XDR DNS Query Non-Existent Domain (Internal domain)


L1 Bithead

Hi Community,

 

Hope fellow members can provide some insights. I have received a suspected DGA alert from my MSSP and, upon validating with XDR, it shows Network Services is making such queries. As the domain is my internal domain with a gibberish sub-domain, I'm fairly confident this is not a positive DGA incident. What might cause such behavior?




Accepted Solutions

L3 Networker

Hi Joseph, 

 

Looks like fast flux, not DGA, but if you don't have so many queries, this might be one of the OS binaries or services (might not, of course).

I know Chrome in some conditions is the root cause of the fast flux, but without doing a deep-dive analysis on the system, it's hard to imagine something.

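As an added illustration (not from the original post, the replier, or Palo Alto Networks), the following Python triage groups random-looking NXDOMAIN queries by host, process and zone, and treats random labels that land under the organisation's own DNS zone as likely search-suffix or probe noise while still escalating the same pattern under an external zone. The log lines, zone name and process names are constructed; a resolver appending the configured search suffix to a single-label lookup is why a random probe label shows up as `<random>.<internal zone>` with NXDOMAIN.

```python
import math
from collections import defaultdict

# Constructed sample DNS log lines (not from the original post):
# timestamp host process queried_name rcode
SAMPLE_LOGS = """\
2024-01-01T10:00:01Z ws01 svchost.exe qzkwvxh.corp.example.internal NXDOMAIN
2024-01-01T10:00:01Z ws01 svchost.exe lpmrtgyqau.corp.example.internal NXDOMAIN
2024-01-01T10:00:01Z ws01 svchost.exe dvnxbfrwk.corp.example.internal NXDOMAIN
2024-01-01T10:00:05Z ws01 svchost.exe fileserver.corp.example.internal NOERROR
2024-01-01T10:01:00Z ws02 updater.exe xk3j9q2wz7lm.badzone-example.net NXDOMAIN
2024-01-01T10:01:01Z ws02 updater.exe p0a8s7dd6fgh.badzone-example.net NXDOMAIN
2024-01-01T10:01:02Z ws02 updater.exe zx9cv8bn7mty.badzone-example.net NXDOMAIN
"""

# Assumption: the organisation's own DNS zones (its search suffixes).
INTERNAL_ZONES = ("corp.example.internal",)

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_random(label: str) -> bool:
    """Crude DGA-style heuristic: long label, high entropy, few vowels."""
    vowels = sum(label.count(v) for v in "aeiou")
    return len(label) >= 7 and shannon_entropy(label) > 2.5 and vowels / len(label) < 0.3

def triage(log_text: str) -> dict:
    """Map (host, process, zone) -> verdict for random-looking NXDOMAIN labels."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[4] != "NXDOMAIN":
            continue  # only failed lookups matter for DGA-style triage
        _ts, host, proc, name, _rcode = parts
        label, _, zone = name.partition(".")
        if looks_random(label):
            groups[(host, proc, zone)].add(label)
    verdicts = {}
    for key, labels in groups.items():
        zone = key[2]
        if any(zone == z or zone.endswith("." + z) for z in INTERNAL_ZONES):
            verdicts[key] = "likely benign: %d random labels under internal zone (search-suffix/probe noise)" % len(labels)
        else:
            verdicts[key] = "possible DGA: %d random labels under external zone, escalate" % len(labels)
    return verdicts

if __name__ == "__main__":
    for key, verdict in triage(SAMPLE_LOGS).items():
        print(key, "->", verdict)
```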
