
Suspicious DNS Query

ID: S1003

Description: A DNS query to an unexpected domain can be an indicator of abnormal activity on a host. If a domain has been marked as malicious, an investigator may be tasked with determining what caused the DNS query (or response) and if it indicates the host has been compromised.

What application was responsible for the DNS query? F1004

Which application made a DNS request matters when determining whether the request is likely legitimate. The source also shapes the next investigative steps (different artifacts are useful depending on whether powershell.exe or chrome.exe was responsible).

Was a user's web browsing the cause of a given DNS query? F1005

Understanding whether a user's actions in a web browser caused a particular DNS query is valuable context when investigating a suspicious DNS query. If the query is related to the user's actions, closer scrutiny of their browser activity may make sense. If the DNS query doesn't appear related, you may need to look into the actions of other non-browser processes.
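One way to work through both questions above (which process issued the query, and whether it came from a browser) is to attribute each queried domain to the process images that resolved it, using DNS events that already carry the originating process. This is an added example, not code from the original page; it assumes Sysmon Event ID 22 style records with `Image`, `QueryName` and `User` fields, and the sample events are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records in the style of Sysmon Event ID 22 (DnsQuery):
# process image, queried name and owning user. Not data from a real host.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "QueryName": "www.example.com", "User": "CORP\\alice"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "QueryName": "updates.example.net", "User": "CORP\\alice"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "time.example.org", "User": "NT AUTHORITY\\SYSTEM"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "QueryName": "updates.example.net", "User": "CORP\\alice"},
]

# Process images treated as web browsers for the "was it browsing?" question.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


def image_name(path):
    """Reduce a full Windows image path to its lowercase file name."""
    return path.rsplit("\\", 1)[-1].lower()


def attribute_queries(events):
    """Map each queried domain to the set of process images that resolved it."""
    by_domain = defaultdict(set)
    for ev in events:
        by_domain[ev["QueryName"].lower()].add(image_name(ev["Image"]))
    return by_domain


def non_browser_sources(events, domain):
    """Processes other than browsers that queried the domain (next pivots)."""
    images = attribute_queries(events).get(domain.lower(), set())
    return sorted(i for i in images if i not in BROWSERS)


def triage_domain(events, domain):
    """Classify a domain as 'browser', 'non-browser', 'mixed' or 'not seen'."""
    images = attribute_queries(events).get(domain.lower(), set())
    if not images:
        return "not seen"
    browser = {i for i in images if i in BROWSERS}
    if browser == images:
        return "browser"
    if not browser:
        return "non-browser"
    return "mixed"
```

A "mixed" result (as with updates.example.net above) is the case where the same domain was resolved by both a browser and a scripting host, so the browser history alone will not explain the query.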

Was a browser extension responsible for a DNS query? F1006

A malicious (or potentially unwanted) extension may generate DNS queries itself, inject or modify legitimate requests, or manipulate the user's browsing experience in some other way.

  • Q1021  What Chrome extensions are installed?
  • Q1022  What actions did a Chrome extension perform?
  • Q1023  Is a given Chrome extension associated with a given domain?