Indicators of compromise (IoCs) are pieces of forensic evidence that identify malicious activity and help detect the presence of potential threat actors in your network. Here are a few DNS IoCs to watch for in your DNS server and traffic logs.
Unusual domain name requests
Domain names for C&C servers are usually random-looking, such as 'asdggj.com' or '12.345.672.hujist.com'. If such domain names are encountered in the logs, they should be blacklisted immediately. Top-level domains such as .tk and .ru are also suspicious and should be investigated for malicious activity.
Abnormal volume of DNS
A large number of DNS queries to unusual domain names within a short span of time is a sure sign of malicious activity. If these queries occur at odd hours, the querying systems may well be infected.
Unusual DNS query failures
Suspicious domain names can be blocked upon discovery. To get around this, attackers build Domain Generation Algorithms (DGAs) into their malware. A DGA generates a large number of domain names every day, only a few of which resolve to the C&C server. Since not every name results in a successful connection, monitoring your logs for failed DNS queries can lead you to the infected systems.
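As an added example (not code from the page or from Log360), the script below applies the three checks above to constructed DNS query log lines: random-looking names, queries under the TLDs named above, and NXDOMAIN counts per client. The log line format, the vowel and entropy heuristics, and the threshold of three failures are assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample log lines (hypothetical format: timestamp, client IP,
# "query", name, record type, response code), not a real server export.
SAMPLE_LOG = """\
2024-03-01T02:14:01 10.0.0.5 query asdggj.com A NXDOMAIN
2024-03-01T02:14:02 10.0.0.5 query qwpzkx.com A NXDOMAIN
2024-03-01T02:14:02 10.0.0.5 query 12.345.672.hujist.com A NXDOMAIN
2024-03-01T02:14:03 10.0.0.5 query bgtrjhd.tk A NOERROR
2024-03-01T02:14:05 10.0.0.5 query mnvbqsl.com A NXDOMAIN
2024-03-01T09:30:10 10.0.0.7 query www.example.com A NOERROR
2024-03-01T09:30:11 10.0.0.7 query mail.example.com A NOERROR
2024-03-01T09:30:12 10.0.0.7 query typo.examlpe.com A NXDOMAIN
"""
LINE_RE = re.compile(r"^(\S+) (\S+) query (\S+) (\S+) (\S+)$")
SUSPICIOUS_TLDS = {"tk", "ru"}   # the TLDs the text singles out

def shannon_entropy(label):
    """Bits per character; a weak signal on its own for short labels."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def looks_random(fqdn):
    """DGA-style heuristic on the second-level label: few vowels, or long and near-uniform."""
    labels = fqdn.rstrip(".").split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    vowel_ratio = sum(ch in "aeiou" for ch in sld) / max(len(sld), 1)
    return len(sld) >= 6 and (vowel_ratio < 0.2 or
                              (len(sld) >= 12 and shannon_entropy(sld) > 3.2))

def analyse(log_text, nx_threshold=3):
    """Correlate failed lookups and random-looking names per client."""
    nx_by_client = Counter()          # NXDOMAIN answers per source IP
    random_names = defaultdict(set)   # random-looking names per source IP
    odd_tld_names = set()             # names under the suspicious TLDs
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                  # skip lines in another format
        _ts, client, name, _qtype, rcode = m.groups()
        if rcode == "NXDOMAIN":
            nx_by_client[client] += 1
        if looks_random(name):
            random_names[client].add(name)
        if name.rstrip(".").rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
            odd_tld_names.add(name)
    # Flag only when both signals coincide, so one typo does not alert.
    flagged = {c for c, n in nx_by_client.items()
               if n >= nx_threshold and random_names.get(c)}
    return nx_by_client, dict(random_names), odd_tld_names, flagged
```

Note that '12.345.672.hujist.com' is not caught by the name heuristic but still counts toward the client's failed lookups, which is why the two signals are correlated rather than used alone.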
These IoCs have a very short lifespan, becoming obsolete in mere hours, so they need to be acted on quickly. Their discovery can be automated easily, provided you have the right settings in the right solution.
ManageEngine's Log360 is a one-stop solution that helps enterprises mitigate external and internal threats with alerting, data security, event correlation, threat intelligence and more. It has a built-in STIX/TAXII feed processor and a global IP threat database that can instantly detect known malicious traffic passing through the network, as well as outbound connections to malicious domains and callback servers. The advanced threat analytics add-on gives deeper insight into the threats.
What's next?
Interested in learning more about the advanced network security features of Log360? Explore the free, 30-day trial with technical assistance.