Malicious Communication Queries
As part of their attack cycle, attackers will attempt to communicate with malicious locations, such as malicious domains or IP addresses.
The example queries in this section are meant to be a starting point for your investigations. You may need to update the Features (filters) in each query to use indicators specific to your environment or situation.
Each of these examples is formatted with the individual Element in the query on its own separate line, in bold text. Features (filters) applied to the Element follow the Element name in regular weight text. Each example also contains a description of the goal of the hunt and the explanatory statement of what you want to find.
DNS requests and connections to unknown domains
Goal: Search for DNS requests and connections to domains I do not know
Explanatory statement: I want to find DNS requests and connections to domains that have an unknown classification.
Construct one of the following queries:
Query 1
DNS Query Resolved Domain to Domain Element
Target Domain Element -> filter for Reputation is Unresolved domain
Query 2
Connection Element
URL Domains Element -> filter for Reputation is Unresolved domain
Outbound communication to a hostile domain
Goal: Search for communication to known hostile domains
Explanatory statement: I want to find evidence of communication to hostile domains by finding connections to domains classified as malicious or hostile.
Construct this query:
Connection Element -> filter for Direction is Outgoing or Outgoing (Guessed)
URL Domains Element -> filter for Reputation is Blocklisted OR Malware OR Sinkholed domain OR Unresolved domain
Communication with dynamic DNS servers
Goal: Search for connections with dynamic DNS servers (usually an indicator of malicious behavior)
Explanatory statement: I want to find evidence of connections made to servers that use a dynamic DNS configuration.
Construct this query:
Connection Element -> filter for Remote Address Type is Dynamic Configuration
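The three hunts above (unknown-domain DNS requests and connections, outbound communication to hostile domains, and connections to dynamic DNS servers) expressed as filters over constructed sample telemetry. This is an added illustration, not the product's own query engine or schema; the record field names and the sample domains are assumptions.

```python
# Constructed sample records modelled on the Elements and Features used in the
# hunts above. Field names are assumptions, not the product's real schema.
CONNECTIONS = [
    {"id": "c1", "direction": "Outgoing", "remote_address_type": "Static",
     "url_domains": [{"name": "updates.example.com", "reputation": "Whitelisted"}]},
    {"id": "c2", "direction": "Outgoing (Guessed)", "remote_address_type": "Static",
     "url_domains": [{"name": "bad.example.net", "reputation": "Blocklisted"}]},
    # Inbound: matches the hostile-reputation filter but not the Direction filter.
    {"id": "c3", "direction": "Incoming", "remote_address_type": "Static",
     "url_domains": [{"name": "sink.example.org", "reputation": "Sinkholed domain"}]},
    {"id": "c4", "direction": "Outgoing", "remote_address_type": "Dynamic Configuration",
     "url_domains": [{"name": "host.dyn.example", "reputation": "Unresolved domain"}]},
]
DNS_QUERIES = [
    {"id": "d1", "resolved_domain": {"name": "updates.example.com", "reputation": "Whitelisted"}},
    {"id": "d2", "resolved_domain": {"name": "rnd7.example.net", "reputation": "Unresolved domain"}},
]

# Feature values taken from the hunts above; each set is an OR across its members.
OUTGOING = {"Outgoing", "Outgoing (Guessed)"}
HOSTILE_REPUTATIONS = {"Blocklisted", "Malware", "Sinkholed domain", "Unresolved domain"}


def _has_reputation(connection, reputations):
    """True if any URL Domain on the Connection has one of the given reputations."""
    return any(d["reputation"] in reputations for d in connection["url_domains"])


def dns_to_unknown_domains(dns_queries=DNS_QUERIES):
    """Query 1: DNS Query -> Resolved Domain with Reputation is Unresolved domain."""
    return [q["id"] for q in dns_queries
            if q["resolved_domain"]["reputation"] == "Unresolved domain"]


def connections_to_unknown_domains(connections=CONNECTIONS):
    """Query 2: Connection -> URL Domains with Reputation is Unresolved domain."""
    return [c["id"] for c in connections if _has_reputation(c, {"Unresolved domain"})]


def outbound_to_hostile_domains(connections=CONNECTIONS):
    """Outgoing Connections whose URL Domains carry a hostile reputation."""
    return [c["id"] for c in connections
            if c["direction"] in OUTGOING and _has_reputation(c, HOSTILE_REPUTATIONS)]


def connections_to_dynamic_dns(connections=CONNECTIONS):
    """Connections whose Remote Address Type is Dynamic Configuration."""
    return [c["id"] for c in connections
            if c["remote_address_type"] == "Dynamic Configuration"]


if __name__ == "__main__":
    for hunt in (dns_to_unknown_domains, connections_to_unknown_domains,
                 outbound_to_hostile_domains, connections_to_dynamic_dns):
        print(f"{hunt.__name__}: {hunt()}")
```

Record c3 is deliberately included to show that the Direction filter in the hostile-domain hunt drops an inbound connection even when its domain reputation matches.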