AN1331: Analytic 1331
Identify repeated DNS resolutions where the same domain name returns multiple IPs in short succession, combined with low TTL values and high query volume from unusual processes. Correlate with process lineage (e.g., Office apps spawning abnormal DNS lookups).
Analyst context for executives and security teams
Analytic 1331 is useful because it focuses on DNS behavior that may reveal rapidly shifting infrastructure: the same domain resolving to multiple IP addresses in a short period, low TTL values, high query volume, and DNS lookups coming from unusual Windows processes. For leaders, the value is not the analytic alone but whether the organization can connect DNS activity to the process and user context needed to make fast containment decisions.
Executive priority
Prioritize this as a visibility and response-readiness check for Windows environments. The business question is whether SOC and IR teams can prove which endpoint process generated suspicious DNS activity, distinguish it from legitimate CDN or cloud behavior, and act before an investigation stalls on DNS-only evidence that cannot name the responsible process or user. It also supports compliance and audit conversations around endpoint monitoring, DNS logging, and incident evidence quality.
Technical view
On Windows, validate that detection content can identify repeated resolutions where one domain returns multiple IPs in short succession, with low TTLs and elevated query volume, and then correlate those events to process lineage. The supplied analytic specifically calls out unusual processes and examples such as Office applications spawning abnormal DNS lookups. Because no tactic, relationship, or formal detection logic is supplied, teams should treat this as a detection engineering requirement rather than a ready rule.
Likely telemetry
- DNS query and response logs including domain, timestamp, returned IP addresses, response code, and TTL
- Endpoint telemetry that attributes DNS lookups or network connections to a Windows process
- Process creation and parent-child process lineage, especially for Office applications and other user-facing processes
- Host identity, user identity, and device context for scoping and triage
- Baseline data for normal domain resolution patterns, common CDN/cloud domains, and expected process DNS behavior
Detection direction
- Confirm DNS telemetry preserves TTL and returned IP values; many environments log queries but not enough response detail for this analytic.
- Tune time windows and thresholds for 'multiple IPs in short succession' and 'high query volume' using local baselines.
- Correlate suspicious domains with process lineage before alert escalation; DNS-only alerts may be noisy.
- Create allowlist or suppression logic for legitimate CDN, SaaS, cloud load-balancing, and software update patterns that can resemble rapid IP rotation.
- Review detections for Office applications or other unusual parent processes generating abnormal DNS lookups, while accounting for legitimate add-ins, macros, and integrations.
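The detection direction above can be exercised end to end with a small sliding-window detector. The following is an added example written for this page, not MITRE's or Glexia's code: the record layout (timestamp, host, image, parent image, query, answers, TTL), the thresholds, the Office-process lineage set, the CDN allowlist patterns and the sample events are all constructed assumptions for illustration, not a vendor schema or a tuned production rule. It shows the three decisions the analytic requires in order: suppress allowlisted rotation, test the multiple-IP / low-TTL / volume thresholds per host and domain, then use process lineage to set severity rather than to gate the alert entirely.

```python
"""Sliding-window detector for rapidly rotating DNS answers joined to process lineage.

Added example for Analytic 1331; not MITRE's or Glexia's code. The record layout,
thresholds, allowlist and sample events are assumptions chosen to illustrate the
analytic, not a product schema or a tuned production rule.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from fnmatch import fnmatch

# Processes that rarely have a reason to resolve arbitrary domains, themselves or
# via a child; the analytic names Office applications as the example.
UNUSUAL_LINEAGE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Domains whose legitimate CDN / load-balancing behaviour looks like rotation.
# Constructed patterns; replace with locally baselined infrastructure.
ALLOWLIST = ["*.example-cdn.net", "*.windowsupdate.com"]

# Constructed telemetry (not real logs): one row per DNS response already joined
# to the querying process. A real pipeline joins a resolver log (TTL, answers)
# to an endpoint DNS/process event on host, timestamp and query name.
SAMPLE_EVENTS = [
    # (timestamp, host, image, parent_image, query, answers, ttl_seconds)
    ("2024-05-01T09:00:00", "WS01", "cmd.exe", "WINWORD.EXE", "beacon.example", ["198.51.100.11"], 20),
    ("2024-05-01T09:00:30", "WS01", "cmd.exe", "WINWORD.EXE", "beacon.example", ["198.51.100.12"], 20),
    ("2024-05-01T09:01:00", "WS01", "cmd.exe", "WINWORD.EXE", "beacon.example", ["198.51.100.13"], 20),
    ("2024-05-01T09:01:30", "WS01", "cmd.exe", "WINWORD.EXE", "beacon.example", ["198.51.100.14"], 20),
    ("2024-05-01T09:02:00", "WS01", "cmd.exe", "WINWORD.EXE", "beacon.example", ["198.51.100.11"], 20),
    # Browser hitting a CDN: many answers, low TTL, high volume, but allowlisted.
    ("2024-05-01T09:00:00", "WS01", "chrome.exe", "explorer.exe", "img.example-cdn.net", ["203.0.113.1", "203.0.113.2"], 30),
    ("2024-05-01T09:00:10", "WS01", "chrome.exe", "explorer.exe", "img.example-cdn.net", ["203.0.113.3"], 30),
    ("2024-05-01T09:00:20", "WS01", "chrome.exe", "explorer.exe", "img.example-cdn.net", ["203.0.113.4"], 30),
    ("2024-05-01T09:00:30", "WS01", "chrome.exe", "explorer.exe", "img.example-cdn.net", ["203.0.113.5"], 30),
    ("2024-05-01T09:00:40", "WS01", "chrome.exe", "explorer.exe", "img.example-cdn.net", ["203.0.113.6"], 30),
    # Service process resolving an unlisted rotating domain: a DNS-only signal
    # with ordinary lineage, so it is reported at lower severity.
    ("2024-05-01T10:00:00", "WS02", "svchost.exe", "services.exe", "rotate.example.org", ["192.0.2.1"], 15),
    ("2024-05-01T10:00:20", "WS02", "svchost.exe", "services.exe", "rotate.example.org", ["192.0.2.2"], 15),
    ("2024-05-01T10:00:40", "WS02", "svchost.exe", "services.exe", "rotate.example.org", ["192.0.2.3"], 15),
    ("2024-05-01T10:01:00", "WS02", "svchost.exe", "services.exe", "rotate.example.org", ["192.0.2.4"], 15),
    ("2024-05-01T10:01:20", "WS02", "svchost.exe", "services.exe", "rotate.example.org", ["192.0.2.1"], 15),
    # Outlook polling a stable internal host: Office lineage and high volume,
    # but one IP and a long TTL, so the thresholds must not fire.
    *[(f"2024-05-01T11:{m:02d}:00", "WS03", "OUTLOOK.EXE", "explorer.exe", "mail.corp.example", ["10.0.0.5"], 3600)
      for m in range(8)],
]


def is_allowlisted(domain):
    return any(fnmatch(domain.lower(), pat) for pat in ALLOWLIST)


def unusual_lineage(image, parent):
    return image.lower() in UNUSUAL_LINEAGE or parent.lower() in UNUSUAL_LINEAGE


def detect(events, window=timedelta(minutes=5), min_queries=5, min_distinct_ips=3, max_ttl=60):
    """Return one alert per (host, domain) whose sliding window crosses every threshold.

    Threshold defaults are placeholders to be replaced by local baselines.
    """
    parsed = sorted(
        ({"ts": datetime.fromisoformat(ts), "host": h, "image": img, "parent": par,
          "query": q.lower(), "answers": ans, "ttl": ttl}
         for ts, h, img, par, q, ans, ttl in events),
        key=lambda e: e["ts"],
    )
    recent = defaultdict(deque)   # (host, domain) -> events inside the window
    alerts = {}
    for ev in parsed:
        if is_allowlisted(ev["query"]):
            continue                 # suppression happens before any counting
        key = (ev["host"], ev["query"])
        buf = recent[key]
        buf.append(ev)
        while buf and ev["ts"] - buf[0]["ts"] > window:
            buf.popleft()
        if key in alerts:
            continue                 # report each host/domain pair once
        ips = {ip for e in buf for ip in e["answers"]}
        if (len(buf) >= min_queries and len(ips) >= min_distinct_ips
                and max(e["ttl"] for e in buf) <= max_ttl):
            lineage = any(unusual_lineage(e["image"], e["parent"]) for e in buf)
            alerts[key] = {
                "host": ev["host"], "domain": ev["query"],
                "first_seen": buf[0]["ts"].isoformat(), "triggered": ev["ts"].isoformat(),
                "queries": len(buf), "distinct_ips": sorted(ips),
                "processes": sorted({f"{e['parent']} -> {e['image']}" for e in buf}),
                "severity": "high" if lineage else "medium",
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Two practical notes. The TTL column is the part most environments lack: Sysmon Event ID 22 records the query name, the querying image and the returned addresses, but not the answer TTL, so that field has to be joined in from DNS server, resolver or network-sensor logs, which is exactly the gap the first detection-direction bullet warns about. Second, the Outlook rows show why lineage should raise severity rather than replace the thresholds: an Office process with Office-typical DNS volume against a stable address is normal, and alerting on lineage alone would bury the rotation signal in noise.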
Mitigation priorities
- First, close visibility gaps: ensure Windows endpoint, DNS response, and process lineage telemetry are collected and retained together.
- Next, define normal DNS behavior for major business applications, CDNs, and cloud services to reduce false positives.
- Apply least-privilege and application control policies where appropriate for user-facing applications that should not generate unusual child-process or network behavior.
- Use DNS security controls, filtering, and response procedures to support containment when suspicious domains are confirmed.
- Integrate this analytic into IR playbooks so analysts know how to pivot from domain activity to host, process, user, and affected business system.
Analyst notes and limits
The supplied object is a detection analytic, not an ATT&CK technique. It is limited to Windows and provides a behavioral description but no official detection logic, tactics, mitigations, or relationships. The strongest defensive value comes from validating telemetry joins across DNS, endpoint process activity, and lineage.
No active exploitation, attribution, ATT&CK tactic mapping, or relationship context is supplied. Local environment baselines are required to separate suspicious rapidly changing DNS behavior from legitimate CDN, SaaS, cloud, and update infrastructure.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | fded97b888eb… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1331
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.