AN1121: Analytic 1121
Detects high-frequency or anomalous DNS queries initiated by non-browser, non-system processes (e.g., PowerShell, rundll32, python.exe) used to establish command and control via DNS tunneling.
Analyst context for executives and security teams
This analytic matters because DNS is often allowed through enterprise networks, so unusual DNS activity from tools like PowerShell, rundll32, or python.exe can be a practical signal of command-and-control behavior using DNS tunneling. For leaders, the decision point is whether the organization can distinguish normal business DNS use from high-frequency or anomalous DNS activity generated by non-browser, non-system Windows processes.
Executive priority
Prioritize validation where Windows endpoints, DNS logging, and SOC correlation are expected to provide evidence during an incident. This is useful for business resilience and audit readiness because it tests whether a common network service can be monitored well enough to support containment decisions. Budget and control discussions should focus on DNS visibility, endpoint process context, and the ability to investigate suspicious process-to-DNS behavior without relying on a single telemetry source.
Technical view
For SOC and detection teams, validate that Windows endpoint telemetry can associate DNS queries with initiating processes and that DNS infrastructure logs preserve query frequency and destination context. The analytic is specifically framed around high-frequency or anomalous DNS queries from non-browser, non-system processes such as PowerShell, rundll32, and python.exe. Because no official detection logic is supplied, teams should treat this as a detection objective rather than a ready-to-deploy rule and tune baselines against local administrative tools, automation, developer workflows, and security products that may legitimately generate DNS traffic.
Likely telemetry
- Windows endpoint process execution telemetry
- Process-to-network or process-to-DNS correlation data
- DNS query logs from resolvers or endpoint sensors
- Command-line and parent-process context for non-browser processes
- Query volume, frequency, domain, and timing metadata
Detection direction
- Confirm whether DNS queries can be attributed to the initiating Windows process, not only to the host.
- Baseline normal DNS volume and destinations for non-browser, non-system processes before alerting on frequency alone.
- Review PowerShell, rundll32, python.exe, and similar interpreters or utilities generating unusual DNS patterns.
- Tune for known administrative scripts, development tooling, monitoring agents, and security tools to reduce false positives.
- Correlate anomalous DNS behavior with process lineage and command-line context to support triage.
Mitigation priorities
- Ensure DNS logging and endpoint telemetry collection are enabled and retained for incident investigation.
- Limit unnecessary use of scripting and interpreter tools where business operations permit.
- Apply least privilege and application control principles to reduce unauthorized execution of non-browser tooling.
- Route enterprise DNS through monitored resolvers where feasible and governed by policy.
- Use incident response playbooks that include process containment, DNS evidence preservation, and review of suspicious query patterns.
Analyst notes and limits
This object is a detection analytic, not a technique description. It provides a clear behavioral focus: anomalous or high-frequency DNS queries from non-browser, non-system Windows processes associated with DNS tunneling command and control. There are no supplied ATT&CK relationships, tactics, or official detection logic, so local implementation must define thresholds, baselines, and triage criteria.
The supplied ATT&CK fields do not include a detection query, data component mappings, relationships, or tactics. This take is limited to Windows because that is the only platform provided. Effectiveness depends on local DNS visibility, endpoint process attribution, retention, and tuning against legitimate non-browser DNS activity.
Analytic 1121
Detects high-frequency or anomalous DNS queries initiated by non-browser, non-system processes (e.g., PowerShell, rundll32, python.exe) used to establish command and control via DNS tunneling.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 2def7f8e859c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN1121Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.