Suspicious DNS Query
Description: A DNS query to an unexpected domain can be an indicator of abnormal activity on a host. If a domain has been marked as malicious, an investigator may be tasked with determining what caused the DNS query (or response) and if it indicates the host has been compromised.
What application was responsible for the DNS query? F1004
What application made a DNS request is important for determining if it is likely legitimate or not. The source also impacts further investigative steps (depending on if
chrome.exe were responsible, different artifacts would be useful).
- Q1018 What process made the DNS query?
- Q1073 Have there been any modifications to the "hosts" file?
Was a user's web browsing the cause of a given DNS query? F1005
Understanding if a user's actions in a web browser caused a particular DNS query is valuable context when investigating a suspicious DNS query. If the query is related to the user's actions, closer scrutiny of their browser activity may make sense. If the DNS doesn't appear related, you may need to look into the actions of other non-browser processes.
- Q1019 What web browsers were running at a given time?
- Q1020 What pages did web browsers visit?
- Q1024 Was an Incognito/Private browser session used?
- Q1072 Did Chrome's DNS Prefetching cause a DNS query?
Was a browser extension responsible for a DNS query? F1006
A malicious (or potentially unwanted) extension may generate DNS queries itself, inject or modify legitimate requests, or manipulate the user's browsing experience in some other way.
- Q1021 What Chrome extensions are installed?
- Q1022 What actions did a Chrome extension perform?
- Q1023 Is a given Chrome extension associated with a given domain?