AN0728: Analytic 0728
Monitor DNS query results where subsequent connections use derived or unusual port numbers not explicitly resolved, especially when tied to suspicious processes. Correlate Sysmon DNS logs (Event ID 22) with process creation and socket activity.
Analyst context for executives and security teams
AN0728 is a Windows-focused detection analytic for spotting cases where DNS lookups are followed by network connections that use unusual or derived ports, especially from suspicious processes. Its business value is in validating whether the SOC can connect DNS activity, process execution, and socket behavior into one investigation path rather than reviewing each signal in isolation.
Executive priority
Prioritize this analytic where Windows endpoint visibility and outbound network monitoring are important to incident triage and audit evidence. The key leadership question is whether teams can prove which process performed a DNS lookup and what network connection followed, including destination port. Without that correlation, investigations may miss suspicious outbound behavior or spend extra time manually reconstructing activity.
Technical view
For Windows environments, validate correlation between Sysmon DNS logs, specifically Event ID 22, process creation telemetry, and socket or network connection activity. Detection engineering should test whether DNS query results can be joined to subsequent connections by host, process identity, time window, destination, and port. Because ATT&CK does not specify tactics or related techniques for this analytic, implementation should remain behavior-focused rather than attribution- or campaign-focused.
Likely telemetry
- Sysmon DNS query events, including Event ID 22
- Windows process creation events
- Process metadata such as executable path, parent process, command line, and process identifier where collected
- Socket or network connection activity from the endpoint
- Destination IP address, destination port, protocol, timestamp, and host identity
Detection direction
- Confirm Sysmon DNS logging is enabled and consistently collected from relevant Windows systems.
- Validate joins between DNS query results, process creation, and subsequent socket activity within an appropriate time window.
- Tune for connections that use unusual or derived ports not explicitly resolved in DNS context, especially when associated with suspicious or uncommon processes.
- Account for false positives from legitimate applications that use dynamic ports, service discovery, content delivery infrastructure, or custom update mechanisms.
- Measure blind spots where endpoint DNS telemetry, process creation logs, or socket activity are missing, delayed, or not normalized consistently.
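The correlation described in the technical view and the detection direction above, written out as an added example (this is not ATT&CK or Glexia code). It joins Sysmon Event ID 22 (DnsQuery) records to later Event ID 3 (NetworkConnect) records from the same host and ProcessGuid, pulls parent-process lineage from Event ID 1 (ProcessCreate), and flags connections to a resolved address on a port outside a baseline set. The field names are Sysmon's own; the 120-second window, the baseline port set, and the sample telemetry are constructed assumptions that stand in for the local baselines the page says are required.

```python
"""Correlate Sysmon DNS lookups (Event ID 22) with subsequent network
connections (Event ID 3) and flag connections on non-baseline ports."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed local tuning values; the page states these must come from local baselines.
WINDOW = timedelta(seconds=120)
BASELINE_PORTS = {53, 80, 443}


def parse_utc(ts):
    """Parse the Sysmon UtcTime field, e.g. '2024-05-01 10:15:30.123'."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")


def resolved_ips(query_results):
    """Extract answer IPs from a Sysmon Event ID 22 QueryResults string.

    The field is ';'-separated; CNAME answers appear as 'type: 5 <name>' and
    IPv4 answers are written as IPv4-mapped IPv6 ('::ffff:203.0.113.10').
    """
    ips = set()
    for token in query_results.split(";"):
        token = token.strip()
        if not token or token.startswith("type:"):
            continue
        if token.startswith("::ffff:"):
            token = token[len("::ffff:"):]
        ips.add(token)
    return ips


def correlate(events, window=WINDOW, baseline_ports=BASELINE_PORTS):
    """Join each Event ID 3 connection to the most recent Event ID 22 lookup
    from the same (Computer, ProcessGuid) whose answers contain the destination
    IP. Returns (findings, unmatched): findings are resolved-destination
    connections on a port outside the baseline; unmatched are connections with
    no in-window lookup, useful for measuring telemetry blind spots."""
    procs = {}                   # (Computer, ProcessGuid) -> Event ID 1 record
    dns = defaultdict(list)      # (Computer, ProcessGuid) -> [(time, event, ips)]
    conns = []
    for e in events:
        key = (e["Computer"], e["ProcessGuid"])
        if e["EventID"] == 1:
            procs[key] = e
        elif e["EventID"] == 22:
            dns[key].append((parse_utc(e["UtcTime"]), e, resolved_ips(e["QueryResults"])))
        elif e["EventID"] == 3:
            conns.append((key, parse_utc(e["UtcTime"]), e))

    findings, unmatched = [], []
    for key, t_conn, conn in conns:
        match = None
        for t_dns, q, ips in dns.get(key, []):
            in_window = timedelta(0) <= t_conn - t_dns <= window
            if in_window and conn["DestinationIp"] in ips and (match is None or t_dns > match[0]):
                match = (t_dns, q)
        if match is None:
            unmatched.append(conn)
            continue
        dport = int(conn["DestinationPort"])
        if dport in baseline_ports:
            continue
        findings.append({
            "Computer": conn["Computer"],
            "Image": conn["Image"],
            "ParentImage": procs.get(key, {}).get("ParentImage", "unknown"),
            "QueryName": match[1]["QueryName"],
            "DestinationIp": conn["DestinationIp"],
            "DestinationPort": dport,
            "SecondsAfterLookup": (t_conn - match[0]).total_seconds(),
        })
    return findings, unmatched


# Constructed sample telemetry (not real logs); addresses use documentation ranges.
UPDATER = r"C:\Users\bob\AppData\Local\Temp\updater.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "ProcessGuid": "{A1}", "UtcTime": "2024-05-01 10:15:00.000",
     "Image": UPDATER, "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 22, "Computer": "WS01", "ProcessGuid": "{A1}", "UtcTime": "2024-05-01 10:15:30.100",
     "Image": UPDATER, "QueryName": "cdn-updates.example.net",
     "QueryResults": "type: 5 edge.example.net;::ffff:203.0.113.10;"},
    # Resolved destination, non-baseline port, 1.15 s after the lookup: flagged.
    {"EventID": 3, "Computer": "WS01", "ProcessGuid": "{A1}", "UtcTime": "2024-05-01 10:15:31.250",
     "Image": UPDATER, "DestinationIp": "203.0.113.10", "DestinationPort": "8443"},
    {"EventID": 22, "Computer": "WS01", "ProcessGuid": "{B2}", "UtcTime": "2024-05-01 10:16:00.000",
     "Image": CHROME, "QueryName": "www.example.com", "QueryResults": "::ffff:198.51.100.5;"},
    # Resolved destination on a baseline port: correlated but not flagged.
    {"EventID": 3, "Computer": "WS01", "ProcessGuid": "{B2}", "UtcTime": "2024-05-01 10:16:00.400",
     "Image": CHROME, "DestinationIp": "198.51.100.5", "DestinationPort": "443"},
    # Same process and IP, but 210 s after the lookup: outside the window, so unmatched.
    {"EventID": 3, "Computer": "WS01", "ProcessGuid": "{A1}", "UtcTime": "2024-05-01 10:19:00.000",
     "Image": UPDATER, "DestinationIp": "203.0.113.10", "DestinationPort": "4444"},
]

if __name__ == "__main__":
    flagged, no_dns = correlate(SAMPLE_EVENTS)
    for f in flagged:
        print("FLAG", f)
    print(f"{len(no_dns)} connection(s) had no in-window DNS lookup")
```

The unmatched list is as useful as the findings: a high proportion of connections with no preceding in-window lookup from the same process usually points at missing or unsynchronised Event ID 22 collection rather than at adversary behaviour, which is the blind-spot measurement the last item above calls for.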
Mitigation priorities
- Start with telemetry readiness: ensure DNS, process creation, and network connection evidence is collected and retained for investigation.
- Standardize endpoint logging configuration on Windows systems so correlation fields are available to the SOC.
- Review outbound network governance and egress monitoring for visibility into unusual destination ports.
- Use incident response playbooks that require analysts to pivot from DNS lookup to process lineage and network connection details.
- Document logging and correlation coverage as compliance or control evidence where required.
Analyst notes and limits
This object is a detection analytic, not a technique or procedure. The supplied ATT&CK content provides a concise analytic description but no official detection logic, tactics, relationships, or adversary context. Treat it as guidance for validating correlation coverage across DNS, process, and socket telemetry on Windows.
No relationship context, tactics, official detection code, or mitigation mappings were supplied. Local baselines are required to decide what counts as an unusual port, suspicious process, or meaningful time window. This take does not imply active exploitation, attribution, or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 98888f1af342… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0728
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.