AN1178: Analytic 1178
Correlate DNS queries that generate domains with high entropy or gibberish patterns, combined with short-lived connections from unusual processes. Monitor Sysmon DNS events and Windows Security logs for abnormal query rates and failed lookups.
Analyst context for executives and security teams
This analytic matters because high-entropy or gibberish-looking DNS queries, especially when paired with short-lived connections from unusual Windows processes, can indicate automated or non-human network behavior that deserves SOC review. For leaders, the value is not the pattern alone; it is whether the organization can connect DNS activity, process context, and Windows event evidence quickly enough to support incident triage and containment decisions.
Executive priority
Prioritize this as a coverage validation item for Windows endpoint and DNS monitoring. The business question is whether security teams can prove they collect and correlate DNS queries, failed lookups, abnormal query rates, and process-level context. That evidence supports incident response readiness, managed detection quality, and compliance-style audit questions around monitoring effectiveness. Because no ATT&CK tactic or relationship context is supplied, treat it as a detection engineering control check rather than a standalone risk conclusion.
Technical view
On Windows, validate correlation between Sysmon DNS events, Windows Security logs, DNS query characteristics, process identity, query volume, failed lookups, and short-lived outbound connections. Detection engineering should focus on whether high-entropy or gibberish-pattern domains are being generated by unusual processes, and whether query bursts or repeated failures differ from expected enterprise software behavior. Since the official object provides no separate detection logic, teams should locally define thresholds, allowlists, and process baselines before operationalizing alerts.
Likely telemetry
- Sysmon DNS events on Windows endpoints
- Windows Security logs
- DNS query records, including queried domain names and lookup outcomes
- Process context associated with DNS activity
- Network connection metadata showing short-lived outbound connections
Detection direction
- Confirm Sysmon DNS telemetry is enabled and consistently collected from relevant Windows systems.
- Correlate domain entropy or gibberish-pattern scoring with process names, parent process context, and connection duration rather than alerting on domain appearance alone.
- Tune for abnormal query rates and failed lookups while accounting for legitimate software that generates randomized hostnames or performs frequent DNS checks.
- Baseline expected DNS behavior by host role and process to reduce false positives from browsers, update agents, security tools, and enterprise applications.
- Validate that alerts preserve enough evidence for triage: host, user if available, process, queried domain, lookup result, timestamp, and related connection metadata.
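The following is an added example, not part of the MITRE analytic or of Glexia's page, showing one way to implement the correlation described in the technical view and the detection direction list above: score the registrable label of each queried domain for entropy and a gibberish (vowel-poor) pattern, skip allowlisted suffixes, then aggregate per process the failed lookups, the peak query burst, and the short-lived outbound connections before deciding to flag. The Sysmon-like DNS records, the connection records, the allowlist and all thresholds are constructed for illustration; in particular, a connection's duration is not a Sysmon Event ID 3 field and is assumed here to come from flow or firewall logs.

```python
import math
from collections import defaultdict

# Constructed sample telemetry (not real events), loosely modelled on Sysmon
# Event ID 22 (DnsQuery) fields. "duration_s" is an assumed derived field that a
# real pipeline would join in from flow or firewall logs.
DNS_EVENTS = [
    {"ts": 0, "image": r"C:\Windows\System32\svchost.exe", "query": "ctldl.windowsupdate.com", "result": "ok"},
    {"ts": 2, "image": r"C:\Program Files\Browser\browser.exe", "query": "www.example.com", "result": "ok"},
    {"ts": 5, "image": r"C:\Users\Public\update.exe", "query": "xk7qwz3rtplnv.net", "result": "nxdomain"},
    {"ts": 6, "image": r"C:\Users\Public\update.exe", "query": "mq9zkwprtvxy.com", "result": "nxdomain"},
    {"ts": 7, "image": r"C:\Users\Public\update.exe", "query": "zpwkrtqxmvln.org", "result": "nxdomain"},
    {"ts": 8, "image": r"C:\Users\Public\update.exe", "query": "qwrtzpxk2mvn.info", "result": "ok"},
    {"ts": 9, "image": r"C:\Program Files\Browser\browser.exe", "query": "assets.cdnhost.net", "result": "ok"},
]
CONN_EVENTS = [
    {"ts": 8, "image": r"C:\Users\Public\update.exe", "dst": "203.0.113.10", "duration_s": 1.2},
    {"ts": 3, "image": r"C:\Program Files\Browser\browser.exe", "dst": "198.51.100.7", "duration_s": 45.0},
]

# Tuning knobs: constructed starting points, to be replaced by local baselines.
ALLOWLIST_SUFFIXES = ("windowsupdate.com", "microsoft.com")
ENTROPY_THRESHOLD = 3.5          # bits per character of the registrable label
MIN_LABEL_FOR_VOWEL_CHECK = 10   # only long labels are judged on vowel ratio
SHORT_CONN_SECONDS = 5.0         # connections at or below this count as short-lived
BURST_WINDOW_SECONDS = 10


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character of the given string."""
    if not text:
        return 0.0
    n = len(text)
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(domain: str) -> str:
    """Second-to-last label. Simplification: a real deployment should use the
    public suffix list so that 'foo.co.uk' does not reduce to 'co'."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_allowlisted(domain: str) -> bool:
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in ALLOWLIST_SUFFIXES)


def looks_generated(domain: str) -> bool:
    """High-entropy or vowel-poor registrable label, unless allowlisted."""
    if is_allowlisted(domain):
        return False
    label = registrable_label(domain)
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return (shannon_entropy(label) >= ENTROPY_THRESHOLD
            or (len(label) >= MIN_LABEL_FOR_VOWEL_CHECK and vowel_ratio < 0.2))


def peak_queries(timestamps, window_s=BURST_WINDOW_SECONDS) -> int:
    """Largest number of queries falling inside any window of window_s seconds."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def score_processes(dns_events, conn_events, min_generated=3):
    """Aggregate DNS and connection evidence per process image and flag those
    with several generated-looking domains plus failed lookups or short connections."""
    per_proc = defaultdict(lambda: {"queries": 0, "failed": 0, "generated": 0,
                                    "short_conns": 0, "domains": [], "ts": []})
    for ev in dns_events:
        p = per_proc[ev["image"]]
        p["queries"] += 1
        p["ts"].append(ev["ts"])
        if ev["result"] != "ok":
            p["failed"] += 1
        if looks_generated(ev["query"]):
            p["generated"] += 1
            p["domains"].append(ev["query"])
    for ev in conn_events:
        if ev["duration_s"] <= SHORT_CONN_SECONDS:
            per_proc[ev["image"]]["short_conns"] += 1
    for p in per_proc.values():
        p["peak_10s"] = peak_queries(p["ts"])
        # Domain appearance alone never fires; it needs corroborating evidence.
        p["flagged"] = p["generated"] >= min_generated and (p["failed"] > 0 or p["short_conns"] > 0)
    return dict(per_proc)


def flagged_processes(dns_events, conn_events):
    return sorted(img for img, p in score_processes(dns_events, conn_events).items() if p["flagged"])


if __name__ == "__main__":
    for image, p in score_processes(DNS_EVENTS, CONN_EVENTS).items():
        print(f"{image}: queries={p['queries']} failed={p['failed']} generated={p['generated']} "
              f"peak_10s={p['peak_10s']} short_conns={p['short_conns']} flagged={p['flagged']}")
```

The flag rule deliberately requires corroboration (failed lookups or a short-lived connection) on top of the domain scoring, which matches the direction above of not alerting on domain appearance alone; the per-process output keeps the queried domains, lookup results and connection count so an alert carries the triage evidence listed in the last bullet. Baselines by host role and process should feed the allowlist and the `min_generated` threshold rather than being hard-coded as here.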
Mitigation priorities
- First, close telemetry gaps: ensure Windows DNS and security logging needed by the analytic is collected and retained.
- Next, establish baselines and tuning rules for legitimate high-volume or randomized DNS behavior in the environment.
- Then, integrate correlated DNS/process findings into SOC triage and incident response workflows with clear escalation criteria.
- Finally, review endpoint and network control posture for unusual processes initiating DNS activity, using local policy and risk context to decide containment or investigation steps.
Analyst notes and limits
The supplied object is a detection analytic, not a technique, and it has no supplied tactics, relationships, aliases, labels, or separate detection section. The strongest use is as a practical validation of DNS/process correlation on Windows, especially for SOC and managed detection readiness.
This take is limited to the official fields provided. It does not establish attacker intent, malware family, campaign activity, impact, or guaranteed detection. Local environment baselines are required because high-entropy domains, failed lookups, and short-lived connections can occur in benign enterprise activity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | ee1124ef767a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1178 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.