MITRE ATT&CK® Analytic

AN1179: Analytic 1179

Identify processes issuing repeated DNS queries to random-looking domains with abnormal entropy or word concatenations. Correlate resolver logs with high NXDOMAIN rates and auditd socket connections.

Domain: Enterprise. Object: AN1179 (Analytic), version 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because repeated DNS lookups to random-looking or high-entropy domains can be an early signal that a Linux workload is communicating with automated infrastructure, such as algorithmically generated domains or other suspicious name-resolution patterns. For leaders, the practical question is whether DNS and Linux process telemetry are good enough to connect suspicious resolver activity back to the responsible process before an investigation becomes slower and more disruptive.

Executive priority

Prioritize this as a visibility and response-readiness check for Linux environments. The business value is not just detecting unusual DNS names; it is proving that SOC and incident response teams can tie abnormal DNS behavior, high NXDOMAIN rates, and socket activity to a specific process or host. That evidence supports faster containment decisions, stronger audit defensibility, and better prioritization of Linux monitoring investments.

Technical view

For Linux systems, validate whether resolver logs can be correlated with host-level process and network evidence, especially auditd socket connections. The analytic focuses on processes that issue repeated DNS queries to domains with abnormal entropy or word-concatenation patterns, combined with high NXDOMAIN rates. Detection engineering should test correlation across DNS query volume, domain randomness characteristics, resolver response codes, host identity, process identity, and timing. Because no ATT&CK tactic or relationship context is supplied, treat this as a behavior-specific analytic rather than a complete technique coverage claim.

Likely telemetry

  • DNS resolver logs, including queried domain, source host, timestamp, and response code
  • NXDOMAIN response rates by host, process context where available, and time window
  • Linux auditd records for socket connections
  • Host process metadata associated with network activity
  • Asset and workload inventory for Linux systems to distinguish expected resolvers, agents, and application behavior

Detection direction

  • Validate that DNS logs and Linux auditd telemetry can be joined reliably by host and time; process-level attribution is the key coverage question.
  • Tune for repeated queries to random-looking domains using entropy, unusual word concatenation, and high NXDOMAIN rates rather than single suspicious lookups.
  • Baseline legitimate Linux services, security tools, package managers, service discovery, and application frameworks that may generate unusual or failed DNS traffic.
  • Review blind spots such as systems not forwarding resolver logs, local caching resolvers that obscure the originating process, containers or ephemeral workloads with weak host attribution, and auditd configurations that do not capture relevant socket activity.
  • Use this analytic as a triage lead requiring enrichment, not as standalone proof of malicious activity.
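As an added illustration of the correlation logic described above (this is example code, not part of the MITRE analytic or the Glexia page), the following Python scores each queried second-level label by Shannon entropy, aggregates per-host query counts and NXDOMAIN rate so that only repeated random-looking lookups are flagged, and then joins flagged hosts to auditd-style socket records inside a time window. The resolver log format, the auditd record format, the thresholds, and the host and process names are all assumptions.

```python
import math
from collections import Counter, defaultdict
# Constructed resolver log lines, not from the page (assumed format: ts host qname rcode).
RESOLVER_LOG = """\
1700000001 web01 api.example.com NOERROR
1700000003 web02 x7qk2ldpz9m.net NXDOMAIN
1700000004 web02 rt3vn8zqjw1.com NXDOMAIN
1700000005 web02 p0dk93xmfl.org NXDOMAIN
1700000006 web02 updates.example.com NOERROR
1700000007 web02 zq8lm4vxh2t.net NXDOMAIN
"""
# Constructed, pre-normalised auditd socket records (assumed format: ts host pid comm).
AUDIT_SOCKETS = """\
1700000001 web01 310 nginx
1700000003 web02 4242 cron_helper
1700000900 web02 4300 apt
"""

def shannon_entropy(label):
    """Bits per character of a DNS label; random-looking labels score high."""
    n, counts = len(label), Counter(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def sld_label(qname):
    """Second-level label, where algorithmically generated randomness usually sits."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def flag_hosts(log_text, entropy_min=3.2, nx_rate_min=0.5, min_queries=3):
    """Flag hosts with repeated high-entropy lookups AND a high NXDOMAIN rate; returns {host: (first_ts, last_ts)}."""
    per_host = defaultdict(lambda: {"total": 0, "nx": 0, "rand": 0, "ts": []})
    for line in log_text.splitlines():
        ts, host, qname, rcode = line.split()
        s = per_host[host]
        s["total"] += 1
        s["nx"] += int(rcode == "NXDOMAIN")
        s["rand"] += int(shannon_entropy(sld_label(qname)) >= entropy_min)
        s["ts"].append(int(ts))
    return {h: (min(s["ts"]), max(s["ts"])) for h, s in per_host.items()
            if s["total"] >= min_queries and s["rand"] >= 2
            and s["nx"] / s["total"] >= nx_rate_min}

def correlate(flagged, audit_text, window=60):
    """Join flagged hosts to auditd socket events inside the query window (+/- window seconds)."""
    hits = defaultdict(list)
    for line in audit_text.splitlines():
        ts, host, pid, comm = line.split()
        if host in flagged and flagged[host][0] - window <= int(ts) <= flagged[host][1] + window:
            hits[host].append((int(pid), comm))
    return dict(hits)  # e.g. {'web02': [(4242, 'cron_helper')]}
```

On the constructed input only web02 is flagged (four of five lookups are high-entropy NXDOMAINs), and only the cron_helper socket event falls inside its query window; the later apt event is excluded, which is the kind of baseline noise the tuning bullets above describe.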

Mitigation priorities

  • First ensure Linux DNS logging, resolver visibility, and auditd socket monitoring are enabled where operationally appropriate.
  • Establish baselines for expected DNS failure rates and domain patterns across Linux server roles and workloads.
  • Create investigation playbooks that map suspicious DNS patterns to host, process, owner, and business service before containment decisions.
  • Reduce exposure from unmonitored or unmanaged Linux assets by improving inventory and logging coverage.
  • Document telemetry retention and correlation capability as compliance and incident-response evidence.

Analyst notes and limits

The supplied object is a detection analytic, AN1179, for Linux. It describes identifying repeated DNS queries to random-looking domains and correlating resolver logs with high NXDOMAIN rates and auditd socket connections. No tactics, detection text beyond the description, aliases, labels, or relationship context were supplied.

This take is limited to the official STIX fields, external reference, and empty relationship context provided. It does not assert active exploitation, attribution, impact, or complete detection coverage. Local validation is required to determine whether the organization collects the necessary DNS, auditd, process, and asset telemetry.

Official MITRE ATT&CK definition

Analytic 1179

Identify processes issuing repeated DNS queries to random-looking domains with abnormal entropy or word concatenations. Correlate resolver logs with high NXDOMAIN rates and auditd socket connections.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 24adbcb5f62f5187...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 24adbcb5f62f…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack, AN1179 (open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.