using the Cyber Kill Chain model?

Investigating a surge in DNS requests to domains with randomised subdomains using the Cyber Kill Chain model involves systematically analysing the activity at each stage of the attack lifecycle.

Determine if the activity is part of an attacker's reconnaissance effort.

Analyse DNS logs to identify patterns in the randomised subdomains
Check if the domains are associated with known malicious actors or threat intelligence feeds.
Look for signs of domain generation algorithms (DGAs) commonly used by malware.

Identify if the DNS requests are part of a weaponised payload delivery mechanism.

Correlate DNS requests with other network traffic to see if they are part of a larger attack chain.
Check for suspicious files or processes on the internal hosts making the requests.
Look for signs of command-and-control (C2) communication in the DNS traffic.

Determine how the malicious activity was delivered to the internal hosts.

Investigate email logs, web browsing history, or file downloads for potential delivery vectors
Check for unauthorised software or scripts that may have been executed.

Identify if the DNS requests are a result of an exploited vulnerability.

Review system and application logs for signs of exploitation
Check for known vulnerabilities in the software or systems on the affected hosts.

Determine if malware or persistence mechanisms have been installed.

Perform endpoint analysis to detect malware, backdoors, or other malicious software.
Look for persistence mechanisms such as scheduled tasks, registry modifications, or new services.

Confirm if the DNS requests are part of C2 communication.

Analyse DNS traffic for patterns indicative of C2
Check if the resolved IP addresses are associated with known malicious infrastructure.
Use threat intelligence to identify if the domains or IPs are part of a botnet or other C2 network.

Determine the attacker's end goal and mitigate the impact.

Identify any data exfiltration, lateral movement, or other malicious activities.
Contain affected systems to prevent further spread.
Collect forensic evidence for further analysis and reporting.

Surge in DNS requests to domains with randomised subdomains from multiple internal hosts.

Post a Comment

Threat Research Advisory - When Your Company Hits the Darknet: Navigating the Surge in High-Validity Combolist-as-a-Service Threats

Cyber Security Alert - Cisco Addresses Multiple Vulnerabilities in Cisco Nexus Software

Cyber Security Alert - SonicWall Updates Advisory with Urgent Warning Regarding CVE-2024-40766: Potential Exploitation in the Wild

Incident Response Methodologies: SOPs (Standard Operating Procedures) / Playbooks / Runbooks

Cyber Security Alert - Windows Elevation of Privilege Vulnerability Chain-PoC Exploit Released

Cyber Security Alert-Ivanti Security Advisory EPM September 2024 Addresses Multiple Vulnerabilities in Endpoint Manager

How to Eliminate the Threat Posed by Remote Access

Cybersecurity Concepts | From Threats to Breaches

Selecting the Right Framework for Threat Intelligence Teams

Understanding the STRIDE Threat Modeling Framework

Contact Form