AN1148: Analytic 1148
Monitor DNS queries, proxy logs, and user-agent strings for anomalous patterns associated with adversary attempts to hide infrastructure. Defenders may observe DNS resolutions to short-lived domains, abnormal WHOIS registration data, or filtering of known defensive/responder IP addresses.
Analyst context for executives and security teams
This analytic is about spotting infrastructure-hiding behavior through network-facing evidence: DNS queries, proxy activity, user-agent strings, short-lived domains, unusual WHOIS details, and signs that defensive or responder IPs may be filtered. For leaders, the practical value is validating whether the organization can see adversary infrastructure choices early enough to support containment, blocking, and incident scoping decisions.
Executive priority
Prioritize this as a visibility and response-readiness question: do SOC and incident response teams have usable DNS, proxy, and HTTP user-agent evidence for Windows environments, and can they correlate it quickly enough to support business continuity decisions? This analytic can also support audit and compliance evidence by demonstrating monitoring for suspicious external communications, but the supplied ATT&CK object does not specify a tactic, technique relationship, or guaranteed detection outcome.
Technical view
For Windows-relevant monitoring, validate collection and retention of DNS query logs, proxy logs, HTTP user-agent strings, and enrichment sources that can identify short-lived domains or abnormal WHOIS registration attributes. Detection engineering should focus on anomalous combinations rather than single indicators: unusual domain age or churn, unexpected user-agent values, proxy destinations with suspicious registration characteristics, and access patterns suggesting filtering of known defensive or responder IP ranges. Because no official detection logic is supplied, teams must define local baselines and test against their own proxy, DNS, and enrichment data quality.
Likely telemetry
- DNS query and resolution logs
- Proxy logs and web gateway records
- HTTP request metadata, especially user-agent strings
- Domain registration or WHOIS enrichment data
- Domain age, domain churn, or short-lived domain indicators
Detection direction
- Confirm DNS and proxy logging coverage for Windows systems and ensure logs include timestamps, source host or user context, destination domain, and request metadata where available.
- Baseline normal user-agent strings and investigate rare, malformed, or environment-inconsistent values before treating them as malicious.
- Tune for combinations of suspicious signals, such as newly observed domains plus unusual user-agent strings or proxy activity to domains with abnormal registration details.
- Validate enrichment reliability for WHOIS and domain-age data; missing or delayed enrichment is a likely blind spot.
- Account for false positives from legitimate short-lived infrastructure, content delivery, testing environments, privacy services, and newly registered business domains.
Mitigation priorities
- Establish or verify centralized DNS and proxy logging with retention aligned to incident response needs.
- Add domain registration, age, and reputation-style enrichment where governance permits, and document data quality limitations.
- Standardize web and proxy policy review for unusual user-agent behavior and suspicious newly observed domains.
- Ensure incident response playbooks include steps to pivot from DNS/proxy/user-agent anomalies to affected Windows hosts, users, and time windows.
- Use findings to prioritize gaps in network monitoring, enrichment, and alert triage rather than relying on single-indicator blocking alone.
Analyst notes and limits
The supplied object is a detection analytic, not a technique description. It provides useful monitoring themes but no formal detection logic, tactics, relationships, or procedure examples. Treat it as a coverage validation prompt for DNS, proxy, user-agent, and domain-registration visibility.
This take is limited to the official STIX fields, external reference, and supplied relationship context. No active exploitation, attribution, specific ATT&CK technique relationship, detection coverage, or non-Windows platform applicability is implied.
Analytic 1148
Monitor DNS queries, proxy logs, and user-agent strings for anomalous patterns associated with adversary attempts to hide infrastructure. Defenders may observe DNS resolutions to short-lived domains, abnormal WHOIS registration data, or filtering of known defensive/responder IP addresses.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | c511a00c8a27… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN1148Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.