This note documents detection patterns related to Suspicious DNS Activity within Windows environments.

Direct Indicators

Log	Event ID	Meaning	Forensic Value	Notes
Sysmon	22	DNS query	Critical	Primary host-level DNS telemetry.
Security	5156	Allowed connection	High	Correlate DNS resolution with outbound flow.
Sysmon	3	Network connection	Critical	Confirms connection after DNS resolution.
Sysmon	1	Process creation	Critical	Identifies querying process lineage.
Security	4688	Process creation	High	Parent-child correlation.
DNS Server Logs	N/A	Resolver-side query records	Critical	Strong enterprise pivot source.
EDR Telemetry	N/A	Process-to-DNS mapping	Critical	Highest-value lineage source.

Indirect Indicators

Indicator	What To Look For	Forensic Value	Notes
High-entropy domain	Random-looking labels	Critical	Common DGA indicator.
Excessive subdomains	Long subdomain chains	Critical	DNS tunneling indicator.
Rare domain queried by LOLBIN	powershell / certutil / rundll32	Critical	Strong malicious signal.
TXT query abuse	Unusual TXT retrieval	High	Payload retrieval / beaconing.
NXDOMAIN bursts	Many failed lookups	High	DGA or fallback logic.
Newly registered domain	Fresh IOC	High	Campaign infrastructure clue.
Repeating interval queries	Periodic beacon timing	Critical	C2 heartbeat indicator.

Common Tools

Tool	Usage
PowerShell	DNS resolution and web retrieval
nslookup.exe	Manual lookup or script usage
certutil.exe	Retrieval with domain resolution
curl.exe	DNS before HTTP fetch
malware beacons	DGA / TXT / C2 resolution
custom implant	DNS tunneling or staged comms

Relevant Artifacts

Sysmon Event ID 22
Sysmon Event ID 3
Sysmon Event ID 1
Security Event ID 5156
Security Event ID 4688
DNS cache (ipconfig /displaydns)
DNS server logs
Firewall logs
EDR DNS lineage
Prefetch for querying binary

MITRE ATT&CK References

T1071.004 DNS
T1568 Dynamic Resolution
T1048 Exfiltration Over Alternative Protocol
T1105 Ingress Tool Transfer

Decision Tree

Which process queried DNS?
- Image
- Parent process
Domain suspicious?
- Entropy
- Age
- Reputation
Query type unusual?
- TXT
- AAAA
- Excessive subdomains
Followed by connection?
- Sysmon 3
- Firewall logs
Expand:
- Beacon interval
- Payload retrieval
- Additional domains
Scope:
- Single host
- Enterprise spread
- Shared IOC

Example Detection Templates

KQL

Sysmon
| where EventID == 22
| project TimeGenerated, Computer, Image, QueryName, QueryStatus

Sysmon
| where EventID == 22
| where Image has_any ("powershell.exe","cmd.exe","rundll32.exe","certutil.exe","mshta.exe")
| project TimeGenerated, Computer, Image, QueryName

EQL

dns where process.name in ("powershell.exe","rundll32.exe","certutil.exe","mshta.exe")

sequence by host.name with maxspan=5m
  [ dns where dns.question.name != null ]
  [ network where destination.ip != null ]

Sigma

title: Suspicious DNS Query Activity
id: 91c6e3d2-suspicious-dns
status: experimental
description: Detects suspicious DNS lookups by common attacker processes
references:
  - https://attack.mitre.org/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID: 22
    Image|endswith:
      - '\powershell.exe'
      - '\rundll32.exe'
      - '\certutil.exe'
      - '\mshta.exe'
  condition: selection
fields:
  - Image
  - QueryName
falsepositives:
  - Administrative scripts
level: high
tags:
  - attack.command_and_control
  - attack.t1071.004

Mitigation & Hardening

Control Area	Mitigation	Effectiveness	Notes
Sysmon DNS logging	Enable Event 22	Critical	Core host DNS visibility
DNS server logging	Retain enterprise resolver logs	Critical	Best broad visibility
Domain reputation enrichment	Add age / threat intel	High	Speeds triage
LOLBIN monitoring	Alert on DNS-active binaries	High	Strong overlap with abuse
Egress correlation	Tie DNS to outbound flows	Critical	Confirm malicious chain