AN0109: Analytic 0109

Correlate high-frequency or anomalous DNS query activity with processes that do not normally generate network requests (e.g., Office apps, system utilities). Detect pseudo-random or high-entropy domain lookups indicative of domain generation algorithms (DGAs).

EnterpriseAN0109AnalyticObject v1.0 Modified Nov 12, 2025, 22:03 UTC (UTC+00:00)

This analytic matters because unusual DNS activity can be an early signal of malware command-and-control preparation or automated domain lookup behavior before a larger incident becomes obvious. For leaders, the decision point is whether Windows endpoint, DNS, and process telemetry can be correlated well enough to distinguish normal business software from suspicious lookups by Office applications or system utilities that should not usually initiate network requests.

Executive priority

Prioritize this as a validation item for SOC readiness and incident response triage, not as a standalone control. It helps answer whether the organization can connect DNS evidence to the originating Windows process when investigating potential command-and-control behavior. The business value is faster containment decisions, better audit evidence for monitoring coverage, and clearer prioritization of endpoint and DNS logging investments.

Technical view

For Windows environments, validate the ability to correlate DNS query volume, query randomness or entropy, and originating process context. Detection engineering should focus on high-frequency or anomalous DNS queries from processes that do not normally generate network traffic, including Office applications and system utilities as described by the ATT&CK analytic. Because no ATT&CK detection logic is provided, local baselining is required to define normal query rates, expected process behavior, and acceptable high-entropy domain patterns.

Likely telemetry

DNS query logs with queried domain, timestamp, host, and response metadata where available
Endpoint process creation and process lineage telemetry on Windows
Network connection telemetry tied to process identity where available
Host identity and user context for the system generating the DNS activity
Historical baselines for normal DNS volume and normal network-capable processes

Detection direction

Confirm DNS logs can be joined to Windows endpoint process telemetry; DNS-only alerts may lack enough context for reliable triage.
Baseline common business applications and system utilities to reduce false positives from legitimate update, telemetry, or cloud-service behavior.
Tune for combinations of indicators: high-frequency queries, anomalous process source, and pseudo-random or high-entropy domain names rather than any single condition alone.
Review blind spots where DNS is encrypted, forwarded, cached, or logged only at a resolver without endpoint process attribution.
Create triage guidance for analysts to inspect process lineage, user context, query patterns, and whether the process normally performs network activity in the local environment.

Mitigation priorities

Ensure Windows endpoint telemetry and DNS logging are enabled, retained, and joinable for investigations.
Establish normal DNS behavior baselines by host role, user population, and common applications before alerting aggressively.
Restrict or monitor unexpected network activity from Office applications and system utilities where policy and operations allow.
Document response procedures for suspicious DNS/process correlation findings, including host isolation criteria and evidence preservation.
Use findings from this analytic to inform broader endpoint hardening, DNS monitoring, and incident response readiness assessments.

Analyst notes and limits

ATT&CK provides this as detection analytic AN0109 for Windows, describing correlation of anomalous DNS query activity with processes that do not normally generate network requests and identification of pseudo-random or high-entropy domains associated with DGAs. No tactic, detection logic, or relationship context was supplied, so implementation should be treated as a local engineering exercise rather than a complete MITRE-provided rule.

The supplied object has no official detection field, no tactics, and no relationships. This take does not assert active exploitation, attribution, guaranteed detection, or applicability beyond Windows. Effectiveness depends on local DNS architecture, endpoint telemetry quality, process attribution, and environment-specific baselining.

Official MITRE ATT&CK definition

Analytic 0109

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Modified: Nov 12, 2025, 22:03 UTC (UTC+00:00)
Raw hash: 25464435f67ee884...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.0	Nov 12, 2025, 22:03 UTC (UTC+00:00)	Current bundle	`25464435f67e…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
mitre-attack AN0109
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use