AN1122: Analytic 1122
Detects local daemons or scripts generating outbound DNS queries with long or frequent subdomains, indicative of DNS tunneling via tools like `iodine`, `dnscat2`, or `dig` from cron jobs or reverse shells.
Analyst context for executives and security teams
AN1122 is a Linux-focused detection analytic for spotting outbound DNS activity with unusually long or frequent subdomains from local daemons or scripts. For leaders, the value is that DNS is often broadly allowed and can become a blind spot for covert command-and-control or data movement if network and host telemetry are not retained and reviewed.
Executive priority
Prioritize this as a control-validation item where Linux servers, scheduled jobs, automation, or internet egress are business-critical. Executives should ask whether DNS egress is monitored, whether long or high-volume subdomain patterns are visible, and whether incident responders can quickly tie suspicious DNS traffic back to the originating Linux process, script, service, or account. This supports resilience, audit evidence for egress monitoring, and practical SOC readiness without assuming confirmed malicious activity.
Technical view
Validate that the SOC can detect Linux hosts generating outbound DNS queries with long or frequent subdomains, especially when the source appears to be a local daemon, scheduled script, cron-driven process, reverse shell context, or command-line tooling such as dig. Because no ATT&CK tactic or detailed detection logic is supplied, teams should treat AN1122 as a detection objective rather than a complete rule. The key technical question is whether DNS telemetry can be correlated with Linux process, service, user, and scheduling evidence.
Likely telemetry
- DNS query logs with full query names, source host, timestamp, and resolver path
- Network egress logs showing DNS traffic from Linux systems
- Linux process execution telemetry for DNS-related command-line activity
- Linux service or daemon execution records
- Cron or scheduled job logs
Detection direction
- Baseline normal DNS query length, subdomain depth, and query frequency for Linux server roles before setting thresholds.
- Alert on unusually long or high-frequency subdomain queries, especially when repeated from the same Linux host or service context.
- Correlate DNS anomalies with process execution, cron activity, local scripts, daemons, or shell activity to reduce false positives.
- Review legitimate sources of high-volume DNS such as monitoring agents, service discovery, package managers, backup tools, and internal automation.
- Confirm visibility is not limited to aggregate logs from recursive resolvers; per-host attribution is what makes triage possible.
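The detection direction above, worked through as an added example (not code from the page's author, MITRE or Glexia): it computes subdomain length, label depth and character entropy per query, counts query bursts per (host, base domain) pair in a sliding window, and then correlates each finding with process telemetry from the same host so an analyst lands on a process, parent and user rather than a bare resolver log. The log line formats, thresholds, tool list and sample records are all constructed assumptions; the base-domain split is a naive last-two-labels heuristic, not public-suffix aware.

```python
"""Constructed DNS-tunneling triage: long or high-entropy subdomains, query
bursts per (host, base domain), and correlation with process telemetry.
Added example, not code from the page's author, MITRE or Glexia; log formats,
thresholds, tool list and sample records are assumptions."""
import math
from collections import defaultdict
from datetime import datetime, timedelta

DNS_TOOLS = {"dig", "nslookup", "host", "iodine", "dnscat2"}  # assumed tool names of interest

# Constructed DNS query log: "<ISO timestamp> <source host> <query name>".
DNS_LOG = """\
2024-05-01T10:00:01 web01 api.internal.example.com
2024-05-01T10:00:02 web01 cdn.vendor.example.net
2024-05-01T10:00:03 db02 0123456789abcdef0123456789abcdef0123456789abcdef01234567.x.example.org
2024-05-01T10:00:04 db02 89abcdef0123456789abcdef0123456789abcdef0123456789abcdef.x.example.org
2024-05-01T10:00:05 db02 456789abcdef0123456789abcdef0123456789abcdef0123456789ab.x.example.org
2024-05-01T10:00:06 web01 api.internal.example.com
"""

# Constructed process telemetry: "<ISO timestamp> <host> <user> <comm> <parent> <cmdline>".
PROC_LOG = """\
2024-05-01T10:00:03 db02 root dig cron /usr/bin/dig +short TXT chunk.x.example.org
2024-05-01T10:00:10 web01 app python3 systemd /usr/bin/python3 /opt/app/health.py
"""

def shannon_entropy(s):
    """Bits per character of s; encoded data scores higher than hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def query_features(qname):
    """Naive base-domain split (last two labels; not public-suffix aware)."""
    labels = qname.rstrip(".").lower().split(".")
    sub = labels[:-2]
    subtext = ".".join(sub)
    return {"base": ".".join(labels[-2:]), "sub_len": len(subtext), "depth": len(sub),
            "entropy": shannon_entropy(subtext.replace(".", ""))}

def find_anomalies(dns_log, max_sub_len=52, min_entropy=3.5, burst=50, window_sec=60):
    """Flag (host, base) pairs with long/high-entropy subdomains or bursts.
    Thresholds are placeholders; derive them from per-role baselines."""
    stamps = defaultdict(list)  # (host, base) -> timestamps of every query
    odd = defaultdict(int)      # (host, base) -> long or high-entropy query count
    for line in dns_log.splitlines():
        if not line.strip():
            continue
        ts, host, qname = line.split()
        f = query_features(qname)
        key = (host, f["base"])
        stamps[key].append(datetime.fromisoformat(ts))
        if f["sub_len"] > max_sub_len or (f["sub_len"] >= 24 and f["entropy"] >= min_entropy):
            odd[key] += 1
    findings = []
    for key, times in stamps.items():
        times.sort()
        peak = j = 0
        for i, t in enumerate(times):  # sliding window: most queries within window_sec
            while times[j] < t - timedelta(seconds=window_sec):
                j += 1
            peak = max(peak, i - j + 1)
        reasons = []
        if odd[key]:
            reasons.append(f"{odd[key]} long or high-entropy subdomain queries")
        if peak >= burst:
            reasons.append(f"burst of {peak} queries within {window_sec}s")
        if reasons:
            findings.append({"host": key[0], "base": key[1], "first": times[0],
                             "last": times[-1], "reasons": reasons})
    return findings

def correlate(findings, proc_log, slack_sec=120):
    """Attach same-host process events near the anomaly window that are DNS
    tooling or mention the base domain, so triage lands on a process."""
    events = []
    for line in proc_log.splitlines():
        if line.strip():
            ts, host, user, comm, parent, cmdline = line.split(maxsplit=5)
            events.append({"ts": datetime.fromisoformat(ts), "host": host, "user": user,
                           "comm": comm, "parent": parent, "cmdline": cmdline})
    for f in findings:
        lo, hi = f["first"] - timedelta(seconds=slack_sec), f["last"] + timedelta(seconds=slack_sec)
        f["processes"] = [e for e in events if e["host"] == f["host"] and lo <= e["ts"] <= hi
                          and (e["comm"] in DNS_TOOLS or f["base"] in e["cmdline"])]
    return findings

if __name__ == "__main__":
    for f in correlate(find_anomalies(DNS_LOG, burst=3), PROC_LOG):
        print(f["host"], f["base"], "; ".join(f["reasons"]))
        for p in f["processes"]:
            print("  ", p["parent"], "->", p["comm"], "as", p["user"], ":", p["cmdline"])
```

On the constructed sample, `db02` is reported for three long, high-entropy subdomains under one base domain (and, with the demo burst threshold of 3, for a burst), and the correlation step ties it to a `dig` process whose parent is `cron`; the `web01` queries stay below every threshold. The entropy check is gated on a minimum subdomain length so that short, word-like hostnames are not flagged on entropy alone, and the burst threshold defaults high because legitimate agents, service discovery and package managers routinely produce many queries.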
Mitigation priorities
- Restrict and monitor DNS egress so Linux systems use approved resolvers where operationally feasible.
- Maintain Linux process, scheduling, and DNS logging sufficient to support incident triage.
- Review cron jobs, local scripts, and daemon configurations on systems producing anomalous DNS patterns.
- Apply least privilege to service accounts and automation that can initiate outbound network activity.
- Use asset criticality and business role to prioritize investigation of DNS anomalies from sensitive Linux servers.
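Two of the mitigation priorities above (approved resolvers only, and reviewing cron jobs on hosts with anomalous DNS) can be turned into a repeatable host check. The following is an added example, not code from the page's author, MITRE or Glexia: it reads the standard `resolv.conf` and system-crontab layouts, reports nameservers outside an allowlist, and lists cron entries whose command invokes one of the DNS tools the page names. The approved-resolver set, tool list and file contents are constructed assumptions.

```python
"""Constructed host-side review for the mitigation list: resolver allowlisting
and a cron scan for DNS tooling. Added example, not code from the page's
author, MITRE or Glexia; the approved-resolver set, tool list and file
contents are assumptions (layouts are standard resolv.conf and /etc/crontab)."""
import shlex

APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}  # assumed internal resolvers
DNS_TOOLS = {"dig", "nslookup", "host", "iodine", "dnscat2"}  # assumed tool names

RESOLV_CONF = """\
# constructed sample /etc/resolv.conf
nameserver 10.0.0.53
nameserver 192.0.2.53   # constructed external resolver (TEST-NET address)
search corp.example
"""

CRONTAB = """\
# constructed sample system crontab: schedule, user, command
SHELL=/bin/sh
*/5 * * * * root /usr/local/bin/backup-check.sh
* * * * * nobody /usr/bin/dig +short TXT status.x.example.org
@daily root /usr/bin/apt-get update -q
"""

def resolvers(text):
    """nameserver entries in resolv.conf order; '#' and ';' start comments."""
    out = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(";", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            out.append(parts[1])
    return out

def unapproved_resolvers(text, approved=APPROVED_RESOLVERS):
    """Resolvers the host would use that are not on the allowlist."""
    return [r for r in resolvers(text) if r not in approved]

def cron_entries_using_dns_tools(text, tools=DNS_TOOLS):
    """System-crontab entries whose command invokes a listed DNS tool."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or VAR=value line
        n = 1 if line.startswith("@") else 5  # @daily-style shorthand is one field
        parts = line.split(None, n + 1)
        if len(parts) < n + 2:
            continue
        schedule, user, command = " ".join(parts[:n]), parts[n], parts[n + 1]
        try:
            argv = shlex.split(command)
        except ValueError:
            argv = command.split()  # unbalanced quotes: fall back to whitespace split
        used = sorted({a.rsplit("/", 1)[-1] for a in argv} & tools)
        if used:
            hits.append({"schedule": schedule, "user": user, "command": command, "tools": used})
    return hits

if __name__ == "__main__":
    print("unapproved resolvers:", unapproved_resolvers(RESOLV_CONF))
    for h in cron_entries_using_dns_tools(CRONTAB):
        print("cron", h["schedule"], "as", h["user"], "uses", h["tools"], ":", h["command"])
```

Run against the real files on a host that the analytic flagged, the two lists are the first things to reconcile with the owning team: a resolver outside the approved set means DNS egress is not actually constrained on that system, and a scheduled DNS lookup that nobody can account for is exactly the cron-driven pattern the analytic describes.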
Analyst notes and limits
This object is a detection analytic, not a technique description. The supplied ATT&CK fields identify Linux as the platform and describe suspicious outbound DNS patterns involving long or frequent subdomains from local daemons or scripts. No relationship context, tactic mapping, or official detection logic was supplied, so this analysis focuses on validation questions and telemetry requirements rather than a prescriptive rule.
No official detection content, ATT&CK tactics, relationships, threat actor context, impact claims, or active exploitation evidence were supplied. Local baselines are required to distinguish suspicious DNS tunneling indicators from legitimate high-volume or automation-driven DNS behavior.
Analytic 1122
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 271136fcc65f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1122 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.